Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Firewall Policies and NAT

Practice NSE4 Firewall Policies and NAT questions with full explanations on every answer.

237 questions


NSE4 domains: System and Network Administration; Firewall Policies and NAT; Authentication and VPN; Security Profiles; High Availability and Diagnostics

All NSE4 Firewall Policies and NAT questions (237)

1

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on one 10.0.0.0/8 subnet cannot access the web server, while users on the other internal subnets can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

2

An organization wants to authenticate VPN users using an LDAP server. They configure an LDAP server object and a user group. However, users are unable to authenticate. The administrator checks the logs and sees 'authentication failed' errors. What is the most common misconfiguration?

3

A FortiGate administrator needs to allow SMTP traffic from the internal network to an external mail server. The internal network uses source NAT to the external interface IP. Which firewall policy configuration is correct?

4

Refer to the exhibit. A FortiGate has this policy configured. Traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP is being logged as allowed. However, users report that they cannot access the web server. What is the most likely issue?

5

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

6

A company uses FSSO (Fortinet Single Sign-On) with a domain controller. Users authenticate to the domain, and the FortiGate retrieves the login events. The firewall policy uses the FSSO group. Some users report that after logging in, they cannot access resources that require authentication. The administrator checks the FSSO status and sees that the FortiGate is receiving login events. What is the most likely cause?

7

An administrator wants to create a firewall policy that blocks all traffic from a specific IP address (10.0.0.99) to the internet, but allows all other traffic. Which policy configuration is correct?

8

Which TWO statements about firewall policy authentication are correct?

9

Which THREE conditions must be met for a firewall policy with FSSO authentication to work correctly?

10

Refer to the exhibit. An administrator configures the policies as shown. Traffic from 10.0.0.0/8 to the internet on HTTP is denied. What is the most likely reason?

11

A FortiGate administrator wants to restrict access to a sensitive server (10.0.0.100) such that only users who authenticate via LDAP can access it. Which firewall policy configuration is required?

12

A company has a FortiGate 100F with two ISPs (ISP1 and ISP2) for load balancing. They use SD-WAN to direct traffic. The firewall has a policy that allows HTTP and HTTPS traffic from internal users (10.0.0.0/8) to the internet. The policy uses FSSO authentication with an Active Directory domain controller. Recently, users on the 10.0.1.0/24 subnet report that they are prompted for authentication repeatedly, even though they are domain-joined and logged in. Users on other subnets do not have this issue. The administrator checks the FSSO configuration and sees that the collector agent is running and the FortiGate is receiving login events. The FortiGate's policy is configured with source address 10.0.0.0/8 and FSSO group 'Domain Users'. The administrator also notices that the FortiGate's SD-WAN rules are configured to use ISP1 for traffic from 10.0.0.0/8 except for traffic from 10.0.1.0/24, which uses ISP2. The FortiGate's FSSO collector agent is configured to listen on the IP address 192.168.1.1, which is the IP of the interface connected to ISP1. What is the most likely cause of the authentication issue?

13

A company uses FortiGate with firewall policies to control access between internal VLANs. Users in VLAN 10 report they can access internet but cannot reach a server in VLAN 20 on port 443. The server is reachable from other VLANs. The administrator checks the firewall policy configuration: there is a policy from VLAN10 to VLAN20 allowing HTTPS, with NAT disabled and logging enabled. The policy has a schedule set to 'Always'. The administrator also checks that there are no overlapping policies. What is the most likely cause?

14

Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?

15

A company has a FortiGate with two ISPs: wan1 (primary) and wan2 (backup). They want all outbound traffic from internal users to use wan1, and if wan1 fails, traffic should automatically fail over to wan2. The administrator configures static routes: default route via wan1 gateway with distance 10 and default route via wan2 gateway with distance 20. They also configure an SD-WAN zone with both interfaces and set a strategy of 'Manual' with 'Best Quality' for wan1. After testing, failover does not occur when wan1 goes down. What is the most likely reason?

16

Drag and drop the steps to create a firewall policy allowing HTTP traffic from internal to DMZ into the correct order.

17

Drag and drop the steps to configure SSL VPN on FortiGate into the correct order.

18

Match each Fortinet product to its primary role.

19

Match each FortiGate logging destination to its description.

20

A network admin has configured a firewall policy allowing HTTPS traffic from the internal network to a DMZ web server. Users report that the web pages load slowly. The admin checks the policy and notices traffic shaping is not applied. What is the BEST action to ensure fair bandwidth distribution for HTTPS traffic?

21

A junior admin is creating firewall policies and wants to ensure that all traffic not explicitly permitted is denied. Which FortiGate mechanism provides this behavior by default?

22

You run 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and see the following session entry:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate?

23

An admin is configuring a policy-based NAT rule (central NAT) to translate internal users' source IPs to the external IP of the FortiGate interface. However, users complain that some applications fail. The admin notices that the NAT rule is using 'dynamic IP pool' with overload. What is the MOST likely cause of the application failures?

24

A FortiGate admin wants to create a firewall policy that allows traffic from the internal network to the internet. The source is a subnet 192.168.1.0/24, and the destination is 'all'. The admin wants to apply NAT to hide internal IPs. Which NAT configuration is BEST suited for this scenario?

25

An admin notices that a firewall policy allowing inbound HTTPS to a server is not matching traffic. The policy has source set to 'all', destination to the server's IP, and service to HTTPS. The admin checks the policy list and sees that policy ID 1 matches the traffic. What is the MOST likely reason the intended policy (ID 10) is not matching?

26

Which of the following is a valid address object type in FortiGate that can be used to match traffic based on the domain name of the destination?

27

An admin wants to block all traffic from a specific geographic region. Which address object type should be used in the firewall policy source?

28

A company has a web server in the DMZ that must be accessible from the internet on both HTTP and HTTPS. The admin configures a VIP to map the public IP to the server's private IP. However, external users can only reach HTTP. What is the MOST likely cause?

29

An admin configures a policy-based NAT rule (central SNAT) to translate source IPs from 10.0.0.0/24 to a dynamic IP pool of 203.0.113.1-203.0.113.10 with overload enabled. Users report that some connections are dropped. What is the MOST likely cause?

30

A FortiGate admin wants to ensure that traffic destined to a specific web server is inspected by an IPS profile. Which configuration is necessary?

31

An admin needs to allow inbound SMTP traffic from the internet to a mail server in the DMZ. The public IP is 203.0.113.10, and the mail server's private IP is 10.0.0.5. Which VIP configuration is correct?

32

A FortiGate admin is troubleshooting a policy that should allow VoIP traffic. The admin suspects that the SIP ALG is interfering. Which TWO actions should the admin take to verify or resolve the issue?

33

An admin is configuring a policy-based NAT (central SNAT) to translate internal users to a pool of public IPs using overload. The admin wants to ensure that specific applications using non-standard ports are not affected by NAT. Which THREE steps should the admin consider?

34

A FortiGate admin needs to allow inbound HTTPS traffic to a web server while also applying an application control profile to block certain web applications. The web server has a VIP configured. Which TWO components are necessary for this configuration?

35

A network administrator configures a firewall policy allowing HTTP traffic from the internal network (10.0.0.0/8) to the internet. After applying the policy, users report they can browse the web, but the FortiGate logs show that all sessions are using the 'implicit deny' policy ID 0. What is the most likely cause?

36

An administrator creates a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network to the internet. The policy uses a dynamic IP pool for SNAT. Users report that some websites load slowly or fail to load intermittently. The administrator checks the firewall logs and sees 'session helper' warnings. What is the most likely cause?

37

During a security audit, the administrator runs the command 'diagnose firewall policy list' and sees the following output:
policy id=1: allow from port1 to port2, src=10.0.0.0/8, dst=any, action=accept
policy id=2: deny from port1 to port2, src=10.0.0.0/8, dst=172.16.0.0/12, action=deny
policy id=3: allow from port1 to port2, src=any, dst=any, action=accept
A host with IP 10.0.1.5 sends traffic to 172.16.0.1. Which policy will match?

38

An administrator needs to block all traffic from a specific geographic region. Which object type should be used as the source in the firewall policy?

39

A company has a web server in the DMZ that needs to be accessible from the internet on port 443 (HTTPS). The administrator configures a Virtual IP (VIP) mapping the public IP 203.0.113.10 to the private IP 10.0.1.10 port 443. Which firewall policy is required to allow inbound traffic?

40

An administrator configures a Central SNAT policy to translate traffic from the internal network (10.0.0.0/8) to the internet using the IP pool 'pool1'. The administrator also has a firewall policy that uses policy-based NAT with an IP pool 'pool2'. Both policies match the same traffic. Which NAT will be applied?

41

Which of the following statements about firewall policy ordering in FortiGate is correct?

42

An administrator wants to ensure that traffic from the engineering department (subnet 192.168.10.0/24) to the internet uses a specific public IP address for source NAT. Additionally, traffic from the marketing department (192.168.20.0/24) should use a different public IP. Which method should be used?

43

An administrator uses 'diagnose sys session list' and sees the following output for a session:
proto=6 proto_state=01 duration=3600 expire=3599
The session is for HTTPS traffic. What does 'proto_state=01' typically indicate in FortiGate?

44

An organization has multiple remote sites connected via IPsec VPN. The administrator needs to ensure that traffic from the internal network (10.0.0.0/8) to the VPN destination (10.10.0.0/16) uses a specific interface (port2) instead of the default route. Which feature should be configured?

45

Which of the following is NOT a valid address object type in FortiGate?

46

An administrator configures a firewall policy with a schedule that allows traffic only during business hours (Monday to Friday, 09:00-18:00). At 17:55 on a Friday, a user establishes an SSH session that is still active at 18:05. What happens to the session when the schedule ends?

47

A FortiGate administrator is troubleshooting why traffic from a specific host (10.0.1.100) to a web server (203.0.113.50) is being denied. The administrator has confirmed that a firewall policy exists that should allow the traffic. Which TWO diagnostic commands would help identify the issue?

48

An organization requires that outbound HTTP and HTTPS traffic from the internal network be translated to a single public IP address (203.0.113.1) using overload NAT (PAT). Which TWO configurations are necessary?

49

An administrator needs to allow inbound SSH access from the internet to a specific internal server (10.0.1.10) on port 22. The WAN IP is 203.0.113.10. Which THREE configuration steps are required?

50

A FortiGate administrator needs to allow inbound SSH access from the internet to a single internal server at IP 10.0.1.10. The public IP on the WAN interface is 203.0.113.5. Which type of object should be configured to map the public IP and port to the internal server?

51

A FortiGate has two firewall policies: Policy 1 (from port1 to port2, source all, destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (from port1 to port2, source all, destination all, schedule 'Business Hours', action accept). A user attempts to connect from port1 to 10.0.1.5 at 8 PM on a Saturday. The traffic is denied. What is the most likely reason?

52

An administrator runs 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and sees the following session entry:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?

53

Which firewall policy matching parameter is evaluated FIRST when a packet arrives at a FortiGate interface?

54

A FortiGate has a policy-based NAT rule that translates source IPs from subnet 192.168.1.0/24 to 203.0.113.10 when accessing the internet. The admin also enables Central SNAT with a rule that translates the same subnet to 203.0.113.20. If both are configured, which translation will be applied to traffic from 192.168.1.0/24 to the internet?

55

Which type of address object allows a FortiGate to perform DNS resolution to match traffic based on a domain name?

56

A network admin needs to log all traffic from the sales VLAN to the internet. The firewall policy is configured with logging enabled. However, the admin notices that only session start logs are generated, not detailed traffic logs. What setting must be enabled to capture per-packet or per-session details?

57

A FortiGate admin configures a VIP to map 203.0.113.10:80 to 10.0.1.10:8080. However, when external users connect to http://203.0.113.10, they receive a connection timeout. The firewall policy allows the traffic. What is the most likely cause?

58

An admin configures an IP Pool with type 'Overload' for outbound traffic from the 192.168.1.0/24 subnet. The pool uses a single public IP 203.0.113.10. After a few hours, users are unable to access external websites. The admin checks the session table and sees many sessions with the same public IP and different source ports. What is the most likely issue?

59

A FortiGate has two policies for traffic from port1 to port3: Policy 1 (destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (destination 10.0.2.0/24, schedule 'Weekdays', action accept). A packet destined to 10.0.2.10 arrives on Wednesday at 2 PM. Which policy is applied?

60

An admin configures a one-to-one IP Pool to map 10.0.1.0/28 to 203.0.113.16/28. A host with IP 10.0.1.5 initiates a connection to the internet. Which source IP will be used for the translated packet?

61

Which of the following is the default action of a FortiGate firewall policy if no policy matches the traffic?

62

A FortiGate admin wants to ensure that traffic from the internal network (192.168.1.0/24) to the internet uses a specific public IP (203.0.113.10) for source NAT, and that the same public IP is also used for inbound connections to an internal web server (10.0.1.10) on port 443. Which TWO configurations are required? (Choose two.)

63

A FortiGate admin is troubleshooting an issue where traffic from VLAN 10 to the internet is not being NATed even though a policy-based NAT rule is configured. The admin verifies that the firewall policy uses the correct IP Pool. Which THREE steps should the admin take to diagnose the problem? (Choose three.)

64

A FortiGate admin needs to block all traffic from the 'Guest' VLAN (192.168.100.0/24) to the internal network (10.0.0.0/8) except for DNS traffic (UDP 53) to the internal DNS server at 10.0.0.10. Which TWO firewall policy configuration elements are required to achieve this? (Choose two.)

65

A network administrator needs to allow only HTTPS traffic from the internal network (10.0.0.0/8) to the public DNS server (8.8.8.8). Which firewall policy configuration BEST enforces this restriction?

66

An administrator configures a firewall policy allowing traffic from the internal network to the internet with NAT enabled. Users report that some outbound connections fail intermittently. The administrator runs 'diagnose sys session list' and sees many sessions in 'proto_state=01' with a short TTL. What is the most likely cause?

67

A FortiGate administrator needs to ensure that traffic from the LAN (192.168.1.0/24) to the DMZ (10.0.0.0/24) uses a specific outbound interface (port3) instead of the default route. Which feature should be configured to achieve this?

68

An administrator configures a VIP for inbound HTTP traffic to an internal server (192.168.1.10:80). External users can reach the server via the VIP, but internal users on the same subnet as the server cannot access the server using its public IP. What is the most likely cause?

69

A FortiGate has two firewall policies: Policy 1 (ID 1) allows HTTP from any to 10.0.0.0/8, and Policy 2 (ID 2) denies all traffic from 192.168.1.0/24 to any. Traffic from 192.168.1.10 to 10.0.0.5 on port 80 is received. Which policy will match first?

70

An administrator needs to allow VoIP traffic from a remote branch (192.168.2.0/24) to the main office (10.0.0.0/8) using UDP ports 5060 and 10000-20000. What is the most efficient way to define the service in the firewall policy?

71

An administrator configures Central SNAT with a dynamic IP pool for internet-bound traffic. Some users report that certain applications fail when they should be translated to a specific public IP. The administrator checks the policy-based NAT rules and finds none. What is the most likely reason for the failure?

72

Which statement about the implicit deny policy at the bottom of the firewall policy list is true?

73

An administrator wants to log all traffic that is denied by the implicit deny rule. How can this be achieved?

74

An administrator needs to allow traffic from a guest network (192.168.100.0/24) to the internet only during business hours (Mon-Fri, 08:00-18:00). The administrator creates a schedule object and applies it to the firewall policy. However, guests can still access the internet outside of the schedule. What is the most likely cause?

75

An administrator needs to translate a single internal server (192.168.1.10:8080) to a public IP (203.0.113.10:80) so that external users can access it via HTTP. Which type of VIP should be configured?

76

An administrator runs 'diagnose firewall iprope list 100000' and sees 'action=deny' entries for traffic that should be allowed. The policy list shows an allow policy with ID 1 for that traffic. What is the most likely cause of the deny?

77

A FortiGate administrator needs to allow SMTP traffic (TCP port 25) from the internal network (10.0.0.0/8) to a mail server in the DMZ (172.16.0.10). The administrator wants to apply an antivirus profile and log all sessions. Which THREE configuration steps are required?

78

An administrator needs to configure outbound NAT for 200 internal users using a single public IP (203.0.113.1). The public IP provides 2000 ports. Some applications require a deterministic source port range for logging. Which TWO NAT settings should be used?

79

A company has two internet connections (WAN1 and WAN2). The administrator wants to route HTTP traffic from the internal network through WAN1, and all other traffic through WAN2. Which TWO configurations are needed?

80

A network administrator creates a firewall policy allowing HTTP traffic from the internal network to a web server in the DMZ. Users report that they cannot access the web server. The administrator runs 'diagnose firewall iprope list' and sees the policy is present. What is the MOST likely cause of the issue?

81

An administrator needs to allow outbound DNS traffic (UDP port 53) from multiple internal subnets to the internet. Which object type should be used to group the subnets into a single source in the firewall policy?

82

A FortiGate administrator configures a policy-based NAT using an IP pool with type 'Fixed Port Range' for internal users accessing a specific external server. Users report that after some time, they cannot establish new connections to the server. 'diagnose ip pool list' shows many entries with 'used_port=65535'. What is the MOST likely cause?

83

An administrator creates a firewall policy with a traffic shaper to limit bandwidth for guest wireless users. After applying the policy, users can still consume high bandwidth. The administrator confirms the policy is matching. What is the MOST likely reason the traffic shaper is not effective?

84

What is the default action of the implicit deny policy at the end of the firewall policy list?

85

A FortiGate administrator wants to ensure that traffic from the internal network to an external FTP server uses a specific source IP address (203.0.113.10). The internal network uses RFC 1918 addresses. Which NAT configuration should be used?

86

An administrator configures a firewall policy with a schedule object that is set to 'Available: Mon-Fri 09:00-17:00'. At 10:00 AM on Saturday, users report they cannot access the resource. The administrator checks the policy list and sees the policy is enabled. What is the MOST likely reason?

87

Which of the following best describes a Virtual IP (VIP) in FortiGate?

88

An administrator runs 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and sees the following session entry:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?
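Questions 22, 43, 52 and 88 all turn on reading one line of session-table output. The parser below is an added example written for this page, not Courseiva's or Fortinet's code. It pulls the key=value fields out of a 'diagnose sys session list' entry, decodes the second digit of proto_state for TCP with the state table Fortinet documents for the session list (the leading digit is a client-side marker and is left undecoded), and uses the duration and expire counters to say how recently the session saw traffic. The sample entry is constructed from the line quoted in the questions, and the 3600-second TTL is an assumption (the default session-ttl, which a policy, service or session-ttl entry can override).

```python
"""Parse a FortiGate 'diagnose sys session list' entry and decode proto_state."""
import re
from typing import Dict

# Second digit of proto_state for TCP (proto=6), per the documented session table.
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN/SYN-ACK",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}
# For UDP (proto=17) the two digits only say whether a reply has been seen.
UDP_STATES = {"00": "UNREPLIED", "01": "REPLIED"}

# Assumption: the default session TTL of 3600 s; overrides change this value.
DEFAULT_TTL = 3600

# Constructed sample, built from the entry quoted in the questions.
SAMPLE_ENTRY = "session info: proto=6 proto_state=01 duration=3600 expire=3599"

_KV = re.compile(r"(\w+)=(\S+)")


def parse_session(line: str) -> Dict[str, object]:
    """Extract the fields this example needs from one session line."""
    fields = dict(_KV.findall(line))
    missing = [k for k in ("proto", "proto_state", "duration", "expire") if k not in fields]
    if missing:
        raise ValueError(f"session entry lacks {missing}")
    return {
        "proto": int(fields["proto"]),
        "proto_state": fields["proto_state"],
        "duration": int(fields["duration"]),
        "expire": int(fields["expire"]),
    }


def decode_state(proto: int, proto_state: str) -> str:
    """Human-readable state for a (proto, proto_state) pair."""
    if len(proto_state) != 2 or not proto_state.isdigit():
        raise ValueError(f"unexpected proto_state {proto_state!r}")
    if proto == 6:
        return TCP_STATES[proto_state[1]]
    if proto == 17:
        return UDP_STATES.get(proto_state, "UNKNOWN")
    return "N/A"


def summarize(line: str, ttl: int = DEFAULT_TTL) -> Dict[str, object]:
    """Decode one entry and work out how recently it was refreshed.

    'duration' counts up from session creation. 'expire' counts down and is
    reset to the TTL whenever a packet matches the session, so ttl - expire is
    the number of seconds since the last packet. A duration of 3600 next to an
    expire of 3599 therefore describes an hour-old session that was refreshed a
    second ago, not one about to time out.
    """
    s = parse_session(line)
    s["state"] = decode_state(s["proto"], s["proto_state"])
    s["last_packet_seconds_ago"] = max(0, ttl - s["expire"])
    return s


if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRY))
```

The parser deliberately fails on a line that lacks any of the four fields rather than guessing: a truncated or misread entry should never be interpreted as an established session.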

89

A FortiGate is configured with multiple VDOMs. The administrator creates a firewall policy in VDOM A that allows traffic from VDOM A to VDOM B using inter-VDOM links. Users in VDOM A can initiate traffic, but return traffic from VDOM B is not reaching them. What is the MOST likely cause?

90

An administrator needs to block traffic from a specific geographic region (e.g., country) from reaching the corporate web server. Which type of address object should be used to define the source?

91

What is the purpose of policy-based routing (PBR) in FortiGate?

92

A FortiGate administrator needs to allow inbound HTTPS traffic to a web server located at 192.168.1.10. The public IP is 203.0.113.5. The administrator wants to translate the destination to the internal server and also translate the source port to a fixed range for logging purposes. Which TWO configuration elements are required?

93

An administrator is troubleshooting why traffic from a specific subnet (192.168.10.0/24) to the internet is not being matched by the expected firewall policy. The policy list shows an allow policy for this traffic at ID 10, but there is a deny policy at ID 5 for any traffic from 192.168.0.0/16. Which TWO statements are correct?

94

A FortiGate administrator is configuring a policy-based routing (PBR) rule to send all traffic from the 'Engineering' VLAN (10.1.0.0/16) to a dedicated internet link through gateway 203.0.113.1. The administrator also wants to apply a traffic shaper to limit bandwidth. Which THREE configuration tasks must be performed?

95

A network admin configures a firewall policy allowing HTTP traffic from internal users to an external web server. The policy uses a service object 'HTTP' defined as TCP/80. However, users cannot reach the server. What is the MOST likely cause?

96

A FortiGate administrator needs to ensure that all internal users (10.0.0.0/8) accessing the internet use a single public IP address 203.0.113.10 for source NAT. Which NAT configuration should be used?

97

An admin runs the command 'diagnose firewall iprope list 100000' and sees the following output:
id=2000000000 action=deny flag=0x0 src-interface=any dst-interface=any proto=0 src-addr=0.0.0.0-255.255.255.255 dst-addr=0.0.0.0-255.255.255.255
What does this entry represent?

98

A company wants to allow FTP (TCP ports 20-21) from their internal network (192.168.1.0/24) to a specific external server (203.0.113.50). They also need to inspect FTP traffic for viruses. What should the admin configure?

99

An admin wants to block access to malicious websites using FortiGuard Web Filtering. Which policy configuration is necessary to apply the web filter profile to HTTP/HTTPS traffic?

100

A FortiGate is configured with multiple policies. The first policy allows traffic from 10.0.0.0/8 to any destination. The second policy denies traffic from 10.0.1.0/24 to any destination. What happens when a packet from 10.0.1.5 to 8.8.8.8 arrives?
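Questions 37, 69 and 100 are all the same mechanism: policies are evaluated from the top of the list down, the first policy whose interfaces, addresses and service all match is taken, and anything that matches nothing falls to the implicit deny (policy ID 0). The code below is an added example written for this page, not Courseiva's or Fortinet's, that models that lookup and adds the check a practitioner actually wants when auditing such a list: which policies are shadowed, that is, can never match because a policy above them already covers every packet they would. The three policy lists are constructed from the questions; where a question gave no interfaces or service (69 and 100), "any" and "ALL" are assumed.

```python
"""Top-down, first-match policy lookup with implicit deny, plus a shadowing check."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

IMPLICIT_DENY_ID = 0  # the implicit deny at the bottom of the list is policy ID 0


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str   # interface name, or "any"
    dstintf: str
    srcaddr: str   # CIDR, or "any"
    dstaddr: str
    service: str   # "ALL" or "<PROTO>/<port>", e.g. "TCP/80"
    action: str    # "accept" or "deny"


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str = "TCP"
    dport: int = 0


def _intf_match(rule: str, value: str) -> bool:
    return rule == "any" or rule == value


def _addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or ip_address(addr) in ip_network(rule, strict=False)


def _svc_match(rule: str, pkt: Packet) -> bool:
    if rule == "ALL":
        return True
    proto, port = rule.split("/")
    return pkt.proto == proto and pkt.dport == int(port)


def lookup(policies: List[Policy], pkt: Packet) -> Tuple[int, str]:
    """Return (id, action) of the first matching policy in list order, else the implicit deny."""
    for p in policies:
        if (_intf_match(p.srcintf, pkt.srcintf) and _intf_match(p.dstintf, pkt.dstintf)
                and _addr_match(p.srcaddr, pkt.src) and _addr_match(p.dstaddr, pkt.dst)
                and _svc_match(p.service, pkt)):
            return p.id, p.action
    return IMPLICIT_DENY_ID, "deny"


def _addr_covers(outer: str, inner: str) -> bool:
    """True when every address matched by 'inner' is also matched by 'outer'."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_policies(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never match because a policy above them covers them entirely."""
    dead = []
    for i, lower in enumerate(policies):
        for upper in policies[:i]:
            if (_intf_match(upper.srcintf, lower.srcintf) and _intf_match(upper.dstintf, lower.dstintf)
                    and _addr_covers(upper.srcaddr, lower.srcaddr)
                    and _addr_covers(upper.dstaddr, lower.dstaddr)
                    and upper.service in ("ALL", lower.service)):
                dead.append(lower.id)
                break
    return dead


# Question 37 as listed: the deny for 172.16.0.0/12 sits below a broader accept.
Q37 = [
    Policy(1, "port1", "port2", "10.0.0.0/8", "any", "ALL", "accept"),
    Policy(2, "port1", "port2", "10.0.0.0/8", "172.16.0.0/12", "ALL", "deny"),
    Policy(3, "port1", "port2", "any", "any", "ALL", "accept"),
]
# Question 100: a /24 deny under a /8 accept (interfaces and service assumed).
Q100 = [
    Policy(1, "any", "any", "10.0.0.0/8", "any", "ALL", "accept"),
    Policy(2, "any", "any", "10.0.1.0/24", "any", "ALL", "deny"),
]
# Question 69: HTTP accept above a source-based deny (interfaces assumed).
Q69 = [
    Policy(1, "any", "any", "any", "10.0.0.0/8", "TCP/80", "accept"),
    Policy(2, "any", "any", "192.168.1.0/24", "any", "ALL", "deny"),
]

if __name__ == "__main__":
    pkt = Packet("port1", "port2", "10.0.1.5", "172.16.0.1", dport=80)
    print("Q37:", lookup(Q37, pkt), "shadowed:", shadowed_policies(Q37))
```

Run against question 37's list, the lookup returns policy 1 and the shadowing check reports policy 2 as dead: the specific deny has to sit above the broad accept to ever take effect. Question 69's deny is not shadowed, because policy 1 only covers HTTP to 10.0.0.0/8; it still matches nothing for port 80 from 192.168.1.0/24 to that range, which is the ordering trap the question is probing.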

101

An administrator wants to allow SSH access from the internet to a server inside the network at 192.168.1.10. Which NAT configuration is needed?

102

A FortiGate admin runs 'diagnose sys session filter src 10.0.0.10' and gets no output. What does this indicate?

103

An organization needs to restrict internet access for employees to business hours only (Monday to Friday, 8:00 to 18:00). Which object should the admin use in the firewall policy?

104

Which statement best describes the 'implicit deny' policy on a FortiGate?

105

A FortiGate has a policy that allows traffic from 10.0.0.0/8 to any destination with NAT enabled using an IP pool 'Pool1' (203.0.113.10-203.0.113.20). The admin notices that internal servers using fixed ports (e.g., SIP) are failing. What is the likely cause?

106

An admin needs to create a firewall policy that matches traffic based on the destination being a specific geographic location (e.g., France). Which address object should be used?

107

A FortiGate admin is troubleshooting an issue where internal users cannot access a specific external service over TCP/443. The admin confirms that the firewall policy allows HTTP/HTTPS. Which TWO CLI commands should the admin use to diagnose? (Choose two.)

108

An organization wants to implement least privilege for firewall policies. Which THREE best practices should be followed? (Choose three.)

109

A FortiGate admin needs to configure source NAT for traffic from the internal network (10.0.0.0/8) to the internet. The requirement is to translate all internal IPs to a range of public IPs (203.0.113.1-203.0.113.10) while preserving the source port for specific applications. Which TWO configurations can achieve this? (Choose two.)

110

A FortiGate admin has configured a firewall policy allowing traffic from the internal network (10.0.1.0/24) to the internet (any). Users report that they cannot access a specific website (203.0.113.5). The admin runs 'diagnose firewall fqdn list' and sees that the FQDN object used in a policy above the allow policy resolves to an IP that includes 203.0.113.5. What is the MOST likely cause?

111

An admin needs to ensure that all traffic from the 10.0.1.0/24 network to the internet uses a specific public IP address (203.0.113.10) as the source IP, with port translation enabled. The FortiGate has multiple WAN interfaces. Which NAT configuration should the admin use on the firewall policy?

112

A FortiGate admin configures a firewall policy to allow outbound HTTP traffic and applies a web filter profile. The admin notices that some users can access a known malicious URL while others are blocked. All users are in the same source subnet (10.0.1.0/24). What is the MOST likely cause of this inconsistent behavior?

113

A FortiGate administrator wants to allow traffic from the internal network to a specific external server using its fully qualified domain name (FQDN) rather than an IP address, because the server's IP changes frequently. Which type of address object should the administrator create for the destination?

114

An admin runs 'diagnose sys session filter saddr 10.0.1.10' and 'diagnose sys session list' to check sessions from a specific internal host. The output shows multiple sessions with destination IP 203.0.113.50 using source port 12345. The admin then checks the firewall policy and sees that the policy uses an IP pool for source NAT. What does the source port 12345 indicate?

115

A company has a FortiGate with two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to ensure that traffic from a specific internal server (10.0.1.100) destined to the internet always exits via port2, while all other traffic uses port1. Which feature should the admin configure on the firewall policy for that server?

116

A FortiGate has a firewall policy with NAT enabled using an IP pool of type 'Fixed Port Range'. The pool range is 203.0.113.10-203.0.113.20 with port range 10000-20000. A user initiates a connection to an external server. Which of the following describes how the FortiGate will assign the source address and port?
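Questions 58, 60, 78 and 116 each hinge on how a particular IP-pool type hands out addresses and ports. The model below is an added example written for this page, not Courseiva's or Fortinet's code. It shows three behaviours side by side: an Overload pool doing port address translation, including port preservation and what happens when every public ip:port pair is in use (question 58's "new connections fail after a few hours"); a One-to-One pool walking the internal and external ranges in parallel so that 10.0.1.5 in 10.0.1.0/28 becomes the fifth address of 203.0.113.16/28 (question 60); and a Fixed Port Range pool giving each internal host a deterministic public IP and port block (question 116). Two things are assumptions rather than Fortinet's documented arithmetic: the real Overload allocator keys on the destination as well, so it can reuse a source port toward different destinations, and the fixed-port-range block layout here (hosts dealt across pool IPs in order, each IP's port range split evenly) is a simplification. The internal range 10.0.1.0/24 paired with question 116's pool is also assumed, since the question does not state one.

```python
"""Overload, one-to-one and fixed-port-range IP pools modelled in Python."""
from ipaddress import IPv4Address, ip_address, ip_network
from math import ceil
from typing import Dict, List, Optional, Tuple


def ip_range(start: str, end: str) -> List[IPv4Address]:
    """Expand a pool's start-end pair into the list of public addresses."""
    a, b = ip_address(start), ip_address(end)
    if b < a:
        raise ValueError("pool end address precedes start address")
    return [IPv4Address(int(a) + i) for i in range(int(b) - int(a) + 1)]


class OverloadPool:
    """PAT behind one or more public IPs: each session needs a unique (ip, port)."""

    def __init__(self, start: str, end: str, port_lo: int = 1024, port_hi: int = 65535):
        self.ips = ip_range(start, end)
        self.ports = range(port_lo, port_hi + 1)
        self.in_use: Dict[Tuple[IPv4Address, int], Tuple[str, int]] = {}

    def capacity(self) -> int:
        return len(self.ips) * len(self.ports)

    def translate(self, src: str, sport: int) -> Optional[Tuple[IPv4Address, int]]:
        """Allocate a translated (ip, port), keeping the original port when free.

        Returns None once every pair is taken: new sessions then fail while
        existing ones keep working, which is the symptom in question 58.
        (Simplification: the real allocator also keys on the destination.)
        """
        for ip in self.ips:                       # port preservation first
            if sport in self.ports and (ip, sport) not in self.in_use:
                self.in_use[(ip, sport)] = (src, sport)
                return ip, sport
        for ip in self.ips:                       # then any free port
            for port in self.ports:
                if (ip, port) not in self.in_use:
                    self.in_use[(ip, port)] = (src, sport)
                    return ip, port
        return None

    def release(self, ip: IPv4Address, port: int) -> None:
        """Session expiry gives the pair back; until then the port is unavailable."""
        self.in_use.pop((ip, port), None)


def one_to_one(internal: str, external: str, host: str) -> IPv4Address:
    """One-to-one pool: the n-th internal address maps to the n-th external one, ports untouched."""
    inet, enet = ip_network(internal, strict=False), ip_network(external, strict=False)
    if enet.num_addresses < inet.num_addresses:
        raise ValueError("external range is smaller than the internal range")
    h = ip_address(host)
    if h not in inet:
        raise ValueError(f"{host} is outside {internal}; the pool does not apply")
    return IPv4Address(int(enet.network_address) + (int(h) - int(inet.network_address)))


def fixed_port_range(pool_start: str, pool_end: str, port_lo: int, port_hi: int,
                     internal: str, host: str) -> Tuple[IPv4Address, int, int]:
    """Fixed port range: each internal host always gets the same public IP and port block.

    Assumed layout (not Fortinet's exact arithmetic): internal hosts are dealt
    across the pool IPs in order, and each IP's port range is split evenly among
    the hosts assigned to it. The point is determinism: a public ip:port in a log
    can be attributed back to exactly one internal host.
    """
    ips = ip_range(pool_start, pool_end)
    inet = ip_network(internal, strict=False)
    h = ip_address(host)
    if h not in inet:
        raise ValueError(f"{host} is outside {internal}; the pool does not apply")
    hosts_per_ip = ceil(inet.num_addresses / len(ips))
    block = (port_hi - port_lo + 1) // hosts_per_ip
    if block < 1:
        raise ValueError("port range too small for the internal range")
    idx = int(h) - int(inet.network_address)
    ext_ip = ips[idx // hosts_per_ip]
    lo = port_lo + (idx % hosts_per_ip) * block
    return ext_ip, lo, lo + block - 1


if __name__ == "__main__":
    print(one_to_one("10.0.1.0/28", "203.0.113.16/28", "10.0.1.5"))
    print(fixed_port_range("203.0.113.10", "203.0.113.20", 10000, 20000, "10.0.1.0/24", "10.0.1.5"))
```

With question 116's pool of eleven public addresses and 10001 ports each, a /24 of internal hosts works out to 24 hosts per public IP and a block of 416 ports per host, so the block size, not the pool size, is the ceiling on concurrent sessions for any one host. That is the trade the fixed-port-range type makes: attributable logs in exchange for a hard per-host limit.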

117

An administrator is creating firewall policies for a FortiGate that separates the internal network (10.0.1.0/24) from a DMZ (192.168.1.0/24). The goal is to allow HTTP traffic from the internal network to the DMZ web server (192.168.1.10) but deny all other traffic. What is the recommended security posture for the implicit deny policy?

118

A FortiGate administrator is configuring a Virtual IP (VIP) to allow external users to access an internal web server (192.168.1.10) using the public IP 203.0.113.10 on port 80. The admin creates a VIP with mapped IP 192.168.1.10 and port 80. A firewall policy is created from WAN to DMZ with destination set to the VIP. External users report that they can access the web server. What additional step is needed to allow the internal server to respond correctly?

119

An administrator needs to block access to specific websites based on their FQDN (e.g., *.example.com). The FortiGate should match the destination domain regardless of the IP address the domain resolves to. Which type of address object should the admin use in the firewall policy destination?

120

A FortiGate has two firewall policies: Policy ID 1 (source: 10.0.1.0/24, destination: 203.0.113.0/24, action: allow, NAT: enabled) and Policy ID 2 (source: 10.0.1.0/24, destination: all, action: allow, NAT: enabled, IP pool: pool1). A user from 10.0.1.10 sends traffic to 203.0.113.5. Which policy will the traffic match and why?

121

An admin configures a firewall policy with a schedule object that restricts access to Monday to Friday from 9:00 to 17:00. A user attempts to connect on Saturday at 10:00. Which of the following best describes what happens?

122

A FortiGate admin is troubleshooting an issue where traffic from a specific internal host (10.0.1.50) to the internet is not being NATed as expected. The firewall policy has NAT enabled with an IP pool of type Overload. Which TWO conditions could cause the traffic to bypass the IP pool?

123

An admin needs to configure a FortiGate to allow multiple internal servers to be accessible from the internet using the same public IP but different ports. For example, internal server A (192.168.1.10:80) should be reachable via 203.0.113.10:8080, and internal server B (192.168.1.20:443) via 203.0.113.10:8443. Which TWO configuration steps are required?

124

A FortiGate admin is creating a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network. The admin wants to ensure that traffic is inspected by security profiles (antivirus, web filter). Which THREE of the following must be configured on the firewall policy to achieve this?

125

A network administrator notices that traffic from the internal network (10.0.1.0/24) to the internet is not being matched by the intended firewall policy (ID 10). The policy uses source address 'internal_subnet' (10.0.1.0/24) and destination address 'all'. There is another policy (ID 5) with source 'all' and destination 'all' that also matches this traffic. What is the most likely reason policy 10 is not being matched?

126

A FortiGate administrator needs to create a firewall policy that allows outbound traffic to the internet but denies access to a specific list of malicious IP addresses. The malicious IP list is updated frequently. Which address object type should be used for the destination addresses to block?

127

You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate?

128

A FortiGate administrator configures a Central SNAT policy to translate internal IPs to a single public IP for internet access. However, traffic from a specific internal server (10.0.1.100) must use a different public IP. The administrator also creates a policy-based NAT rule in the firewall policy for that server. Which NAT method takes precedence?

129

An administrator wants to restrict access to a web server from only specific countries. The FortiGate is located at the network edge. Which address object type should be used in the source field of the firewall policy?

130

A FortiGate has multiple WAN interfaces (port1, port2) connected to different ISPs. The administrator wants traffic from the internal network to use port1 for general internet access but use port2 for traffic to a specific cloud service (203.0.113.0/24). Which feature should be used to achieve this?

131

An administrator configures a Virtual IP (VIP) to map public IP 203.0.113.10 to internal server 10.0.1.10 on port 443. The firewall policy uses the VIP as the destination address. External users report they cannot connect. The administrator checks the policy and sees the destination interface is 'wan1' and source interface is 'wan1'. What is the most likely issue?

132

An administrator needs to ensure that a firewall policy applies only during business hours (Monday to Friday, 9:00 AM to 6:00 PM). What object should be configured and applied to the policy?

133

Which of the following describes the implicit deny action in FortiGate firewall policies?

134

An administrator configures a firewall policy with source address 'internal_net' (10.0.0.0/16) and destination address 'server_farm' (10.10.10.0/24). The action is set to ACCEPT with NAT enabled. However, traffic from 10.0.1.100 to 10.10.10.50 is being denied. What is the most likely cause?

135

An administrator configures a VIP for port forwarding: public IP 203.0.113.10 port 8080 to internal server 10.0.1.10 port 80. External users can connect to http://203.0.113.10:8080 but receive a timeout. The firewall policy allows traffic from any to the VIP on destination port 8080. The internal server is reachable from internal hosts. What is the most likely problem?

136

An administrator wants to limit the bandwidth for a specific application (e.g., YouTube) across all users. The administrator creates a traffic shaper and applies it to the firewall policy. What additional configuration is needed to identify YouTube traffic?

137

A FortiGate administrator needs to configure source NAT for a group of internal servers (10.0.1.100-10.0.1.110) so that each server uses a unique public IP from the range 203.0.113.20-203.0.113.30. The requirement is that each internal IP maps to a fixed external IP (one-to-one mapping) and not port overload. Which TWO settings should be configured in the IP Pool? (Choose two.)

138

An administrator notices that VoIP traffic (SIP) is not being inspected by the IPS profile applied to the firewall policy. The administrator suspects the traffic is being accelerated by NPU offloading. Which TWO actions can prevent NPU offloading for SIP traffic to ensure IPS inspection? (Choose two.)

139

Which THREE of the following are valid address object types in FortiGate? (Choose three.)

140

A network administrator has configured a firewall policy allowing traffic from the internal network (10.0.0.0/8) to the internet. Users report that some websites are not loading. The administrator runs 'diagnose firewall iprope list 100000' and sees the policy listed with a hit count of zero. What is the MOST likely cause?

141

Which of the following statements about FortiGate policy lookup order is correct?

142

An administrator needs to configure a firewall policy that allows internal users to access a specific web server on the internet using its domain name. The web server's IP address may change. Which type of address object should be used as the destination in the policy?

143

You run the following command on a FortiGate: 'diagnose sys session filter dport 443' and see:
proto=6 proto_state=01 duration=3600 expire=3599
What does this output indicate?

144

A FortiGate administrator wants to ensure that traffic from the 192.168.1.0/24 network to the internet is translated to a single public IP address using overload (PAT). Which NAT configuration should be used?

145

An organization has a FortiGate with two internet connections (WAN1 and WAN2). They want traffic to a specific web service (203.0.113.50 port 443) to always exit via WAN2. All other internet traffic should use WAN1. Which feature should be used to achieve this?

146

What is the purpose of the 'implicit deny' policy on a FortiGate?

147

An administrator configures a Virtual IP (VIP) to map the public IP 203.0.113.10 port 8080 to the internal server 192.168.1.100 port 80. External users report they cannot connect. The firewall policy allows inbound traffic to the VIP. What is the MOST likely missing configuration?

148

You execute 'get firewall policy 5' and see the following output:
policyid=5 name="test" status=enable schedule="always" logtraffic=all
What does 'logtraffic=all' mean?

149

Which address object type can be used to match traffic based on the source country?

150

A FortiGate administrator observes that traffic from a specific subnet is being denied even though there is an allow policy for that subnet. The administrator checks the policy list and sees an explicit deny policy above the allow policy. What should the administrator do to allow the traffic?

151

An administrator configures a policy-based NAT rule to translate traffic from 10.0.0.0/8 to 203.0.113.1 using an IP Pool with overload. Later, they also enable Central SNAT for the same traffic. The traffic is not being NATed as expected. What is the MOST likely reason?

152

A FortiGate administrator is troubleshooting why traffic from a specific internal host is not being allowed through a firewall policy. The policy appears correct and is enabled. Which TWO diagnostic commands could the administrator use to determine if the traffic is matching a different policy?

153

A company needs to allow inbound HTTPS traffic from the internet to a web server behind the FortiGate. The public IP is 203.0.113.10, and the internal server is 192.168.1.10. The server must receive the original source IP of the client. Which THREE configurations are required to achieve this?

154

An administrator wants to configure traffic shaping to limit bandwidth for YouTube video streaming. Which THREE objects or settings must be configured on the FortiGate to apply traffic shaping?

155

A FortiGate administrator configures a firewall policy to allow HTTP traffic from internal users to the internet. The policy uses source address 'internal_subnet', destination address 'all', and service 'HTTP'. After applying the policy, users report they cannot access websites. What is the most likely cause?

156

A FortiGate administrator needs to create a firewall policy that allows traffic from the internal network (10.0.0.0/8) to a public web server (203.0.113.10) on port 443. The policy must also perform source NAT using the FortiGate's external IP (198.51.100.1). Which NAT configuration should be applied?

157

A FortiGate has the following policy list: ID 1: allow from trust to untrust, source 10.0.0.0/24, destination all, service HTTP, NAT enabled. ID 2: allow from trust to untrust, source 10.0.1.0/24, destination all, service ALL, NAT enabled. A host 10.0.1.50 sends an HTTP request to 203.0.113.5. Which policy matches?

158

An administrator wants to allow access to an internal web server from the internet using a public IP address 203.0.113.10. The internal server has IP 10.0.0.5. Which FortiGate feature should be configured to translate the destination IP?

159

A FortiGate administrator runs the following commands and sees output:
diagnose sys session filter dport 443
diagnose sys session list
...
proto=6 proto_state=01 duration=3600 expire=3599
What does this output indicate about the session?

160

A FortiGate has a policy that enables NAT with an IP pool that uses overload (port address translation). The administrator notices that some applications are failing because they require a fixed source port range. What should the administrator do to resolve this?

161

A FortiGate administrator needs to block all traffic from a specific geographic region (country) from accessing the internal network. Which type of address object should be used in the firewall policy?

162

An administrator has configured a firewall policy that allows outbound traffic from a subnet to the internet, with NAT enabled. The external IP is 203.0.113.1. However, the administrator wants all traffic from a specific internal server (10.0.0.10) to appear with source IP 203.0.113.2. What should the administrator do?

163

A FortiGate has multiple VDOMs. The administrator needs to allow traffic from VDOM A (port1) to VDOM B (port2). What type of firewall policy is required?

164

A FortiGate is configured with two policies: Policy A allows traffic from trust to untrust with schedule 'WorkHours' (Mon-Fri 9-17). Policy B allows traffic from trust to untrust with schedule 'Always'. A user sends traffic at 8:00 AM on Saturday. Which policy matches?

165

An administrator needs to apply traffic shaping to limit bandwidth for video streaming traffic on a firewall policy. Which configuration step is required?

166

A FortiGate administrator wants to create a firewall policy that matches traffic based on the destination domain name (e.g., *.example.com). Which type of address object should be used?

167

A FortiGate administrator is troubleshooting a connectivity issue where internal clients cannot reach a public web server. The administrator has confirmed that routing is correct and there are no security profiles blocking traffic. Which TWO debugging steps should the administrator take? (Choose two.)

168

An administrator needs to configure destination NAT for multiple internal servers using a single public IP address by differentiating based on destination port. The public IP 203.0.113.10 should map to: (A) 10.0.0.1:80 for HTTP, (B) 10.0.0.2:443 for HTTPS. Which TWO configuration steps are required? (Choose two.)

169

A FortiGate administrator is implementing a policy to allow outbound traffic from the internal network to the internet. The requirements are: (1) all traffic from internal users must be source NATed to the external interface IP, (2) traffic from a specific server must use a different public IP, (3) HTTP traffic must be shaped to 10 Mbps. Which THREE configuration elements should the administrator create? (Choose three.)

170

A FortiGate admin creates a new firewall policy with source address object 'Internal_Net' and destination 'All'. After saving, traffic from 'Internal_Net' is not matching the new policy but instead matches an older policy with a broader source. What is the MOST likely cause?

171

An admin needs to allow outbound HTTP and HTTPS traffic from the internal network to the internet. Which two built-in service objects can be used in a single firewall policy to achieve this?

172

A FortiGate has a central SNAT policy that translates internal users to a single IP pool address. The admin wants specific traffic (e.g., from a particular subnet) to use a different IP pool. What is the correct approach?

173

An admin configures a firewall policy to allow SMTP traffic from a mail server to the internet with NAT enabled. External recipients report that the email source IP is the FortiGate's external interface IP. The admin wants the source to be a specific IP from a pool. What should the admin configure?

174

A FortiGate policy allows traffic from the internal network to a DMZ server. The admin wants to limit access to only specific hours. Which object type should be used in the policy?

175

An admin runs 'diagnose sys session filter dport 443' and sees output showing sessions with 'proto=6' and 'expire=3599'. The admin notices that these sessions are not being cleaned up after the firewall policy that allowed them is deleted. What is the reason?

176

A company has a FortiGate with multiple VDOMs. An admin creates a firewall policy in the root VDOM to allow traffic from a subnet to the internet. The traffic is not matching the policy. What is the most likely cause?

177

An admin configures a VIP to map a public IP to an internal server. The firewall policy uses the VIP as the destination. External users can access the server, but the server's logs show the source IP as the FortiGate's internal interface IP instead of the original client IP. Why is this happening?

178

Which statement best describes the implicit deny policy at the end of a FortiGate policy list?

179

An admin needs to allow traffic from a specific IP to a web server on port 8080. The web server is behind a VIP that forwards port 80 to port 8080. When configuring the security policy, which destination should be used?

180

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from a specific subnet out of a particular interface. The admin also has a firewall policy allowing that subnet to the internet. However, the traffic is not being routed as expected. What could be the issue?

181

An admin wants to allow traffic only from specific countries to access a web server. Which type of address object should be used in the firewall policy?

182

An admin is troubleshooting why traffic from a specific host (10.0.1.10) to a web server (203.0.113.50:80) is being denied. The FortiGate has several policies. Which TWO CLI commands should the admin use to identify which policy is matching the traffic? (Choose two.)

183

An admin needs to configure NAT for internal users accessing the internet. The requirements are: 1) All internal users must be translated to a single public IP. 2) The translation should use port address translation (PAT). 3) The configuration must allow tracking of which internal user initiated a connection. Which THREE settings must be configured? (Choose three.)

184

An admin is configuring a firewall policy to allow FTP traffic from a client to a server. The server is behind a VIP that translates public IP 203.0.113.10 port 21 to private IP 10.0.0.10 port 21. The admin wants to ensure the FTP data channel works correctly. Which TWO additional configurations are required? (Choose two.)

185

A network admin runs 'diag sys session filter proto 6' and 'diag sys session list' and sees many sessions with state 'SYN_SENT' to a public web server. The firewall policy allows TCP/443. What is the MOST likely cause?

186

An admin wants to block all traffic from the internet to a specific internal server except for the IP address 203.0.113.50. Which firewall policy configuration achieves this using the principle of least privilege?

187

A FortiGate has policy-based NAT enabled. The admin wants to translate the source IP of internal users to the interface IP for internet traffic. The firewall policy has NAT enabled. However, traffic from the internal network to the internet shows the original source IP instead of the interface IP. What is the MOST likely reason?

188

An admin creates a firewall policy allowing HTTP traffic from internal users to the internet. Users complain that they cannot access HTTPS websites. The admin checks and sees that the policy only has HTTP service. What is the BEST course of action to allow HTTPS while maintaining security?

189

What is the order of evaluation for firewall policies on a FortiGate?

190

An admin configures a VIP to map public IP 203.0.113.10 to internal server 10.0.1.100 on port 80. External users can reach the server via the public IP. However, internal users cannot access the server using the public IP. What is the MOST likely cause?

191

You run the following CLI commands on a FortiGate:
# diagnose debug flow filter saddr 192.168.1.10
# diagnose debug flow show function enable
# diagnose debug enable
You then initiate a ping from 192.168.1.10 to 8.8.8.8. The output shows 'no matching policy'. What does this indicate?

192

An admin configures a central SNAT rule to translate source IP 10.0.0.0/24 to IP pool 203.0.113.1-203.0.113.10 using overload (PAT). A policy-based NAT on a specific policy also translates the same source to the interface IP. Traffic from 10.0.0.0/24 to the internet shows source IP as the interface IP, not from the IP pool. What is the reason?

193

Which address object type allows you to match traffic based on the domain name in the HTTPS SNI field?

194

An admin wants to apply different QoS markings to traffic from two different departments. The admin creates two firewall policies: one for Sales (policy ID 1) and one for Engineering (policy ID 2). Both policies have traffic shaping enabled. However, traffic from both departments receives the same QoS marking. What is the MOST likely mistake?

195

A FortiGate with multiple VDOMs has a policy that allows traffic from VDOM A to VDOM B. The admin notices that traffic from VDOM A to a specific server in VDOM B is being dropped. The session log shows 'deny by forward policy check'. What is the MOST likely cause?

196

What is the purpose of a schedule object in a firewall policy?

197

An admin needs to configure NAT so that internal users (10.0.0.0/24) accessing the internet (any destination) are translated using an IP pool (203.0.113.10-203.0.113.20) with overload. The admin also needs to ensure that traffic from a specific server (10.0.0.100) always uses a fixed source port range (10000-20000) when translated. Which TWO configuration steps are required? (Choose two.)

198

An admin troubleshoots an issue where internal users cannot access an internal server using its public IP address. The server is published via a VIP. The admin has already verified that the firewall policy allows traffic from internal to the VIP. Which THREE checks should the admin perform to resolve the issue? (Choose three.)

199

A FortiGate has two firewall policies for HTTP traffic to the internet: Policy A (source: 10.0.1.0/24) and Policy B (source: 10.0.2.0/24). Both policies have the same destination and service. The admin wants to apply a traffic shaper to limit bandwidth for Policy B. Which TWO actions are correct? (Choose two.)

200

A FortiGate admin configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to the internet. Users report that they cannot access web pages. The admin runs 'diagnose debug flow' and sees packets hitting the policy but being dropped. What is the MOST likely cause?

201

Which of the following best describes the policy lookup order on a FortiGate firewall?

202

An admin configures a Central SNAT rule to translate internal 192.168.1.0/24 to 203.0.113.10 when accessing the internet. However, traffic from 192.168.1.100 to 8.8.8.8 shows source IP 192.168.1.100 in logs. What is the MOST likely cause?

203

When creating a firewall policy, an admin wants to ensure that traffic from a specific user group is allowed only during business hours (Monday to Friday, 09:00-18:00). Which object type must be configured and applied to the policy?

204

An admin configures a VIP to map public IP 203.0.113.10:80 to internal server 10.0.0.10:8080. Users on the internet can reach the server. However, internal users trying to access the public IP from inside the network fail. What is the MOST likely reason?

205

An admin wants to block traffic from a specific geographic region (e.g., North Korea) from reaching the FortiGate's external interface. Which address object type should be used in the firewall policy?

206

Which statement about the implicit deny policy on a FortiGate is true?

207

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from subnet 10.0.0.0/24 through port1 and 10.0.1.0/24 through port2. However, traffic from 10.0.0.0/24 is still using port2. The PBR rule appears correctly configured. What is the MOST likely issue?

208

An admin needs to translate the source IP of traffic from multiple internal hosts to a single public IP when accessing the internet, while keeping track of each session. Which NAT method should be used?

209

You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate?

210

An admin wants to ensure that VoIP traffic (UDP ports 5060-5061) from the internal network to the internet is prioritized over other traffic when the WAN link is congested. Which feature should be configured on the firewall policy?

211

A FortiGate admin configures an IP pool with type 'Fixed Port Range' to translate source IPs from 192.168.1.0/24 to 203.0.113.0/28 using port range 10000-20000. After applying the IP pool to a policy, some users cannot establish connections while others work. What is the MOST likely cause?

212

A network admin needs to configure a FortiGate to allow remote VPN users (IPsec VPN) to access a web server in the DMZ. The VPN users are assigned IPs from 10.10.10.0/24. The web server is at 192.168.2.10:80. Which TWO objects must be created to define the traffic for the firewall policy? (Choose two.)

213

An admin is troubleshooting why traffic from VLAN 10 to the internet is not being translated by a Central SNAT rule. The Central SNAT rule is configured with source interface 'port2.10', destination interface 'wan1', source address '192.168.10.0/24', and IP pool 'pool1'. The firewall policy for internet access has NAT enabled but no IP pool attached. Which THREE steps should the admin take to resolve the issue? (Choose three.)

214

An admin needs to create a firewall policy that allows SMTP traffic (TCP/25) from the internal network (10.0.0.0/24) to a mail server in the DMZ (172.16.1.10). Additionally, the admin wants to ensure that the mail server can only be accessed by the internal network, not from the internet. Which THREE settings must be configured in the firewall policy? (Choose three.)

215

A FortiGate administrator wants to ensure that traffic from the internal network to the internet is translated to a single public IP address. Which NAT method should be used?

216

A network admin has configured a firewall policy allowing traffic from the 'internal' zone to the 'external' zone. The policy uses a service object 'HTTP' (TCP/80). Users report they can access HTTP websites but not HTTPS. The admin confirms no other policies block HTTPS. What is the most likely cause?

217

You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?

218

An administrator needs to allow FTP traffic from the internal network to a specific server on the internet. The FTP server uses passive mode. Which service object should be used in the firewall policy to ensure proper operation?

219

A FortiGate has multiple firewall policies. Policy ID 1 allows HTTP from LAN to WAN. Policy ID 2 allows all traffic from DMZ to WAN. A packet arrives from the DMZ interface destined to a web server on the internet using HTTPS. Which policy is matched?

220

An administrator is configuring a VIP to map a public IP to an internal server. The server hosts both HTTP and HTTPS services. The admin creates a VIP with port forwarding for port 80 to internal port 80, and another VIP for port 443 to internal port 443. Both VIPs use the same public IP. Users can access HTTP but not HTTPS. What is the most likely issue?

221

Which of the following is a characteristic of policy-based NAT on a FortiGate?

222

An administrator is troubleshooting a connectivity issue where users in the 10.0.0.0/24 subnet cannot access the internet. The FortiGate has the following policies (in order):
1: allow 10.0.0.0/24 -> any, service: HTTP, HTTPS
2: deny any -> any, service: all
Users can browse HTTP but not HTTPS. Which TWO actions would resolve the issue?

223

An administrator needs to allow internal users to access a public web server using the server's private IP address, while external users access it via a public IP. Which TWO components are required?

224

A FortiGate is configured with policy-based NAT and multiple IP pools. The administrator wants traffic from the 192.168.1.0/24 subnet to use IP pool 'POOL1' (203.0.113.1-203.0.113.10) and traffic from 192.168.2.0/24 to use IP pool 'POOL2' (203.0.113.11-203.0.113.20). Which THREE steps are necessary?

225

Which TWO statements about firewall policy order are true?

226

An administrator is configuring traffic shaping on a firewall policy to limit bandwidth for YouTube. Which THREE components are required?

227

An administrator needs to block access to a specific website using FQDN address objects. Which TWO steps are necessary?

228

A FortiGate has a policy that matches traffic from LAN to WAN with NAT enabled and an IP pool. The pool contains IPs 203.0.113.1 to 203.0.113.5. The administrator notices that all traffic appears to come from 203.0.113.1. Which THREE reasons could explain this?

229

An administrator wants to apply policy-based routing (PBR) to route traffic from a specific subnet through a different ISP. Which TWO elements must be configured?

230

A FortiGate administrator has configured a firewall policy allowing HTTP traffic from the internal network (10.0.1.0/24) to the DMZ server (192.168.1.10). The policy is placed after a deny-all policy that blocks traffic from internal to DMZ. Even though the allow policy is more specific, traffic is still being denied. What is the most likely cause?

231

An administrator configures Central SNAT for traffic going from internal network (10.0.0.0/8) to the internet. The rule uses an IP Pool with overload (PAT) and the pool address is 203.0.113.10. However, traffic from 10.0.0.10 to a public server is not being NATed; the source IP remains 10.0.0.10. The firewall policy allows the traffic. What is the most likely cause?

232

A FortiGate administrator needs to allow all internal users (10.0.0.0/8) to access a web server in the DMZ (192.168.1.100) using HTTPS. The administrator wants to apply a web filter profile to block malicious URLs while allowing legitimate traffic. Which of the following is the correct policy configuration?

233

You run 'diagnose sys session filter dport 443' and see the following output:
proto=6 proto_state=01 duration=3600 expire=3599
What does this indicate about the session?

234

A FortiGate administrator is configuring a firewall policy to allow inbound HTTPS traffic from the internet to an internal web server. The web server has a private IP address 10.0.0.10. The administrator wants to translate the destination IP to the internal server using a Virtual IP (VIP). Which TWO of the following must be configured for the VIP to work correctly? (Choose two.)

235

An administrator is troubleshooting why traffic from a specific VLAN (192.168.10.0/24) to the internet is not being NATed correctly. The firewall policy allows the traffic with NAT enabled and uses an IP Pool (overload) for the source translation. The IP Pool is configured with the address 203.0.113.10. However, the traffic still shows the original source IP. Which THREE of the following could cause this issue? (Choose three.)

236

A FortiGate administrator needs to block all traffic from a specific IP address (10.0.0.100) to the internet, but allow all other internal users. The administrator has created a firewall policy with source=10.0.0.100, destination=all, service=all, action=DENY, and placed it at the top of the policy list. Which TWO additional steps should the administrator take to ensure the block is effective? (Choose two.)

237

An administrator is configuring policy-based routing (PBR) on a FortiGate to route traffic from a specific subnet (172.16.1.0/24) through a different internet connection (wan2) instead of the default route via wan1. The administrator has created a PBR rule matching source 172.16.1.0/24 and set the gateway to the next-hop IP on wan2. The traffic is still using wan1. Which THREE of the following could be causing the issue? (Choose three.)

Frequently asked questions

What does the Firewall Policies and NAT domain cover on the NSE4 exam?

The Firewall Policies and NAT domain covers the key concepts tested in this area of the NSE4 exam blueprint published by Fortinet. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all NSE4 domains — no account required.

How many Firewall Policies and NAT questions are in the NSE4 question bank?

The Courseiva NSE4 question bank contains 237 questions in the Firewall Policies and NAT domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Firewall Policies and NAT for NSE4?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Firewall Policies and NAT questions for NSE4?

Yes — the session launcher on this page draws questions exclusively from the Firewall Policies and NAT domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
