NSE4_FGT_AD-7.6 Fortinet NSE 4 - FortiOS 7.6 Administrator Questions and Answers

The exhibit shows a FortiGate UTM application control log with fields such as:

type="utm"

subtype="app-ctrl"

action="block"

policyid=1

appid=30220

appcat="Video/Audio"

service="HTTP"

apprisk="elevated"

This is a forward traffic security log, generated by Application Control applied to a firewall policy.

Why the correct answers are C and D

C. By filtering by policy universally unique identifier (UUID) and application name in the log entry

Correct.

FortiOS logs can be viewed and filtered in:

Log & Report → Forward Traffic

Administrators can filter logs using fields such as:

Policy ID / Policy UUID

Application name (app)

Application ID (appid)

The log entry clearly includes application-related fields, making filtering by policy and application a valid and documented way to view these logs.

D. In the Forward Traffic section

Correct.

The log is a UTM Application Control log for traffic passing through a firewall policy.

Such logs are displayed under:

Log & Report → Forward Traffic

This is the standard and correct location to view application control, web filter, IPS, and other security profile logs related to user traffic.

Why the other options are incorrect

A. By right clicking the implicit deny policy

Incorrect.

Implicit deny policies do not generate UTM forward traffic logs like the one shown.

Application control logs are generated only by explicit firewall policies with security profiles enabled.

B. Using the FortiGate CLI command diagnose log test

Incorrect.

diagnose log test is used to test log connectivity and log settings, not to view historical log entries.

It does not display traffic or UTM logs.

According to the FortiOS 7.6 Study Guide and technical documentation regarding High Availability (HA), the FortiGate Clustering Protocol (FGCP) uses a specific set of rules to elect the primary unit in a cluster. By default, the election order follows: Connected Monitored Ports > HA Uptime > Priority > Serial Number.

However, when the HA override setting is enabled, the election logic is modified to prioritize the administrator-defined priority value over the uptime of the cluster members. In this specific configuration, the election process follows this sequence:

Connected monitored ports: The unit with the most functioning monitored interfaces is preferred.

Priority: The unit with the highest manually configured priority value (e.g., 255) is selected next.

HA uptime: If monitored ports and priority are equal, the unit that has been up in the HA cluster the longest is chosen.

FortiGate serial number: As a final tie-breaker, the unit with the higher serial number is elected.1

Statement A is correct because it reflects the shift where Priority is evaluated immediately after monitored ports, overriding the standard uptime advantage. Statements B and D are incorrect because the FGCP uses HA uptime, not system uptime, for its calculations.

According to the FortiOS 7.6 Study Guide and technical documentation, conserve mode is a protective state triggered when memory utilization reaches the Extreme Threshold (typically 95% by default). When this occurs, the FortiGate implements several measures to prioritize system stability over new functionality. One of the primary restrictions is that the FortiGate refuses to accept configuration changes (Statement B). This prevents the system from initiating new processes or allocating additional memory that could lead to a total system crash.

Regarding traffic handling, the behavior is determined by specific "fail-open" settings. For the IPS engine, if the fail-open global setting is enabled, the FortiGate continues to transmit packets without IPS inspection (Statement D). This ensures that network connectivity is maintained even when the system lacks the memory resources to perform deep packet inspection. In contrast, Statement A is incorrect because the system may skip non-essential actions to save memory. Statement C is incorrect because conserve mode is designed to avoid a system halt; the device remains operational and will automatically exit conserve mode once memory usage drops below the Release Threshold (typically 82%).

From the exhibits:

The firewall policy has NAT enabled and is configured to Use Dynamic IP Pool.

The selected IP pool (Internet-pool) is configured as:

Type: One-to-One

External IP Range: 100.65.0.110–100.65.0.111 (only two public IPs)

PC1 and PC2 can access the internet because each one-to-one NAT mapping consumes one public IP from the pool. When PC3 is added, there is no third public IP available in the pool, so FortiGate cannot allocate a one-to-one mapping for PC3 and the session fails.

FortiOS behavior here is standard: with one-to-one IP pools, the available pool size limits how many distinct internal sources can be translated concurrently (depending on allocation and sessions), and a pool with only two IPs will not reliably support three separate hosts needing translations.

Therefore, the administrator can fix this in two valid ways:

B. In the IP pool configuration, set end ip to 100.65.0.112.

This expands the pool by adding an additional public IP address, making three public IPs available (.110, .111, .112), so PC3 can be assigned an address for one-to-one NAT.

D. In the IP pool configuration, set type to overload.

Changing the pool type to overload enables PAT (many-to-one), allowing multiple internal hosts (PC1, PC2, PC3) to share the pool address(es) using different source ports. This removes the “one public IP per internal host” limitation inherent to one-to-one pools.

Why the other options are not correct:

A. Multiple Interface Policies is unrelated to IP pool exhaustion and does not solve NAT allocation limits.

C. match-vip affects VIP matching behavior for destination NAT/virtual IP usage and does not address the source NAT pool shortage causing PC3 to fail.

With full SSL inspection, FortiGate performs a man-in-the-middle process: it decrypts the HTTPS session, inspects it, then re-encrypts it. To do this, FortiGate presents a substitute certificate to the client, signed by the CA certificate configured in the SSL/SSH inspection profile (for example, Fortinet_CA_SSL or a custom enterprise CA).

Browsers will show certificate warning errors when the issuing CA is not trusted by the client device/browser trust store. This only happens for HTTPS because certificates are used in TLS; HTTP has no certificate exchange, so no warning appears.

Why the other options are incorrect:

A: Allowing invalid server certificates affects whether FortiGate blocks/permits connections to sites with bad certs; it does not fix the client warning about FortiGate’s substituted cert.

B: Proxy vs flow inspection mode does not inherently cause certificate warnings; the warning is about trust of the signing CA.

D: Missing extensions is not the typical reason across “any HTTPS website”; the standard reason is the client does not trust the FortiGate inspection CA

From the exhibits:

The Application Control sensor has these key settings:

Application and Filter Overrides

Priority 1: Excessive-Bandwidth (Type: Filter) with Action Block

Priority 2: Google (Type: Filter) with Action Monitor

Category actions shown include Social Media set to Block (this category includes Facebook).

The firewall policy is using:

Flow-based inspection

Application control enabled (profile: default)

Deep inspection enabled (helps identify applications inside HTTPS)

Logging enabled

FortiOS applies Application Control as follows (top-down within the Application Control profile):

Overrides are evaluated by priority (highest priority first).

The first matching override determines the action (block/monitor/allow) for that traffic.

Category-based actions apply to applications that fall into those categories unless an override matches first.

Why A is correct

A. YouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.

The profile explicitly blocks the Excessive-Bandwidth behavior filter at the highest override priority.

When YouTube traffic is detected as matching the Excessive-Bandwidth behavior, FortiGate will apply the Block action due to the override.

Because this is a priority override, it is enforced before lower-priority entries.

Why B is correct

B. Facebook access is blocked based on the category filter settings.

The Application Sensor shows Social Media configured with a Block action.

Facebook is categorized under Social Media, so it will be blocked when matched by Application Control.

Why C is not correct

C. Facebook access is allowed but you cannot play Facebook videos...

Since the Social Media category is set to Block, Facebook would be blocked at the category level (not merely video playback).

Why D is not correct

D. YouTube search is allowed based on the Google override...

The Google override action is Monitor, not Allow.

“Monitor” logs/detects but does not override a block condition to “allow” traffic.

Also, YouTube traffic is not guaranteed to be treated as “Google” in a way that would permit it, and any matching block condition (such as Excessive-Bandwidth) would still take precedence.

In FortiOS 7.6, HA cluster heartbeat IP addresses are automatically managed by FortiGate and play a critical role in cluster communication and synchronization.

Correct statements

A. Heartbeat IP addresses are used to distinguish between cluster members.

Correct

FortiGate assigns unique heartbeat IP addresses (link-local addresses in the 169.254.0.0/16 range) to each HA member.

These addresses are used for:

Cluster member identification

Health checks

Synchronization traffic

This allows FortiGate units to uniquely identify and communicate with each other inside the HA cluster.

C. A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster.

Correct

Heartbeat IPs are dynamically assigned.

When:

A new FortiGate joins the cluster, or

A member leaves or fails,

FortiGate may reassign heartbeat IP addresses to maintain unique identification among members.

This behavior is documented in the FortiOS HA operation and troubleshooting guides.

Why the other options are incorrect

B. The heartbeat interface of the primary device is always assigned IP address 169.254.0.1.

Incorrect

There is no fixed or guaranteed heartbeat IP (such as 169.254.0.1) for the primary unit.

Heartbeat IP assignment is dynamic, not role-based.

D. Heartbeat interfaces have virtual IP addresses that are manually assigned.

Incorrect

Heartbeat IP addresses are:

Automatically assigned

Link-local

Administrators do not manually configure heartbeat IP addresses.

In FortiOS 7.6, SD-WAN steering decisions are recorded in traffic logs only when traffic matches an explicit SD-WAN rule (SD-WAN service rule). When no configured SD-WAN rule matches a session, FortiGate uses the implicit (default) SD-WAN rule/behavior to select a member (often resulting in load-balancing or default selection based on the configured SD-WAN algorithm).

In the exhibit, traffic is permitted by firewall policy ID 1, and the Destination Interface alternates between port1 and port2, but SD-WAN Rule Name remains empty. This is consistent with the sessions being forwarded by the implicit SD-WAN rule, which does not populate a named rule in the log columns.

Why the other options are not correct:

A: SD-WAN rule name logging is not a “delayed display” behavior requiring refresh; it is populated per-session when an explicit rule matches.

B: Application Control is not required for SD-WAN rule name to appear. Rule name logging depends on SD-WAN rule match, not on whether Application Control is enabled.

C: Feature visibility affects GUI display options, but the exhibit already shows the SD-WAN columns enabled; the issue is that no explicit SD-WAN rule is being hit.

From the routing table in the exhibit, there is already a static route for 172.20.1.0/24 pointing out port3 with:

Distance = 9

Priority = 2

Type = Static

In FortiOS, route selection prefers (in order) the route with the lowest administrative distance to a destination. Therefore, to make traffic to 172.20.1.0/24 go through port2 only, the administrator must ensure the port2 static route is more preferred than the existing port3 route.

Why C is correct

C. The existing static route through port3 must have the distance set to 11.

If the existing port3 route distance is increased to 11, then a new port2 route with distance 9 will be preferred (9 < 11). This makes the port3 route a backup route instead of the active one.

Why D is correct

D. The new static route must have the distance set to 9

Setting the new port2 route distance to 9 (and increasing the port3 route to 11 as in option C) ensures FortiGate selects the port2 route as the best route for 172.20.1.0/24.

Why A and B are not correct

A (priority 3): By itself it does not guarantee selection over the existing route, and FortiOS route choice is driven primarily by distance.

B (metric 1): Metric is not the primary selector for static route preference compared to administrative distance in this scenario.

So the two criteria that achieve the objective are:

Make the existing port3 route less preferred by increasing its distance (C)

Ensure the new port2 route uses the preferred distance (D)

From the exhibits:

The firewall policy has Application Control enabled and uses certificate-inspection for SSL inspection.

The application sensor has Application and Filter Overrides with the following order (priority):

Excessive-Bandwidth with action Block

Google (vendor filter) with action Monitor

In FortiOS, Application and Filter Overrides are evaluated by priority (top-down). The first matching override is applied. If traffic matches an earlier override with Block, it will be blocked even if a later override would Monitor/Allow it.

Why Google apps fail while www.fortinet.com works:

Many Google applications can be detected as (or can trigger) the Excessive-Bandwidth behavior/signature depending on the specific service and traffic pattern.

Because Excessive-Bandwidth (Block) is above Google (Monitor), Google-related traffic may match the first rule and be blocked before the Google override is evaluated.

Access to www.fortinet.com works because that traffic is not matching the Excessive-Bandwidth override.

Therefore, to resolve:

B. Move up Google in the Application and Filter Overrides section to set its priority higher

This ensures Google matches the Google override before any broader blocking override is applied.

E. Set the action for Google in the Application and Filter Overrides section to Allow

This explicitly permits Google applications once the higher-priority match occurs (stronger than Monitor for troubleshooting and ensuring access).

Why the other options are not the best fit here:

A (deep-content inspection) can help identify more HTTPS applications, but the exhibit already shows a specific Google override configured; the immediate issue is the override evaluation order and action.

C relates to Web Filter URL categories, but the problem is occurring under Application Control behavior/vendor overrides.

D (flow-based) is not required to fix an override priority/action conflict.

According to the FortiOS 7.6 Study Guide and Parallel Path Processing documentation, flow-based antivirus inspection is designed to provide security with minimal impact on performance.

First, a defining characteristic of modern flow-based AV (specifically in its "hybrid" mode) is that FortiGate buffers the whole file but transmits to the client at the same time (Statement A). This behavior allows the client to start receiving data immediately to prevent session timeouts, while the FortiGate reassembles the file in memory to perform a signature check before the final packet is released.

Second, starting with recent FortiOS versions including 7.6, flow-based inspection uses a hybrid of the scanning modes (Statement B). Previously, flow mode offered "Quick" or "Full" scans; now, it combines these techniques to offer a balance between the speed of stream-based scanning and the thoroughness of archive inspection.

Third, the primary motivation for selecting this mode is that flow-based inspection optimizes performance compared to proxy-based inspection (Statement D). It processes traffic in a single pass using the IPS engine, avoiding the overhead associated with the WAD (proxy) process. Statement C is incorrect because if a virus is detected, the last packet is withheld and the connection is reset to prevent the file from being completed. Statement E is less accurate as the IPS engine loads the AV engine to perform the task rather than acting as a "standalone" entity in the context of file scanning.

In FortiOS 7.6, the Antivirus scan master switch in an antivirus profile becomes available only after at least one supported protocol is enabled for inspection.

What the exhibit shows

A new antivirus profile named FTP_AV_Profile

Feature set: Flow-based

Antivirus scan switch is grayed out

All Inspected Protocols (HTTP, SMTP, POP3, IMAP, FTP, CIFS) are currently disabled

Why the Antivirus scan switch is grayed out

In FortiOS antivirus profiles:

The Antivirus scan toggle is a dependent control

It cannot be enabled unless at least one inspected protocol is selected

This prevents enabling AV scanning when there is no traffic type to scan

This behavior is documented in the FortiOS 7.6 Antivirus Profile configuration section.

Once you enable a protocol (for example, FTP), the Antivirus scan switch becomes active and configurable.

Why option B is correct

B. None of the inspected protocols are active in this profile.

All protocol toggles are OFF

Therefore, FortiGate disables (grays out) the Antivirus scan option

This is expected and correct behavior

Why the other options are incorrect

A. Antivirus scan is disabled under Feature visibilityIncorrect. Feature Visibility controls whether Antivirus appears in the GUI, not whether the scan switch is enabled inside a profile.

C. Feature set must be Proxy-basedIncorrect. Antivirus scanning is supported in both flow-based and proxy-based modes.

D. Less than 2 GB RAM does not support Antivirus scanIncorrect. Memory size affects performance and offloading, not basic AV scan availability.

According to the FortiOS 7.6 Administrator Study Guide, the Application Control engine processes traffic by evaluating the Application and Filter Overrides section first, using a top-down matching logic similar to firewall policies. In the provided exhibit, there are two override entries:

Priority 1: A behavior-based filter for Excessive-Bandwidth with the action set to Block.

Priority 2: A vendor-based filter for Apple with the action set to Monitor.

The exhibit titled "Application override configuration" explicitly shows that Apple FaceTime is one of the signatures included within the Excessive-Bandwidth behavior filter. When the FortiGate inspects FaceTime traffic, it matches the first entry (Priority 1) because the signature belongs to the "Excessive-Bandwidth" group. Since the action for this priority is Block, the traffic is dropped immediately.

The phrase "only a few calls" is a common exam distractor; in this context, the "Excessive-Bandwidth" filter refers to the classification of the application (as one that typically consumes high bandwidth) rather than a real-time measurement of the specific session's throughput. Because the engine stops searching once a match is found in the overrides, it never reaches the Priority 2 "Monitor" rule or the general Category settings.

In FortiOS 7.6, SD-WAN Performance SLAs are used to measure link quality and influence SD-WAN rule decisions. The following three statements are true.

C. All the SLA targets can be configured.

True

SD-WAN Performance SLAs allow administrators to configure:

Latency

Jitter

Packet loss

Mean Opinion Score (MOS) (for voice)

Threshold values for these metrics are fully configurable per SLA.

This is explicitly documented in the SD-WAN Performance SLA configuration section.

D. They are applied in an SD-WAN rule lowest cost strategy.

True

Performance SLAs are commonly used with the Lowest Cost (SLA-based) strategy.

In this strategy:

FortiGate selects the lowest-cost link that meets the SLA requirements.

If a link violates the SLA, it is excluded from selection.

E. They can be measured actively or passively.

True

FortiOS supports:

Active probing (synthetic probes such as ping/HTTP)

Passive measurement (based on real traffic statistics)

Administrators can choose how SLAs are measured depending on the deployment and requirements.

Why the other options are incorrect

A. They rely on session loss and jitter.

Incorrect

SLAs measure packet loss, latency, and jitter.

Session loss is not an SLA metric in FortiOS.

B. They monitor the state of the FortiGate device.

Incorrect

Performance SLAs monitor link quality, not FortiGate system health or device state.