Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsNSE4DomainsSystem and Network Administration
NSE4Free — No Signup

System and Network Administration

Practice NSE4 System and Network Administration questions with full explanations on every answer.

200questions

Start practicing

System and Network Administration — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

NSE4 Domains

System and Network AdministrationFirewall Policies and NATAuthentication and VPNSecurity ProfilesHigh Availability and Diagnostics

Practice System and Network Administration questions

10Q20Q30Q50Q

All NSE4 System and Network Administration questions (200)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?

2

A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?

3

An administrator needs to back up the FortiGate configuration to a TFTP server at 10.0.0.10. Which command should be used?

4

Refer to the exhibit. An administrator wants to enable SNMP access on the wan1 interface. Which of the following is the most efficient method?

5

Which TWO of the following are valid methods to upgrade the FortiGate firmware? (Choose two.)

6

An administrator is troubleshooting a FortiGate that is not passing traffic. The policy allows traffic, but the session table shows no sessions. Which THREE steps should the administrator take to diagnose the issue? (Choose three.)

7

A FortiGate is configured with two ISPs (WAN1 and WAN2) and uses SD-WAN for load balancing. The administrator notices that traffic to a critical SaaS application is being sent over the slower link. What should the administrator do to ensure this traffic uses the faster link?

8

What is the default administrative account on a FortiGate?

9

An administrator needs to configure a FortiGate to send logs to two different syslog servers for redundancy. Which configuration method should be used?

10

Refer to the exhibit. The administrator notices that traffic from internal to wan1 is being logged, but the logs do not show the original source IP. What is the most likely reason?

11

Which TWO of the following are prerequisites for configuring a high availability (HA) cluster on FortiGate? (Choose two.)

12

Which THREE statements about FortiGate's 'config system global' settings are true? (Choose three.)

13

A company has a FortiGate 200F with FortiOS 7.2 and two ISPs (WAN1: 100 Mbps, WAN2: 50 Mbps). The company uses SD-WAN to load balance outbound internet traffic. Recently, the company added a new VoIP application that requires low latency and jitter. The administrator configured an SD-WAN rule to match the VoIP traffic and set the strategy to 'best quality' with a performance SLA measuring latency and jitter. However, after testing, the VoIP traffic is still using WAN2 (the slower link) even when WAN1 has lower latency. The performance SLA shows both links meeting the SLA thresholds. What is the most likely reason?

14

A large enterprise is deploying a FortiGate 600F as the perimeter firewall. The security team requires that all administrative access (SSH, HTTPS, and Ping) to the FortiGate must be restricted to a dedicated management network (10.10.10.0/24). Additionally, any failed login attempt from outside the management network should be logged and the source IP should be blocked for 30 minutes. The administrator has configured a local-in policy to deny all administrative access from non-management networks and enabled logging. However, the administrator wants to automatically block the offending IPs. The FortiGate is not connected to any FortiAnalyzer or FortiManager. What should the administrator do to achieve this?

15

Which command is used to display the current FortiGate firmware version?

16

A company is deploying a FortiGate HA cluster in active-passive mode across two data centers. The network team reports that after a failover, some existing TCP sessions are dropped. Which configuration change should be applied to maintain session persistence during failover?

17

A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?

18

An administrator needs to configure a FortiGate to allow web traffic from the internal network to the Internet. The internal network is 192.168.1.0/24 and the WAN interface is port1 with IP 203.0.113.1. Which firewall policy is correct?

19

A FortiGate administrator notices that the device's disk usage is critically high, causing logging failures. The administrator wants to free up space without losing important logs. Which action should be taken first?

20

Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?

21

Which TWO configuration changes can reduce the risk of unauthorized administrative access to a FortiGate?

22

Which THREE configuration steps are required to enable transparent proxy mode on a FortiGate?

23

A medium-sized enterprise has a FortiGate 100F in NAT/Route mode with three interfaces: port1 (WAN, 203.0.113.1/24, gateway 203.0.113.254), port2 (internal, 192.168.1.1/24), and port3 (DMZ, 10.0.0.1/24). The internal network hosts a web server at 192.168.1.10 and a mail server at 192.168.1.20. The DMZ hosts a public web server at 10.0.0.10 and a public DNS server at 10.0.0.20. The company has a single public IP 203.0.113.1. The administrator has configured the following: - Port forwarding: external HTTP to DMZ web server (10.0.0.10:80) and external DNS to DMZ DNS server (10.0.0.20:53). - Outbound NAT (IP Pool) for internal users to 203.0.113.1. - Firewall policies allowing internal to external, DMZ to external, and external to DMZ (for forwarded services). Users report that they can access the Internet but cannot reach the internal web server (192.168.1.10) via its public IP (203.0.113.1:80). The DMZ web server is accessible from the Internet. What is the most likely cause?

24

Drag and drop the steps to configure a static route on a FortiGate firewall into the correct order.

25

Drag and drop the steps to troubleshoot a user unable to access the internet through FortiGate into the correct order.

26

Match each Fortinet security feature to its primary function.

27

Match each FortiGate security profile component to its purpose.

28

A network administrator needs to configure a FortiGate to allow HTTPS access to the GUI from the internal network. Which two steps must be performed?

29

An administrator runs 'diagnose sniffer packet any "host 10.0.1.100" 4' and sees packets being sent but no response. The FortiGate has a static route for 10.0.1.0/24 via 192.168.1.1. The administrator checks the routing table and sees the route is present. What is the most likely cause of no response?

30

A FortiGate is configured in transparent mode. The administrator notices that traffic passing through the FortiGate is not being logged, even though log all sessions is enabled on the policy. What is the most likely reason?

31

An administrator wants to aggregate two physical interfaces (port1 and port2) on a FortiGate to increase bandwidth and provide redundancy. Which interface type should be created?

32

An administrator needs to back up the FortiGate configuration to a remote server using SCP. Which command is correct?

33

A FortiGate is configured with two equal-cost static routes to the same destination network (0.0.0.0/0) via two different ISPs. The administrator wants to use both links simultaneously for load balancing. What must be enabled?

34

During a firmware upgrade, the FortiGate reboots and the administrator cannot access the GUI via HTTPS. The CLI shows the system is running the previous firmware. What is the most likely cause?

35

An administrator configures SNMP on a FortiGate to monitor CPU and memory usage. After applying the configuration, the NMS cannot reach the FortiGate via SNMP. The FortiGate's interface has SNMP access enabled. What is the most likely missing configuration?

36

A FortiGate is configured in NAT/Route mode. Which statement is correct about this mode?

37

An administrator attempts to configure a policy route to route specific traffic from an internal subnet (10.1.1.0/24) to the internet via a different ISP. The policy route is created but traffic is still using the default route. What is the most likely cause?

38

A FortiGate administrator wants to synchronize the system time with an external NTP server. Which CLI command should be used to configure the NTP server?

39

An administrator needs to integrate a FortiGate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection refused' for FortiAnalyzer. What is the most likely cause?

40

An administrator is configuring a FortiGate HA cluster in active-passive mode. Which two statements are correct about this configuration?

41

A FortiGate administrator is troubleshooting a VPN tunnel that is not coming up. The phase 1 parameters match on both sides. Which three configuration items should the administrator verify?

42

An administrator is configuring a FortiGate to use FortiManager for centralized management. Which three steps are required?

43

A network administrator needs to configure a FortiGate to participate in SNMP monitoring. Which CLI command enables SNMP agent on the FortiGate?

44

A FortiGate is configured with two equal-cost static default routes via two ISPs. The administrator wants to use both links simultaneously for outbound traffic, distributing sessions per source-destination pair. Which ECMP load balancing method should be configured under config system settings?

45

An administrator is configuring a FortiGate in a transparent mode. Which of the following features is NOT available in transparent mode?

46

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

47

What is the purpose of configuring an aggregate interface on a FortiGate?

48

A FortiGate administrator needs to allow remote management from the internet only from a specific IP address. Which configuration achieves this?

49

An administrator plans to upgrade FortiGate firmware from version 6.0 to 7.2. The current version is 6.0.10. Which upgrade path is correct?

50

Which command is used to back up the FortiGate configuration to a TFTP server?

51

A FortiGate is set to NAT/Route mode. The admin wants traffic from internal users to the internet to use an IP address on the WAN interface for source NAT. Which configuration is required?

52

You notice that the FortiGate HA cluster is not failing over when the primary unit loses power. The HA configuration shows 'set ha-priority 250' on the primary and 'set ha-priority 200' on the secondary. What is the most likely cause?

53

An administrator configures a policy route to send all traffic from a specific subnet to a different next-hop. However, traffic from that subnet is still using the default route. Which configuration could be causing this?

54

Which of the following is required to allow a FortiGate to synchronize its clock with an NTP server?

55

An administrator needs to configure a FortiGate to send logs to a FortiAnalyzer. Which two configurations are required? (Choose two.)

56

An administrator is configuring a FortiGate HA cluster in active-passive mode with two units. Which three conditions must be met for failover to occur? (Choose three.)

57

A FortiGate admin needs to create a loopback interface for management purposes. Which two statements about loopback interfaces are correct? (Choose two.)

58

A network administrator is configuring a new FortiGate and needs to ensure that all traffic from the internal network to the internet is source NATed to the public IP address on port1. The default route points to port1. Which configuration step is required to achieve this?

59

An administrator is configuring a VLAN interface on a FortiGate. The physical interface is port2 and the VLAN ID is 100. Which of the following correctly creates the VLAN interface?

60

You run the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and see this output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

61

An administrator needs to upgrade the firmware on a FortiGate from version 6.4.10 to 7.0.1. The device currently runs FortiOS 6.4.10. Which upgrade path should be followed?

62

Which FortiGate operating mode allows the device to act as a transparent layer 2 bridge, forwarding traffic without performing NAT or routing?

63

A FortiGate in an HA active-passive cluster is experiencing frequent failovers. The administrator checks the HA statistics and sees that the primary unit's heartbeat interface has a high error rate. What is the most likely cause?

64

An administrator needs to allow SSH access to the FortiGate's management interface from a specific management subnet (10.0.1.0/24). Which configuration achieves this?

65

What is the purpose of configuring a loopback interface on a FortiGate?

66

An administrator is troubleshooting a connectivity issue. A ping from the FortiGate to 8.8.8.8 succeeds, but traffic from internal hosts to the internet is failing. The firewall policy allows the traffic. What is the most likely cause?

67

A FortiGate is configured with two WAN links (port1 and port2) and uses ECMP routing. The administrator wants to ensure that traffic from a specific internal subnet (192.168.10.0/24) always uses port1, while all other traffic uses ECMP. Which configuration should be applied?

68

An administrator wants to send FortiGate logs to a FortiAnalyzer for centralized logging and reporting. Which configuration step is required on the FortiGate?

69

Which of the following statements about FortiGate backup is true?

70

A FortiGate administrator needs to configure NTP to ensure accurate time on the device. Which two steps are required? (Choose two.)

71

An administrator is configuring a FortiGate in transparent mode and needs to forward traffic between two VLANs. Which three configurations are required? (Choose three.)

72

An administrator is setting up SNMP monitoring on a FortiGate. Which two configurations are necessary for a basic SNMP setup? (Choose two.)

73

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

74

An admin runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

75

What is the primary purpose of configuring a loopback interface on a FortiGate?

76

An admin configures an aggregate interface on a FortiGate using two physical ports. After configuration, the admin notices that traffic is not load-balancing evenly. What is the MOST likely cause?

77

A FortiGate in NAT/Route mode has a policy with NAT enabled. The admin needs the source IP of traffic from internal users (192.168.1.0/24) to be translated to the interface IP of port1 (203.0.113.1) when accessing the internet. Which configuration is necessary?

78

Which command is used to back up the full FortiGate configuration including all settings and objects?

79

An admin configures two static routes to the same destination with different distances. The route with distance 10 points to ISP1, and the route with distance 20 points to ISP2. The admin wants to use ISP2 only if ISP1 fails. What is the expected behavior?

80

A FortiGate is operating in transparent mode. The admin needs to allow HTTP traffic from users to a web server. Which type of firewall policy is required?

81

During a firmware upgrade, the admin uploads the image via the GUI and clicks 'Upgrade'. The FortiGate reboots but comes up with the old firmware. What is the MOST likely cause?

82

Which CLI command is used to configure NTP on a FortiGate?

83

An admin wants to monitor CPU and memory usage on a FortiGate using SNMP. Which configuration is required?

84

A FortiGate is configured in an HA active-passive cluster. The primary unit fails. After the secondary takes over, a policy route configured on the primary is not working. What is the MOST likely reason?

85

An admin needs to configure a FortiGate to send logs to a FortiAnalyzer. Which TWO steps must be performed? (Choose two.)

86

An admin wants to ensure that traffic between two internal subnets (10.0.1.0/24 and 10.0.2.0/24) is inspected by the FortiGate but does not have its source IP translated. Which THREE configuration elements are required? (Choose three.)

87

An admin is configuring ECMP (Equal Cost Multi-Path) on a FortiGate with two ISPs. Which TWO conditions must be met for ECMP to load balance traffic across both links? (Choose two.)

88

A network administrator notices that after configuring a new static route on a FortiGate, traffic to a remote subnet is still being forwarded via the default route. The administrator confirms the static route is present in the routing table with a lower distance than the default route. What is the MOST likely cause?

89

An administrator needs to configure a FortiGate to allow remote management via HTTPS from the internet. Which configuration step is required?

90

You run the following command on a FortiGate: ``` diagnose sys session filter dport 443 diagnose sys session list ``` The output shows: ``` proto=6 proto_state=01 duration=3600 expire=3599 ``` What does this indicate?

91

An administrator configures a FortiGate in transparent mode to be deployed between a router and a switch. After installation, traffic passes through but the administrator cannot access the FortiGate's management IP from the management network. What is the MOST likely reason?

92

A FortiGate administrator needs to upgrade the firmware from FortiOS 6.4 to 7.0. The administrator downloads the upgrade image but when uploading via the GUI, the FortiGate reboots and comes back with the same firmware version. What is the most likely cause?

93

An administrator wants to ensure that traffic to a specific web server always exits through a particular ISP link, regardless of route changes. Which feature should be configured?

94

A FortiGate is configured with two WAN interfaces in an active-passive HA cluster. The administrator notices that the passive unit is not synchronizing configuration changes from the active unit. What is the MOST likely cause?

95

An administrator configures a VLAN interface on a FortiGate trunk port. The VLAN is allowed on the trunk, but the FortiGate cannot ping the default gateway of that VLAN. Which two items must be verified? (Choose two.)

96

An administrator needs to back up the FortiGate configuration to a remote server. Which protocol is supported for backup?

97

A FortiGate administrator configures SNMPv2c on the FortiGate to send traps to a monitoring server. However, no traps are received. The monitoring server can ping the FortiGate. What is the MOST likely cause?

98

An administrator configures a FortiGate to use NTP for time synchronization. After configuration, the FortiGate still shows the wrong time. Which command should the administrator run to verify NTP status?

99

A FortiGate is configured with multiple WAN interfaces and ECMP routing. The administrator notices that traffic to a particular destination is intermittently failing. What is the MOST likely cause?

100

An administrator needs to integrate a FortiGate with FortiManager for centralized management. Which two steps are required? (Choose two.)

101

An administrator is configuring a loopback interface on a FortiGate for management purposes. Which three statements are true about loopback interfaces? (Choose three.)

102

An administrator needs to configure DNS on a FortiGate so that internal hosts can resolve external domain names. Which two settings are required? (Choose two.)

103

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

104

A network administrator needs to allow SSH access to the FortiGate from a management subnet 10.0.1.0/24. Which configuration step is required on the interface connected to that subnet?

105

A FortiGate has been configured with two WAN interfaces (wan1, wan2) in an SD-WAN zone. The administrator wants to ensure that traffic for a specific internal server uses only wan1. What is the most appropriate method?

106

An administrator configures two FortiGate units in an active-passive HA cluster. After a failover, some existing TCP sessions are dropped. What is the most likely reason for this behavior?

107

A FortiGate administrator needs to upgrade the firmware from 7.0.5 to 7.2.0. The current firmware is 7.0.5. What is the recommended upgrade path?

108

You run 'get system performance status' and see CPU usage at 95% with high context switch rate. The FortiGate is not passing any traffic. What is the most likely cause?

109

An administrator creates a firewall policy to allow internal users to access the internet. The source interface is 'internal', destination interface is 'wan1', and NAT is enabled. Users complain that they cannot access external resources. The administrator verifies that the default route points to the ISP gateway. What is the most likely missing configuration?

110

A FortiGate administrator wants to send logs to a FortiAnalyzer. The FortiAnalyzer IP is 192.168.1.100, and logging is configured under Log & Report. However, no logs are being received. Which command should the administrator use on the FortiGate to verify connectivity to the FortiAnalyzer?

111

An organization has two FortiGate units in an HA cluster. They need to perform a firmware upgrade on the primary unit without causing a failover. Which procedure should be followed?

112

A FortiGate is configured with two equal-cost default routes to different ISPs. The administrator notices that traffic for a specific destination is load-balanced across both links as expected. However, they want all traffic from a specific source IP to use only ISP1, while other traffic remains load-balanced. Which configuration should be applied?

113

After upgrading FortiGate firmware, the administrator notices that the 'config router static' command now shows a new keyword 'distance' instead of 'weight'. The upgrade also changed the ECMP load-balancing behavior. What was the likely change in the ECMP algorithm?

114

A FortiGate is configured in transparent mode. Which of the following statements is true?

115

A FortiGate administrator needs to allow SNMP monitoring from a management station at 10.10.10.50. Which TWO configuration steps are required? (Choose two.)

116

A FortiGate in NAT/Route mode has multiple internal networks. The administrator wants to configure a loopback interface for management access. Which THREE statements about loopback interfaces are correct? (Choose three.)

117

You are troubleshooting a FortiGate HA cluster that is not failing over correctly. The cluster has two units in active-passive mode. You check the HA status and see both units are in 'standalone' mode. Which THREE configurations could cause this? (Choose three.)

118

A network administrator configures a new FortiGate as the default gateway for a subnet. The FortiGate has two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to load-balance outbound traffic across both links. Which configuration method will achieve this goal?

119

A FortiGate administrator is setting up a new FortiGate in a network that requires the firewall to bridge traffic between two subnets without routing. Which operating mode should the administrator select?

120

An administrator configures an HA cluster of two FortiGates in active-passive mode. The cluster is synchronized, but after a failover, some existing TCP sessions are dropped. What is the most likely cause?

121

You run the following CLI command on a FortiGate: diagnose sys session filter dport 443 diagnose sys session list And you see the output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

122

A FortiGate administrator needs to allow remote management of a FortiGate from the internet. Which administrative access protocols should be enabled on the WAN interface? (Choose the best single answer.)

123

An administrator configures a policy route to force traffic from a specific source subnet to use a particular WAN interface. After applying the configuration, the traffic still uses the default route. What is the most likely cause?

124

A FortiGate administrator is upgrading firmware from version 6.0 to 7.0. The upgrade path requires multiple steps. Which of the following is the recommended method to ensure a successful upgrade?

125

A FortiGate is configured with an aggregate interface (link aggregation group) consisting of two physical ports. The administrator notices that traffic is not being distributed evenly across the two links. Which configuration setting should be verified to improve load balancing?

126

An administrator needs to back up the full configuration of a FortiGate, including all system settings, policies, and objects. Which CLI command should be used?

127

A FortiGate administrator wants to integrate the FortiGate with a FortiAnalyzer for centralized logging. Which configuration step is required on the FortiGate?

128

An administrator configures a VLAN interface on a FortiGate's physical port with the IP 192.168.10.1/24. The VLAN ID is 10. The administrator connects a switch port configured as an access port (untagged) in VLAN 10. The devices on the switch cannot ping the FortiGate's VLAN interface. What is the most likely cause?

129

A FortiGate administrator needs to ensure that all DNS queries from internal clients are forwarded to a specific DNS server for security filtering. Which configuration should be applied?

130

A FortiGate is configured in an HA cluster with two units. The cluster is working, but the administrator wants to ensure that configuration changes made on the primary unit are automatically synchronized to the secondary unit. Which two conditions must be met? (Choose TWO.)

131

A network administrator is configuring SNMP on a FortiGate for monitoring. Which three pieces of information are required to complete the SNMPv2c configuration? (Choose THREE.)

132

An administrator wants to use FortiManager to manage multiple FortiGates. Which three steps must be performed to establish communication between a FortiGate and FortiManager? (Choose THREE.)

133

A network administrator is configuring a FortiGate for the first time and needs to enable administrative access via HTTPS from the internal network. Which configuration step is required?

134

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

135

A FortiGate configured in NAT/Route mode is connected to the internet via port1 with an IP 10.0.0.1/24. The internal network uses 192.168.1.0/24. Users can browse the internet but cannot reach a public server at 203.0.113.5. A static default route exists. What is the most likely cause?

136

An administrator wants to upgrade the FortiGate firmware from version 6.4.9 to 7.0.1. What is the most important consideration before proceeding?

137

Which FortiGate operating mode is used when the device acts as a Layer 2 bridge without performing NAT?

138

An administrator notices that traffic to a particular subnet is being load-balanced across two WAN links, but they want all traffic to that subnet to use a single link. Which feature should be configured?

139

A FortiGate administrator needs to allow SSH management access from a specific IP address 10.0.0.100. Which configuration is required?

140

An administrator wants to synchronize the FortiGate's time with a reliable NTP server. After configuring the NTP server, they notice the time is still incorrect. What could be the issue?

141

A FortiGate has two internet connections: port1 (ISP1) and port2 (ISP2). An administrator configures two static default routes with equal distance and priority. Traffic to a specific public IP is observed going out port1, but the admin wants it to go out port2. What should be configured?

142

An administrator wants to back up the FortiGate configuration to a remote FTP server. Which command should be used?

143

A FortiGate is configured with two WAN interfaces in an SD-WAN zone. The administrator wants to ensure voice traffic uses the interface with the lowest latency. Which SD-WAN configuration should be used?

144

Which protocol does FortiGate use to synchronize sessions between HA cluster members?

145

An administrator is configuring a FortiGate to send logs to a FortiAnalyzer. Which TWO of the following are required? (Choose two.)

146

A FortiGate administrator is planning an upgrade from FortiOS 6.4 to 7.2. Which THREE steps should be performed before the upgrade? (Choose three.)

147

An administrator wants to configure HA on two FortiGate units. Which TWO of the following must match on both units for the cluster to form? (Choose two.)

148

A FortiGate administrator needs to configure a static route to reach a remote network 192.168.100.0/24 via next-hop 10.0.0.1. Which CLI command should be used?

149

An administrator wants to allow management access to a FortiGate from a specific subnet 10.10.10.0/24 via HTTPS. Which configuration achieves this?

150

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

151

An administrator configures a FortiGate in transparent mode. Which of the following is correct regarding transparent mode operation?

152

Which of the following is the correct way to upgrade the firmware on a FortiGate from the CLI?

153

An administrator wants to configure SNMP on a FortiGate to allow a monitoring server 192.168.1.100 to poll read-only information. Which set of commands is correct?

154

A FortiGate has two WAN interfaces (wan1, wan2) configured with ECMP routes to the same destination. The administrator notices that traffic for a single session is being load-balanced across both links, causing performance issues. What should be configured to ensure sessions stick to one link?

155

An administrator wants to back up the FortiGate configuration to a TFTP server at 10.10.10.10. Which CLI command should be used?

156

What is the purpose of configuring an NTP server on a FortiGate?

157

An administrator needs to ensure that all traffic from the internal network to the internet goes through a web proxy for content filtering. Which configuration is required on the FortiGate?

158

A FortiGate in HA active-passive cluster is experiencing failover events. The administrator runs 'get system ha status' and sees that the 'sync status' is 'out of sync'. What is the most likely cause?

159

An administrator configures a policy route to send all traffic from subnet 172.16.1.0/24 to a specific next-hop 10.0.0.2. However, the traffic is still using the default route. What could be the reason?

160

An administrator is configuring a new FortiGate and wants to ensure it can be managed centrally via FortiManager. Which TWO steps are required?

161

A FortiGate is configured in active-active HA mode. An administrator notices that session failover is not working properly during a failover event. Which THREE configurations should be checked?

162

An administrator wants to integrate FortiGate with FortiAnalyzer for logging. Which TWO steps are necessary?

163

A network administrator needs to configure a FortiGate to allow administrative access from a specific management subnet only. Which configuration step should be taken?

164

A FortiGate is configured with two WAN interfaces (port1 and port2) connected to different ISPs. The administrator wants to load-balance outbound traffic across both links using equal-cost routes. Which routing configuration should be applied?

165

An administrator runs the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and sees output indicating sessions with proto_state=01 and duration=3600. What does this indicate about the sessions?

166

A FortiGate is operating in transparent mode. The administrator needs to configure a new VLAN interface for segmenting traffic. Which statement about VLAN interfaces in transparent mode is correct?

167

An administrator wants to upgrade the FortiOS firmware on a FortiGate. Which step is critical before starting the upgrade process?

168

A FortiGate administrator needs to integrate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection status: disconnected'. What is the most likely cause?

169

An administrator configures a FortiGate HA cluster with two units in active-passive mode. After setup, the secondary unit shows 'standby' status but traffic is not failing over when the primary is shut down. What is the most likely cause?

170

A FortiGate needs to resolve DNS names for outbound traffic. The administrator configures DNS servers under System > DNS. However, internal DNS queries for private domains fail. What additional configuration is required?

171

An administrator needs to configure a loopback interface on a FortiGate for management purposes. Which of the following is true regarding loopback interfaces?

172

A FortiGate administrator configures policy-based routing (PBR) to direct traffic from subnet 192.168.1.0/24 to the internet via ISP1. However, traffic from that subnet is still using the default route via ISP2. What is the most likely cause?

173

An administrator wants to configure SNMPv3 on a FortiGate for secure monitoring. Which configuration is required?

174

A FortiGate administrator needs to backup the configuration to a remote TFTP server. Which CLI command should be used?

175

A network administrator has two FortiGate units that need to be configured as an HA cluster. Which TWO of the following are prerequisites for HA formation?

176

A FortiGate administrator needs to configure a VLAN interface and an aggregate interface. Which THREE statements are correct regarding these interface types?

177

An administrator is troubleshooting why traffic from a specific source IP is not being matched by a policy route. Which THREE steps should the administrator take to diagnose the issue?

178

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

179

An administrator is configuring a new FortiGate and wants to allow management access from the internal network via HTTPS. The internal interface is port2 with IP 192.168.1.1/24. Which CLI command correctly enables HTTPS administrative access on port2?

180

After upgrading FortiGate firmware from 6.0 to 7.2, an administrator notices that a static route pointing to a next-hop IP 10.0.0.1 is no longer working. The route is present in the configuration but the FortiGate shows it as 'not active'. What is the MOST likely cause?

181

A FortiGate is deployed in NAT/Route mode. The administrator wants to create a policy that allows internal users to access the internet and also translates their private IP addresses to the public IP of the FortiGate's WAN interface. Which policy configuration is required?

182

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

183

A FortiGate administrator needs to configure a policy route to send all traffic destined to 10.10.10.0/24 out through interface port3 instead of the default route. Which configuration steps are necessary?

184

An administrator has configured two FortiGate units in an active-passive HA cluster. The primary unit fails. How does the secondary unit become active?

185

An administrator configures an aggregate interface (port1 and port2) on a FortiGate. After connecting the switch ports, the aggregate interface shows 'down'. The individual member ports are up. What is the MOST likely cause?

186

An administrator is troubleshooting a loss of connectivity between two sites connected via a VPN tunnel. The FortiGate logs show 'Tunnel: phase 1 negotiation failed'. Which two parameters MUST match on both peers for phase 1 to succeed? (Select two. Not all options are used.)

187

A FortiGate administrator wants to ensure that all firewall policies are backed up before performing a firmware upgrade. Which backup method preserves the configuration in a format that can be restored to the same or different FortiGate model?

188

An administrator needs to forward logs from a FortiGate to a FortiAnalyzer for centralized logging. The FortiAnalyzer IP is 10.10.10.10. Which configuration is required on the FortiGate?

189

An administrator is configuring ECMP (Equal-Cost Multi-Path) on a FortiGate. Which TWO conditions are required for ECMP to load balance traffic across multiple routes?

190

A FortiGate configured in transparent mode needs to allow HTTP traffic between two VLANs. The administrator has created a firewall policy. However, traffic is still blocked. Which TWO additional configurations are necessary for transparent mode operation?

191

An administrator wants to allow only HTTPS and SSH administrative access to the FortiGate from a specific management subnet 192.168.100.0/24. Which TWO steps must be taken on the FortiGate?

192

An administrator is planning a firmware upgrade from FortiOS 6.0 to 7.2. Which THREE steps should be performed before starting the upgrade process?

193

A network administrator has configured a static route on a FortiGate with a distance of 10 and a priority of 0. Later, they add another static route to the same destination with a distance of 15 and priority of 0. Which route will be used for traffic forwarding?

194

You are troubleshooting a FortiGate HA cluster (active-passive) and notice that after a failover, some existing TCP sessions are not being maintained. The hbdev heartbeat interfaces are configured correctly, and session synchronization is enabled. What is the MOST likely cause?

195

Which of the following FortiGate operating modes allows the firewall to act as a Layer 3 device, performing NAT and routing between interfaces?

196

An administrator configures a policy route to direct traffic from subnet 10.1.1.0/24 to the internet via ISP1 with a gateway of 203.0.113.1. However, traffic from that subnet is still using the default route via ISP2. What is the MOST likely cause?

197

You run the following diagnose command on a FortiGate and see the output: diagnose sys session filter dport 443 diagnose sys session list ... proto=6 proto_state=01 duration=3600 expire=3599 ... What does the 'proto_state=01' indicate?

198

A FortiGate administrator needs to configure a backup and restore strategy for the FortiGate configuration. Which TWO statements are correct regarding configuration backup and restore?

199

An administrator is configuring SNMP on a FortiGate for monitoring. Which THREE items are required for SNMPv3 configuration?

200

A FortiGate administrator is setting up a new FortiGate and needs to integrate it with FortiAnalyzer and FortiManager. Which THREE statements are correct regarding this integration?

Practice all 200 System and Network Administration questions

Other NSE4 exam domains

Firewall Policies and NATAuthentication and VPNSecurity ProfilesHigh Availability and Diagnostics

Frequently asked questions

What does the System and Network Administration domain cover on the NSE4 exam?

The System and Network Administration domain covers the key concepts tested in this area of the NSE4 exam blueprint published by Fortinet. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all NSE4 domains — no account required.

How many System and Network Administration questions are in the NSE4 question bank?

The Courseiva NSE4 question bank contains 200 questions in the System and Network Administration domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice System and Network Administration for NSE4?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only System and Network Administration questions for NSE4?

Yes — the session launcher on this page draws questions exclusively from the System and Network Administration domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your NSE4 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide