Practice Free NSE4_FGT_AD-7.6 Exam Online Questions
Refer to the exhibit.

Which two statements about the FortiGuard connection are true? (Choose two.)
- A . The weight increases as the number of failed packets rises.
- B . You can configure unreliable protocols to communicate with FortiGuard Server.
- C . FortiGate identified the FortiGuard Server using DNS lookup.
- D . FortiGate is using the default port for FortiGuard communication.
A,D
Explanation:
Based on the diagnose debug rating output provided in the exhibit and the standard behavior of the FortiGuard connection mechanism in FortiOS 7.6:
Weight Calculation (Statement A is True):
In FortiOS, the rating server selection process uses a weight-based system.
According to official documentation, the weight increases with failed packets (lost responses) and decreases with successful packets.
This mechanism ensures that servers with poor reliability are penalized by having higher weights, effectively pushing them to the bottom of the preference list.
Default Port Communication (Statement D is True):
The exhibit explicitly shows the communication is using HTTPS on port 8888.
In FortiOS 7.6 (and legacy versions like 6.2/6.4), FortiGuard filtering supports specific protocols and ports: HTTPS on ports 443, 53, and 8888, where 8888 is considered a default port for FortiGuard queries.
Ports 53 and 8888 are standard for both UDP and TCP/HTTPS FortiGuard communications to avoid common firewall blocks on standard web ports.
Why other options are incorrect:
Statement B (Unreliable protocols): While you can configure UDP (which is unreliable), the exhibit specifically shows HTTPS is being used, which is a reliable (TCP-based) protocol.
Statement C (DNS lookup): In the "Flags" column of the server list, a server found via DNS lookup would be marked with the "D" flag. The exhibit shows the flag as "I" (indicating the last INIT request was sent to this server) and a numeric "2," but the "D" flag is absent. Additionally, the IP 10.0.1.241 is a private address, suggesting it is a manually configured FortiManager or local override server rather than a public server found via global DNS lookup.
DRAG DROP
An administrator wants to form an HA cluster using the FGCP protocol. Both FortiGate devices are configured with the set override enable command. Arrange the criteria in the order in which the FGCP protocol uses them to elect the primary FortiGate. Select the criteria in the left column, hold and drag it to a blank position in the column on the right. Place the four correct steps in order, placing the first step in the first position. Once you place a step, you can move it again if you want to change your answer before moving to the next question.
You need to drop four criteria in the work area. Select and drag the screen divider to change the viewable area of the source and work areas. (Choose four answers)

Explanation:
“This slide shows the different criteria that a cluster considers during the primary FortiGate election process. The criteria order evaluation depends on the HA override setting.”
For the default case shown in the guide:
“1. The cluster compares the number of monitored interfaces that have a status of up. The member with the most available monitored interfaces becomes the primary.
Exhibits:

You are asked to implement an antivirus profile for files downloaded through FTP, HTTP, and HTTPS.
While testing, you are successful with HTTP and FTP protocols, but FortiGate does not block the file download over HTTPS.
What could be the cause?
- A . The feature set in the antivirus profile is not set to Flow-based.
- B . Web filter is not enabled on the firewall policy to complement the antivirus profile.
- C . The action on the firewall policy is not set to deny.
- D . The SSL inspection mode in the firewall policy is not deep content inspection.
D
Explanation:
“To perform SSL inspection on traffic flowing through the FortiGate device, you must allow the traffic with a firewall policy and apply an SSL inspection profile to the policy. Note that an SSL inspection profile alone will not trigger a security inspection. You must combine it with other security profiles like Antivirus, Web Filter, Application Control, or IPS.”
“By default, firewall policies are set with the no-inspection SSL profile. Therefore, any encrypted traffic flows through uninspected… For antivirus or IPS control, you should use a deep-inspection profile.”
“When you use deep inspection, FortiGate impersonates the recipient of the originating SSL session, and then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient. Deep inspection protects from attacks that use HTTPS and other commonly used SSL-encrypted protocols…”
Technical Deep Dive:
The correct answer is D. HTTP and FTP are working because FortiGate can inspect those payloads directly with the antivirus profile. HTTPS is different because the traffic is encrypted. If the firewall policy uses only certificate inspection or another non-decrypting SSL mode, FortiGate can identify certificate/SNI information, but it cannot see the downloaded file contents. Without decrypting the HTTPS session, the antivirus engine never receives the payload to scan, so EICAR or other malware can pass.
Why the other options are wrong:
A is not the issue here. The exhibit shows the antivirus profile and policy are already aligned for proxy-based operation, and the failure is specific to HTTPS visibility.
B is wrong because web filter is not required for antivirus scanning.
C is wrong because firewall policies commonly use ACCEPT with security profiles; the antivirus engine can still block the file after policy match. The study guide explicitly says ACCEPT allows the session and then applies antivirus scanning and other packet-processing features.
To fix it, apply deep-inspection on the firewall policy:
```
config firewall policy
    edit <policy-id>
        set ssl-ssh-profile "deep-inspection"
        set av-profile "HTTP_AV_Profile"
    next
end
```
On real FortiGate hardware, this also has performance implications. Simple flow handling can often stay on accelerated paths, but full SSL deep inspection forces decryption and content scanning through the inspection engine, increasing CPU/WAD workload.
0.11.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on HQ-PC-1 (10.0.11.50) pings the IP address of BR-FGT (100.65.1.111)?
- A . 100.65.0.101
- B . 100.65.0.49
- C . 100.65.0.149
- D . 100.65.0.99
D
Explanation:
From the exhibits, there are three relevant firewall policies from LAN (port4) to WAN (port2), each using a different IP pool for source NAT:
TCP traffic
Service: ALL_TCP
Destination: BR1-FGT
IP Pool: SNAT-Pool → 100.65.0.49
PING traffic
Service: PING
Destination: all
IP Pool: SNAT-Remote1 → 100.65.0.99
IGMP traffic
Service: IGMP
Destination: all
IP Pool: SNAT-Remote → 100.65.0.149
The user on HQ-PC-1 (10.0.11.50) is pinging BR1-FGT (100.65.1.111). In FortiOS, policy matching is based on (among other fields) source, destination, and service, and the first matching policy in top-down order is applied.
Because the traffic is ICMP echo (ping), it matches the policy named PING traffic (service PING, destination all). That policy explicitly uses Use Dynamic IP Pool with SNAT-Remote1, which is configured with external IP 100.65.0.99.
Therefore, the source NAT IP used for this ping is 100.65.0.99.
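To make the top-down, first-match evaluation concrete, here is an added Python model of the three LAN-to-WAN policies from the exhibit. It is not FortiOS code and not part of the original question; the policy names, service names, address objects and pool IPs are taken from the explanation above, while the matching logic (interface pair, destination object, then service membership, stopping at the first hit, with an implicit deny when nothing matches) is a simplified stand-in for what FortiGate does, and the protocol-to-service mapping is a constructed assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed service objects: which protocols each FortiOS service name covers.
SERVICE_MEMBERS = {
    "ALL_TCP": {"tcp"},
    "PING": {"icmp"},
    "IGMP": {"igmp"},
}

# Address objects used as policy destinations (values from the exhibit/explanation).
ADDRESS_OBJECTS = {
    "BR1-FGT": ip_network("100.65.1.111/32"),
    "all": ip_network("0.0.0.0/0"),
}

# IP pools and their external SNAT addresses (from the explanation).
IP_POOLS = {
    "SNAT-Pool": "100.65.0.49",
    "SNAT-Remote1": "100.65.0.99",
    "SNAT-Remote": "100.65.0.149",
}


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    dstaddr: str
    service: str
    ippool: str


# Policy table in the order it appears on the FortiGate (top-down).
POLICIES = [
    Policy("TCP traffic", "port4", "port2", "BR1-FGT", "ALL_TCP", "SNAT-Pool"),
    Policy("PING traffic", "port4", "port2", "all", "PING", "SNAT-Remote1"),
    Policy("IGMP traffic", "port4", "port2", "all", "IGMP", "SNAT-Remote"),
]


def match_policy(srcintf: str, dstintf: str, dst_ip: str, protocol: str) -> Optional[Policy]:
    """Return the first policy (top-down) whose interfaces, destination and
    service all match the flow, or None to represent the implicit deny."""
    dst = ip_address(dst_ip)
    for policy in POLICIES:
        if policy.srcintf != srcintf or policy.dstintf != dstintf:
            continue
        if dst not in ADDRESS_OBJECTS[policy.dstaddr]:
            continue
        if protocol not in SERVICE_MEMBERS[policy.service]:
            continue
        return policy  # first match wins; later policies are never evaluated
    return None


def snat_address(srcintf: str, dstintf: str, dst_ip: str, protocol: str) -> Optional[str]:
    """External IP the flow is source-NATed to, or None if no policy allows it."""
    policy = match_policy(srcintf, dstintf, dst_ip, protocol)
    return IP_POOLS[policy.ippool] if policy else None


if __name__ == "__main__":
    # HQ-PC-1 (10.0.11.50) pinging BR1-FGT: ICMP skips "TCP traffic" (service
    # mismatch) and lands on "PING traffic", so SNAT-Remote1 is used.
    print(snat_address("port4", "port2", "100.65.1.111", "icmp"))   # 100.65.0.99
    print(snat_address("port4", "port2", "100.65.1.111", "tcp"))    # 100.65.0.49
    print(snat_address("port4", "port2", "100.65.1.111", "udp"))    # None (implicit deny)
```

The UDP case is worth noting: with no matching service in any policy the flow falls through to the implicit deny, which is why the "Destination: all" policies do not quietly catch every protocol.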
FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.
Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)
- A . Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
- B . Both interfaces must have the interface role assigned.
- C . Both interfaces must have directly connected routes on the routing table.
- D . Both interfaces must have IP addresses assigned.
C,D
Explanation:
In FortiOS 7.6, when a FortiGate is operating in NAT mode, physical interfaces that participate in traffic forwarding (such as LAN and DMZ) must meet certain fundamental requirements.
Correct statements
D. Both interfaces must have IP addresses assigned.
Correct
In NAT mode, FortiGate operates as a Layer-3 device.
Every interface that forwards traffic must have an IP address.
Without an IP address:
The interface cannot participate in routing
Firewall policies cannot be applied correctly
This is a mandatory requirement.
C. Both interfaces must have directly connected routes on the routing table.
Correct
When an IP address is assigned to an interface, FortiGate automatically installs a connected route for that subnet in the routing table.
These connected routes are required so FortiGate:
Knows how to reach the locally attached networks
Can forward traffic between LAN and DMZ
While administrators do not manually create these routes, their presence is required for correct operation.
Why the other options are incorrect
You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.
What FortiGate settings should you check to resolve this issue?
- A . FortiGuard category ratings
- B . Network Protocol Enforcement
- C . Replacement Messages for UDP-based Applications
- D . Application and Filter Overrides
A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.
Which step is not part of the expected process?
- A . The DC agent sends login event data directly to FortiGate.
- B . FortiGate determines user identity based on the IP address in the FSSO list.
- C . The collector agent forwards login event data to FortiGate.
- D . The user logs into the Windows domain.
When configuring the connection between FortiGate and FortiAnalyzer, which option indicates that reliable traffic is enabled? (Choose one answer)
- A . The connection status shows a green check icon
- B . The interface status is set to up
- C . A padlock icon appears in the connection settings
- D . The logging mode is set to real-time
C
Explanation:
“When you enable reliable logging on FortiGate, the log transport delivery method changes from UDP to TCP. TCP provides reliable data transfer, guaranteeing that the transferred data remains intact and arrives in the same order in which it was sent.”
“Optionally, if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecured network.”
Technical Deep Dive:
The correct answer is C. The study guide explicitly ties reliable logging to TCP transport and optionally to SSL-encrypted OFTP. Among the choices, the padlock icon is the only one that meaningfully indicates secure, reliable log transport behavior. A green check icon usually indicates that the FortiGate-FortiAnalyzer connection is simply up, not specifically that reliable logging is enabled. Interface status being up is unrelated, and real-time logging mode describes delivery behavior, not the reliable transport indicator itself.
So, exam-wise, the best answer is C.
From the CLI perspective, reliable logging changes the transport from UDP to TCP, and with encryption enabled it uses SSL-protected OFTP. That is why the GUI indicator associated with secure transport is the most relevant visual clue here.
