Practice NSE4 System and Network Administration questions with full explanations on every answer.
Start practicing
System and Network Administration — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?
2A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?
3An administrator needs to back up the FortiGate configuration to a TFTP server at 10.0.0.10. Which command should be used?
4Refer to the exhibit. An administrator wants to enable SNMP access on the wan1 interface. Which of the following is the most efficient method?
5Which TWO of the following are valid methods to upgrade the FortiGate firmware? (Choose two.)
6An administrator is troubleshooting a FortiGate that is not passing traffic. The policy allows traffic, but the session table shows no sessions. Which THREE steps should the administrator take to diagnose the issue? (Choose three.)
7A FortiGate is configured with two ISPs (WAN1 and WAN2) and uses SD-WAN for load balancing. The administrator notices that traffic to a critical SaaS application is being sent over the slower link. What should the administrator do to ensure this traffic uses the faster link?
8What is the default administrative account on a FortiGate?
9An administrator needs to configure a FortiGate to send logs to two different syslog servers for redundancy. Which configuration method should be used?
10Refer to the exhibit. The administrator notices that traffic from internal to wan1 is being logged, but the logs do not show the original source IP. What is the most likely reason?
11Which TWO of the following are prerequisites for configuring a high availability (HA) cluster on FortiGate? (Choose two.)
12Which THREE statements about FortiGate's 'config system global' settings are true? (Choose three.)
13A company has a FortiGate 200F with FortiOS 7.2 and two ISPs (WAN1: 100 Mbps, WAN2: 50 Mbps). The company uses SD-WAN to load balance outbound internet traffic. Recently, the company added a new VoIP application that requires low latency and jitter. The administrator configured an SD-WAN rule to match the VoIP traffic and set the strategy to 'best quality' with a performance SLA measuring latency and jitter. However, after testing, the VoIP traffic is still using WAN2 (the slower link) even when WAN1 has lower latency. The performance SLA shows both links meeting the SLA thresholds. What is the most likely reason?
14A large enterprise is deploying a FortiGate 600F as the perimeter firewall. The security team requires that all administrative access (SSH, HTTPS, and Ping) to the FortiGate must be restricted to a dedicated management network (10.10.10.0/24). Additionally, any failed login attempt from outside the management network should be logged and the source IP should be blocked for 30 minutes. The administrator has configured a local-in policy to deny all administrative access from non-management networks and enabled logging. However, the administrator wants to automatically block the offending IPs. The FortiGate is not connected to any FortiAnalyzer or FortiManager. What should the administrator do to achieve this?
15Which command is used to display the current FortiGate firmware version?
16A company is deploying a FortiGate HA cluster in active-passive mode across two data centers. The network team reports that after a failover, some existing TCP sessions are dropped. Which configuration change should be applied to maintain session persistence during failover?
17A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?
18An administrator needs to configure a FortiGate to allow web traffic from the internal network to the Internet. The internal network is 192.168.1.0/24 and the WAN interface is port1 with IP 203.0.113.1. Which firewall policy is correct?
19A FortiGate administrator notices that the device's disk usage is critically high, causing logging failures. The administrator wants to free up space without losing important logs. Which action should be taken first?
20Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?
21Which TWO configuration changes can reduce the risk of unauthorized administrative access to a FortiGate?
22Which THREE configuration steps are required to enable transparent proxy mode on a FortiGate?
23A medium-sized enterprise has a FortiGate 100F in NAT/Route mode with three interfaces: port1 (WAN, 203.0.113.1/24, gateway 203.0.113.254), port2 (internal, 192.168.1.1/24), and port3 (DMZ, 10.0.0.1/24). The internal network hosts a web server at 192.168.1.10 and a mail server at 192.168.1.20. The DMZ hosts a public web server at 10.0.0.10 and a public DNS server at 10.0.0.20. The company has a single public IP 203.0.113.1. The administrator has configured the following: - Port forwarding: external HTTP to DMZ web server (10.0.0.10:80) and external DNS to DMZ DNS server (10.0.0.20:53). - Outbound NAT (IP Pool) for internal users to 203.0.113.1. - Firewall policies allowing internal to external, DMZ to external, and external to DMZ (for forwarded services). Users report that they can access the Internet but cannot reach the internal web server (192.168.1.10) via its public IP (203.0.113.1:80). The DMZ web server is accessible from the Internet. What is the most likely cause?
24Drag and drop the steps to configure a static route on a FortiGate firewall into the correct order.
25Drag and drop the steps to troubleshoot a user unable to access the internet through FortiGate into the correct order.
26Match each Fortinet security feature to its primary function.
27Match each FortiGate security profile component to its purpose.
28A network administrator needs to configure a FortiGate to allow HTTPS access to the GUI from the internal network. Which two steps must be performed?
29An administrator runs 'diagnose sniffer packet any "host 10.0.1.100" 4' and sees packets being sent but no response. The FortiGate has a static route for 10.0.1.0/24 via 192.168.1.1. The administrator checks the routing table and sees the route is present. What is the most likely cause of no response?
30A FortiGate is configured in transparent mode. The administrator notices that traffic passing through the FortiGate is not being logged, even though log all sessions is enabled on the policy. What is the most likely reason?
31An administrator wants to aggregate two physical interfaces (port1 and port2) on a FortiGate to increase bandwidth and provide redundancy. Which interface type should be created?
32An administrator needs to back up the FortiGate configuration to a remote server using SCP. Which command is correct?
33A FortiGate is configured with two equal-cost static routes to the same destination network (0.0.0.0/0) via two different ISPs. The administrator wants to use both links simultaneously for load balancing. What must be enabled?
34During a firmware upgrade, the FortiGate reboots and the administrator cannot access the GUI via HTTPS. The CLI shows the system is running the previous firmware. What is the most likely cause?
35An administrator configures SNMP on a FortiGate to monitor CPU and memory usage. After applying the configuration, the NMS cannot reach the FortiGate via SNMP. The FortiGate's interface has SNMP access enabled. What is the most likely missing configuration?
36A FortiGate is configured in NAT/Route mode. Which statement is correct about this mode?
37An administrator attempts to configure a policy route to route specific traffic from an internal subnet (10.1.1.0/24) to the internet via a different ISP. The policy route is created but traffic is still using the default route. What is the most likely cause?
38A FortiGate administrator wants to synchronize the system time with an external NTP server. Which CLI command should be used to configure the NTP server?
39An administrator needs to integrate a FortiGate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection refused' for FortiAnalyzer. What is the most likely cause?
40An administrator is configuring a FortiGate HA cluster in active-passive mode. Which two statements are correct about this configuration?
41A FortiGate administrator is troubleshooting a VPN tunnel that is not coming up. The phase 1 parameters match on both sides. Which three configuration items should the administrator verify?
42An administrator is configuring a FortiGate to use FortiManager for centralized management. Which three steps are required?
43A network administrator needs to configure a FortiGate to participate in SNMP monitoring. Which CLI command enables SNMP agent on the FortiGate?
44A FortiGate is configured with two equal-cost static default routes via two ISPs. The administrator wants to use both links simultaneously for outbound traffic, distributing sessions per source-destination pair. Which ECMP load balancing method should be configured under config system settings?
45An administrator is configuring a FortiGate in a transparent mode. Which of the following features is NOT available in transparent mode?
46You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?
47What is the purpose of configuring an aggregate interface on a FortiGate?
48A FortiGate administrator needs to allow remote management from the internet only from a specific IP address. Which configuration achieves this?
49An administrator plans to upgrade FortiGate firmware from version 6.0 to 7.2. The current version is 6.0.10. Which upgrade path is correct?
50Which command is used to back up the FortiGate configuration to a TFTP server?
51A FortiGate is set to NAT/Route mode. The admin wants traffic from internal users to the internet to use an IP address on the WAN interface for source NAT. Which configuration is required?
52You notice that the FortiGate HA cluster is not failing over when the primary unit loses power. The HA configuration shows 'set ha-priority 250' on the primary and 'set ha-priority 200' on the secondary. What is the most likely cause?
53An administrator configures a policy route to send all traffic from a specific subnet to a different next-hop. However, traffic from that subnet is still using the default route. Which configuration could be causing this?
54Which of the following is required to allow a FortiGate to synchronize its clock with an NTP server?
55An administrator needs to configure a FortiGate to send logs to a FortiAnalyzer. Which two configurations are required? (Choose two.)
56An administrator is configuring a FortiGate HA cluster in active-passive mode with two units. Which three conditions must be met for failover to occur? (Choose three.)
57A FortiGate admin needs to create a loopback interface for management purposes. Which two statements about loopback interfaces are correct? (Choose two.)
58A network administrator is configuring a new FortiGate and needs to ensure that all traffic from the internal network to the internet is source NATed to the public IP address on port1. The default route points to port1. Which configuration step is required to achieve this?
59An administrator is configuring a VLAN interface on a FortiGate. The physical interface is port2 and the VLAN ID is 100. Which of the following correctly creates the VLAN interface?
60You run the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and see this output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?
61An administrator needs to upgrade the firmware on a FortiGate from version 6.4.10 to 7.0.1. The device currently runs FortiOS 6.4.10. Which upgrade path should be followed?
62Which FortiGate operating mode allows the device to act as a transparent layer 2 bridge, forwarding traffic without performing NAT or routing?
63A FortiGate in an HA active-passive cluster is experiencing frequent failovers. The administrator checks the HA statistics and sees that the primary unit's heartbeat interface has a high error rate. What is the most likely cause?
64An administrator needs to allow SSH access to the FortiGate's management interface from a specific management subnet (10.0.1.0/24). Which configuration achieves this?
65What is the purpose of configuring a loopback interface on a FortiGate?
66An administrator is troubleshooting a connectivity issue. A ping from the FortiGate to 8.8.8.8 succeeds, but traffic from internal hosts to the internet is failing. The firewall policy allows the traffic. What is the most likely cause?
67A FortiGate is configured with two WAN links (port1 and port2) and uses ECMP routing. The administrator wants to ensure that traffic from a specific internal subnet (192.168.10.0/24) always uses port1, while all other traffic uses ECMP. Which configuration should be applied?
68An administrator wants to send FortiGate logs to a FortiAnalyzer for centralized logging and reporting. Which configuration step is required on the FortiGate?
69Which of the following statements about FortiGate backup is true?
70A FortiGate administrator needs to configure NTP to ensure accurate time on the device. Which two steps are required? (Choose two.)
71An administrator is configuring a FortiGate in transparent mode and needs to forward traffic between two VLANs. Which three configurations are required? (Choose three.)
72An administrator is setting up SNMP monitoring on a FortiGate. Which two configurations are necessary for a basic SNMP setup? (Choose two.)
73A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?
74An admin runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?
75What is the primary purpose of configuring a loopback interface on a FortiGate?
76An admin configures an aggregate interface on a FortiGate using two physical ports. After configuration, the admin notices that traffic is not load-balancing evenly. What is the MOST likely cause?
77A FortiGate in NAT/Route mode has a policy with NAT enabled. The admin needs the source IP of traffic from internal users (192.168.1.0/24) to be translated to the interface IP of port1 (203.0.113.1) when accessing the internet. Which configuration is necessary?
78Which command is used to back up the full FortiGate configuration including all settings and objects?
79An admin configures two static routes to the same destination with different distances. The route with distance 10 points to ISP1, and the route with distance 20 points to ISP2. The admin wants to use ISP2 only if ISP1 fails. What is the expected behavior?
80A FortiGate is operating in transparent mode. The admin needs to allow HTTP traffic from users to a web server. Which type of firewall policy is required?
81During a firmware upgrade, the admin uploads the image via the GUI and clicks 'Upgrade'. The FortiGate reboots but comes up with the old firmware. What is the MOST likely cause?
82Which CLI command is used to configure NTP on a FortiGate?
83An admin wants to monitor CPU and memory usage on a FortiGate using SNMP. Which configuration is required?
84A FortiGate is configured in an HA active-passive cluster. The primary unit fails. After the secondary takes over, a policy route configured on the primary is not working. What is the MOST likely reason?
85An admin needs to configure a FortiGate to send logs to a FortiAnalyzer. Which TWO steps must be performed? (Choose two.)
86An admin wants to ensure that traffic between two internal subnets (10.0.1.0/24 and 10.0.2.0/24) is inspected by the FortiGate but does not have its source IP translated. Which THREE configuration elements are required? (Choose three.)
87An admin is configuring ECMP (Equal Cost Multi-Path) on a FortiGate with two ISPs. Which TWO conditions must be met for ECMP to load balance traffic across both links? (Choose two.)
88A network administrator notices that after configuring a new static route on a FortiGate, traffic to a remote subnet is still being forwarded via the default route. The administrator confirms the static route is present in the routing table with a lower distance than the default route. What is the MOST likely cause?
89An administrator needs to configure a FortiGate to allow remote management via HTTPS from the internet. Which configuration step is required?
90You run the following command on a FortiGate: ``` diagnose sys session filter dport 443 diagnose sys session list ``` The output shows: ``` proto=6 proto_state=01 duration=3600 expire=3599 ``` What does this indicate?
91An administrator configures a FortiGate in transparent mode to be deployed between a router and a switch. After installation, traffic passes through but the administrator cannot access the FortiGate's management IP from the management network. What is the MOST likely reason?
92A FortiGate administrator needs to upgrade the firmware from FortiOS 6.4 to 7.0. The administrator downloads the upgrade image but when uploading via the GUI, the FortiGate reboots and comes back with the same firmware version. What is the most likely cause?
93An administrator wants to ensure that traffic to a specific web server always exits through a particular ISP link, regardless of route changes. Which feature should be configured?
94A FortiGate is configured with two WAN interfaces in an active-passive HA cluster. The administrator notices that the passive unit is not synchronizing configuration changes from the active unit. What is the MOST likely cause?
95An administrator configures a VLAN interface on a FortiGate trunk port. The VLAN is allowed on the trunk, but the FortiGate cannot ping the default gateway of that VLAN. Which two items must be verified? (Choose two.)
96An administrator needs to back up the FortiGate configuration to a remote server. Which protocol is supported for backup?
97A FortiGate administrator configures SNMPv2c on the FortiGate to send traps to a monitoring server. However, no traps are received. The monitoring server can ping the FortiGate. What is the MOST likely cause?
98An administrator configures a FortiGate to use NTP for time synchronization. After configuration, the FortiGate still shows the wrong time. Which command should the administrator run to verify NTP status?
99A FortiGate is configured with multiple WAN interfaces and ECMP routing. The administrator notices that traffic to a particular destination is intermittently failing. What is the MOST likely cause?
100An administrator needs to integrate a FortiGate with FortiManager for centralized management. Which two steps are required? (Choose two.)
101An administrator is configuring a loopback interface on a FortiGate for management purposes. Which three statements are true about loopback interfaces? (Choose three.)
102An administrator needs to configure DNS on a FortiGate so that internal hosts can resolve external domain names. Which two settings are required? (Choose two.)
103You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?
104A network administrator needs to allow SSH access to the FortiGate from a management subnet 10.0.1.0/24. Which configuration step is required on the interface connected to that subnet?
105A FortiGate has been configured with two WAN interfaces (wan1, wan2) in an SD-WAN zone. The administrator wants to ensure that traffic for a specific internal server uses only wan1. What is the most appropriate method?
106An administrator configures two FortiGate units in an active-passive HA cluster. After a failover, some existing TCP sessions are dropped. What is the most likely reason for this behavior?
107A FortiGate administrator needs to upgrade the firmware from 7.0.5 to 7.2.0. The current firmware is 7.0.5. What is the recommended upgrade path?
108You run 'get system performance status' and see CPU usage at 95% with high context switch rate. The FortiGate is not passing any traffic. What is the most likely cause?
109An administrator creates a firewall policy to allow internal users to access the internet. The source interface is 'internal', destination interface is 'wan1', and NAT is enabled. Users complain that they cannot access external resources. The administrator verifies that the default route points to the ISP gateway. What is the most likely missing configuration?
110A FortiGate administrator wants to send logs to a FortiAnalyzer. The FortiAnalyzer IP is 192.168.1.100, and logging is configured under Log & Report. However, no logs are being received. Which command should the administrator use on the FortiGate to verify connectivity to the FortiAnalyzer?
111An organization has two FortiGate units in an HA cluster. They need to perform a firmware upgrade on the primary unit without causing a failover. Which procedure should be followed?
112A FortiGate is configured with two equal-cost default routes to different ISPs. The administrator notices that traffic for a specific destination is load-balanced across both links as expected. However, they want all traffic from a specific source IP to use only ISP1, while other traffic remains load-balanced. Which configuration should be applied?
113After upgrading FortiGate firmware, the administrator notices that the 'config router static' command now shows a new keyword 'distance' instead of 'weight'. The upgrade also changed the ECMP load-balancing behavior. What was the likely change in the ECMP algorithm?
114A FortiGate is configured in transparent mode. Which of the following statements is true?
115A FortiGate administrator needs to allow SNMP monitoring from a management station at 10.10.10.50. Which TWO configuration steps are required? (Choose two.)
116A FortiGate in NAT/Route mode has multiple internal networks. The administrator wants to configure a loopback interface for management access. Which THREE statements about loopback interfaces are correct? (Choose three.)
117You are troubleshooting a FortiGate HA cluster that is not failing over correctly. The cluster has two units in active-passive mode. You check the HA status and see both units are in 'standalone' mode. Which THREE configurations could cause this? (Choose three.)
118A network administrator configures a new FortiGate as the default gateway for a subnet. The FortiGate has two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to load-balance outbound traffic across both links. Which configuration method will achieve this goal?
119A FortiGate administrator is setting up a new FortiGate in a network that requires the firewall to bridge traffic between two subnets without routing. Which operating mode should the administrator select?
120An administrator configures an HA cluster of two FortiGates in active-passive mode. The cluster is synchronized, but after a failover, some existing TCP sessions are dropped. What is the most likely cause?
121You run the following CLI command on a FortiGate: diagnose sys session filter dport 443 diagnose sys session list And you see the output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?
122A FortiGate administrator needs to allow remote management of a FortiGate from the internet. Which administrative access protocols should be enabled on the WAN interface? (Choose the best single answer.)
123An administrator configures a policy route to force traffic from a specific source subnet to use a particular WAN interface. After applying the configuration, the traffic still uses the default route. What is the most likely cause?
124A FortiGate administrator is upgrading firmware from version 6.0 to 7.0. The upgrade path requires multiple steps. Which of the following is the recommended method to ensure a successful upgrade?
125A FortiGate is configured with an aggregate interface (link aggregation group) consisting of two physical ports. The administrator notices that traffic is not being distributed evenly across the two links. Which configuration setting should be verified to improve load balancing?
126An administrator needs to back up the full configuration of a FortiGate, including all system settings, policies, and objects. Which CLI command should be used?
127A FortiGate administrator wants to integrate the FortiGate with a FortiAnalyzer for centralized logging. Which configuration step is required on the FortiGate?
128An administrator configures a VLAN interface on a FortiGate's physical port with the IP 192.168.10.1/24. The VLAN ID is 10. The administrator connects a switch port configured as an access port (untagged) in VLAN 10. The devices on the switch cannot ping the FortiGate's VLAN interface. What is the most likely cause?
129A FortiGate administrator needs to ensure that all DNS queries from internal clients are forwarded to a specific DNS server for security filtering. Which configuration should be applied?
130A FortiGate is configured in an HA cluster with two units. The cluster is working, but the administrator wants to ensure that configuration changes made on the primary unit are automatically synchronized to the secondary unit. Which two conditions must be met? (Choose TWO.)
131A network administrator is configuring SNMP on a FortiGate for monitoring. Which three pieces of information are required to complete the SNMPv2c configuration? (Choose THREE.)
132An administrator wants to use FortiManager to manage multiple FortiGates. Which three steps must be performed to establish communication between a FortiGate and FortiManager? (Choose THREE.)
133A network administrator is configuring a FortiGate for the first time and needs to enable administrative access via HTTPS from the internal network. Which configuration step is required?
134You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?
135A FortiGate configured in NAT/Route mode is connected to the internet via port1 with an IP 10.0.0.1/24. The internal network uses 192.168.1.0/24. Users can browse the internet but cannot reach a public server at 203.0.113.5. A static default route exists. What is the most likely cause?
136An administrator wants to upgrade the FortiGate firmware from version 6.4.9 to 7.0.1. What is the most important consideration before proceeding?
137Which FortiGate operating mode is used when the device acts as a Layer 2 bridge without performing NAT?
138An administrator notices that traffic to a particular subnet is being load-balanced across two WAN links, but they want all traffic to that subnet to use a single link. Which feature should be configured?
139A FortiGate administrator needs to allow SSH management access from a specific IP address 10.0.0.100. Which configuration is required?
140An administrator wants to synchronize the FortiGate's time with a reliable NTP server. After configuring the NTP server, they notice the time is still incorrect. What could be the issue?
141A FortiGate has two internet connections: port1 (ISP1) and port2 (ISP2). An administrator configures two static default routes with equal distance and priority. Traffic to a specific public IP is observed going out port1, but the admin wants it to go out port2. What should be configured?
142An administrator wants to back up the FortiGate configuration to a remote FTP server. Which command should be used?
143A FortiGate is configured with two WAN interfaces in an SD-WAN zone. The administrator wants to ensure voice traffic uses the interface with the lowest latency. Which SD-WAN configuration should be used?
144Which protocol does FortiGate use to synchronize sessions between HA cluster members?
145An administrator is configuring a FortiGate to send logs to a FortiAnalyzer. Which TWO of the following are required? (Choose two.)
146A FortiGate administrator is planning an upgrade from FortiOS 6.4 to 7.2. Which THREE steps should be performed before the upgrade? (Choose three.)
147An administrator wants to configure HA on two FortiGate units. Which TWO of the following must match on both units for the cluster to form? (Choose two.)
148A FortiGate administrator needs to configure a static route to reach a remote network 192.168.100.0/24 via next-hop 10.0.0.1. Which CLI command should be used?
149An administrator wants to allow management access to a FortiGate from a specific subnet 10.10.10.0/24 via HTTPS. Which configuration achieves this?
150You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?
151An administrator configures a FortiGate in transparent mode. Which of the following is correct regarding transparent mode operation?
152Which of the following is the correct way to upgrade the firmware on a FortiGate from the CLI?
153An administrator wants to configure SNMP on a FortiGate to allow a monitoring server 192.168.1.100 to poll read-only information. Which set of commands is correct?
154A FortiGate has two WAN interfaces (wan1, wan2) configured with ECMP routes to the same destination. The administrator notices that traffic for a single session is being load-balanced across both links, causing performance issues. What should be configured to ensure sessions stick to one link?
155An administrator wants to back up the FortiGate configuration to a TFTP server at 10.10.10.10. Which CLI command should be used?
156What is the purpose of configuring an NTP server on a FortiGate?
157An administrator needs to ensure that all traffic from the internal network to the internet goes through a web proxy for content filtering. Which configuration is required on the FortiGate?
158A FortiGate in HA active-passive cluster is experiencing failover events. The administrator runs 'get system ha status' and sees that the 'sync status' is 'out of sync'. What is the most likely cause?
159An administrator configures a policy route to send all traffic from subnet 172.16.1.0/24 to a specific next-hop 10.0.0.2. However, the traffic is still using the default route. What could be the reason?
160An administrator is configuring a new FortiGate and wants to ensure it can be managed centrally via FortiManager. Which TWO steps are required?
161A FortiGate is configured in active-active HA mode. An administrator notices that session failover is not working properly during a failover event. Which THREE configurations should be checked?
162An administrator wants to integrate FortiGate with FortiAnalyzer for logging. Which TWO steps are necessary?
163A network administrator needs to configure a FortiGate to allow administrative access from a specific management subnet only. Which configuration step should be taken?
164A FortiGate is configured with two WAN interfaces (port1 and port2) connected to different ISPs. The administrator wants to load-balance outbound traffic across both links using equal-cost routes. Which routing configuration should be applied?
165An administrator runs the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and sees output indicating sessions with proto_state=01 and duration=3600. What does this indicate about the sessions?
166A FortiGate is operating in transparent mode. The administrator needs to configure a new VLAN interface for segmenting traffic. Which statement about VLAN interfaces in transparent mode is correct?
167An administrator wants to upgrade the FortiOS firmware on a FortiGate. Which step is critical before starting the upgrade process?
168A FortiGate administrator needs to integrate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection status: disconnected'. What is the most likely cause?
169An administrator configures a FortiGate HA cluster with two units in active-passive mode. After setup, the secondary unit shows 'standby' status but traffic is not failing over when the primary is shut down. What is the most likely cause?
170A FortiGate needs to resolve DNS names for outbound traffic. The administrator configures DNS servers under System > DNS. However, internal DNS queries for private domains fail. What additional configuration is required?
171An administrator needs to configure a loopback interface on a FortiGate for management purposes. Which of the following is true regarding loopback interfaces?
172A FortiGate administrator configures policy-based routing (PBR) to direct traffic from subnet 192.168.1.0/24 to the internet via ISP1. However, traffic from that subnet is still using the default route via ISP2. What is the most likely cause?
173An administrator wants to configure SNMPv3 on a FortiGate for secure monitoring. Which configuration is required?
174A FortiGate administrator needs to backup the configuration to a remote TFTP server. Which CLI command should be used?
175A network administrator has two FortiGate units that need to be configured as an HA cluster. Which TWO of the following are prerequisites for HA formation?
176A FortiGate administrator needs to configure a VLAN interface and an aggregate interface. Which THREE statements are correct regarding these interface types?
177An administrator is troubleshooting why traffic from a specific source IP is not being matched by a policy route. Which THREE steps should the administrator take to diagnose the issue?
178A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?
179An administrator is configuring a new FortiGate and wants to allow management access from the internal network via HTTPS. The internal interface is port2 with IP 192.168.1.1/24. Which CLI command correctly enables HTTPS administrative access on port2?
180After upgrading FortiGate firmware from 6.0 to 7.2, an administrator notices that a static route pointing to a next-hop IP 10.0.0.1 is no longer working. The route is present in the configuration but the FortiGate shows it as 'not active'. What is the MOST likely cause?
181A FortiGate is deployed in NAT/Route mode. The administrator wants to create a policy that allows internal users to access the internet and also translates their private IP addresses to the public IP of the FortiGate's WAN interface. Which policy configuration is required?
182An administrator runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?
183A FortiGate administrator needs to configure a policy route to send all traffic destined to 10.10.10.0/24 out through interface port3 instead of the default route. Which configuration steps are necessary?
184An administrator has configured two FortiGate units in an active-passive HA cluster. The primary unit fails. How does the secondary unit become active?
185An administrator configures an aggregate interface (port1 and port2) on a FortiGate. After connecting the switch ports, the aggregate interface shows 'down'. The individual member ports are up. What is the MOST likely cause?
186An administrator is troubleshooting a loss of connectivity between two sites connected via a VPN tunnel. The FortiGate logs show 'Tunnel: phase 1 negotiation failed'. Which two parameters MUST match on both peers for phase 1 to succeed? (Select two. Not all options are used.)
187A FortiGate administrator wants to ensure that all firewall policies are backed up before performing a firmware upgrade. Which backup method preserves the configuration in a format that can be restored to the same or different FortiGate model?
188An administrator needs to forward logs from a FortiGate to a FortiAnalyzer for centralized logging. The FortiAnalyzer IP is 10.10.10.10. Which configuration is required on the FortiGate?
189An administrator is configuring ECMP (Equal-Cost Multi-Path) on a FortiGate. Which TWO conditions are required for ECMP to load balance traffic across multiple routes?
190A FortiGate configured in transparent mode needs to allow HTTP traffic between two VLANs. The administrator has created a firewall policy. However, traffic is still blocked. Which TWO additional configurations are necessary for transparent mode operation?
191An administrator wants to allow only HTTPS and SSH administrative access to the FortiGate from a specific management subnet 192.168.100.0/24. Which TWO steps must be taken on the FortiGate?
192An administrator is planning a firmware upgrade from FortiOS 6.0 to 7.2. Which THREE steps should be performed before starting the upgrade process?
193A network administrator has configured a static route on a FortiGate with a distance of 10 and a priority of 0. Later, they add another static route to the same destination with a distance of 15 and priority of 0. Which route will be used for traffic forwarding?
194You are troubleshooting a FortiGate HA cluster (active-passive) and notice that after a failover, some existing TCP sessions are not being maintained. The hbdev heartbeat interfaces are configured correctly, and session synchronization is enabled. What is the MOST likely cause?
195Which of the following FortiGate operating modes allows the firewall to act as a Layer 3 device, performing NAT and routing between interfaces?
196An administrator configures a policy route to direct traffic from subnet 10.1.1.0/24 to the internet via ISP1 with a gateway of 203.0.113.1. However, traffic from that subnet is still using the default route via ISP2. What is the MOST likely cause?
197You run the following diagnose command on a FortiGate and see the output: diagnose sys session filter dport 443 diagnose sys session list ... proto=6 proto_state=01 duration=3600 expire=3599 ... What does the 'proto_state=01' indicate?
198A FortiGate administrator needs to configure a backup and restore strategy for the FortiGate configuration. Which TWO statements are correct regarding configuration backup and restore?
199An administrator is configuring SNMP on a FortiGate for monitoring. Which THREE items are required for SNMPv3 configuration?
200A FortiGate administrator is setting up a new FortiGate and needs to integrate it with FortiAnalyzer and FortiManager. Which THREE statements are correct regarding this integration?
The System and Network Administration domain covers the key concepts tested in this area of the NSE4 exam blueprint published by Fortinet. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all NSE4 domains — no account required.
The Courseiva NSE4 question bank contains 200 questions in the System and Network Administration domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the System and Network Administration domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included