Fortinet · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?
config system admin; edit admin; set trusthost 192.168.1.0 255.255.255.0; end
Correct; trusted hosts restrict administrative access to specified source IPs.
config system interface; edit port1; set allowaccess ping https ssh; end
config system global; set admin-http-redirect enable; end
set admin-sport 443
A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?
An interface is in error-disable state causing CPU interrupts.
The firewall policy is misconfigured, causing packet drops.
A DDoS attack is overwhelming the CPU.
A process such as the IPS engine is stuck in an infinite loop.
Correct; a runaway process can consume CPU even without traffic.
An administrator needs to back up the FortiGate configuration to a TFTP server at 10.0.0.10. Which command should be used?
tftp -p -l mybackup.conf 10.0.0.10
execute backup config tftp mybackup.conf 10.0.0.10
Correct; this is the correct syntax for TFTP backup.
execute backup config ftp mybackup.conf 10.0.0.10
copy config tftp://10.0.0.10/mybackup.conf
Refer to the exhibit. An administrator wants to enable SNMP access on the wan1 interface. Which of the following is the most efficient method?
Execute 'config system interface' and edit wan1, then set allowaccess ping https ssh snmp.
Correct; adding 'snmp' to allowaccess enables SNMP on that interface.
Change the interface type to 'management' to allow SNMP.
Execute 'config system interface' and edit wan1, then set snmp-index 1.
Configure an SNMP community under 'config system snmp community'.
Which TWO of the following are valid methods to upgrade the FortiGate firmware? (Choose two.)
Use the GUI under System > Firmware.
Correct; the GUI provides a firmware upgrade option.
Use the command 'execute upgrade image tftp <ip> <filename>'.
Correct; this upgrades firmware from TFTP.
Use the command 'execute backup config tftp'.
Use the command 'execute reboot'.
Use the command 'execute restore config tftp'.
An administrator is troubleshooting a FortiGate that is not passing traffic. The policy allows traffic, but the session table shows no sessions. Which THREE steps should the administrator take to diagnose the issue? (Choose three.)
Verify the interface status and link state.
Correct; an interface that is down would stop traffic.
Run 'diagnose npu np6 show' to check offloading.
Check the ARP table to ensure the next-hop MAC is resolved.
Correct; if ARP is incomplete, traffic cannot be forwarded.
Examine the routing table for the destination network.
Correct; a missing route would drop traffic.
Disable the firewall policy and check if traffic flows.
A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?
The policy is placed below a deny-all policy
NAT is not configured on the policy
The firewall does not have a route to the 10.0.0.0/8 network
Correct; without a route, traffic from that network will be dropped.
The policy is disabled
An organization wants to authenticate VPN users using an LDAP server. They configure an LDAP server object and a user group. However, users are unable to authenticate. The administrator checks the logs and sees 'authentication failed' errors. What is the most common misconfiguration?
The user group is not configured with the correct members
The LDAP server uses SSL/TLS but the FortiGate is not configured for it
The LDAP server bind DN or password is incorrect
Correct; incorrect bind credentials prevent the FortiGate from querying the directory.
The LDAP server is not reachable from the FortiGate
A FortiGate administrator needs to allow SMTP traffic from the internal network to an external mail server. The internal network uses source NAT to the external interface IP. Which firewall policy configuration is correct?
Policy: source internal, destination external, service SMTP, enable NAT
Correct; SMTP uses TCP port 25 and NAT is needed for outbound traffic.
Policy: source internal, destination external, service SMTP, disable NAT
Policy: source internal, destination external, service SMTP (port 587), enable NAT
Policy: source internal, destination external, service SMTP (UDP), enable NAT
Refer to the exhibit. A FortiGate has this policy configured. Traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP is being logged as allowed. However, users report that they cannot access the web server. What is the most likely issue?
NAT is not enabled on the policy
Correct; without NAT, the server may send replies directly to the client's private IP, which is not routable.
The policy is placed below a deny policy
The service is set to HTTP but the server uses HTTPS
The policy is disabled
Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?
The authentication session will remain active because the firewall session is still valid
The user will be automatically re-authenticated without prompting
The firewall session will be torn down immediately
The authentication session will expire, and the user must re-authenticate for new traffic
Correct; the user will be prompted for credentials again after the idle timeout.
A company uses FSSO (Fortinet Single Sign-On) with a domain controller. Users authenticate to the domain, and the FortiGate retrieves the login events. The firewall policy uses the FSSO group. Some users report that after logging in, they cannot access resources that require authentication. The administrator checks the FSSO status and sees that the FortiGate is receiving login events. What is the most likely cause?
The user is not a member of the FSSO group
The FSSO collector agent is not running
The user's IP address is not in the source address range of the policy
Correct; FSSO authenticates the user, but the policy's source address must match the user's IP.
The FortiGate is not polling the domain controller
A remote user reports that they can connect to the FortiGate SSL VPN portal but cannot access internal resources. The administrator checks the SSL VPN settings and sees that the tunnel mode is enabled with split tunneling. What is the most likely cause?
The IP pool is exhausted and no IP address was assigned.
The firewall policy allowing SSL VPN traffic to internal resources is missing.
The routing table on the client is missing the internal network routes.
Correct; split tunneling requires proper routes to internal networks.
The SSL VPN authentication timeout is too short.
An administrator is configuring a site-to-site IPsec VPN between two FortiGates. After applying the configuration, the VPN status shows 'down'. Phase 1 parameters are identical on both sides. What is the most likely cause of the failure?
The Phase 2 selectors (local and remote subnets) are mismatched.
Correct; Phase 2 requires matching proxy IDs.
The pre-shared keys do not match.
The firewall policies are not configured.
NAT traversal is disabled but both FortiGates are behind NAT.
A company with multiple remote sites uses IPsec VPNs. One site reports intermittent connectivity. The administrator checks the logs and sees 'IPsec phase 2 negotiation failed' messages. Which configuration change is most likely to resolve the issue?
Enable Dead Peer Detection (DPD) on the Phase 1 interface.
Correct; DPD detects peer failure and triggers renegotiation.
Change the encryption algorithm from AES256 to 3DES.
Increase the Phase 2 lifetime.
Enable NAT traversal.
An administrator is troubleshooting an SSL VPN connection issue. Users can authenticate but receive a 'No available tunnel' error. What is the most likely cause?
Split tunneling is misconfigured.
The firewall policy does not allow traffic from the SSL VPN interface.
The SSL VPN port is blocked on the firewall.
The SSL VPN IP pool has run out of addresses.
Correct; an exhausted IP pool prevents tunnel assignment.
A site-to-site IPsec VPN is configured with IKEv2. The tunnel establishes but traffic does not pass. Which two troubleshooting steps should the administrator perform first?
Check the Phase 2 selectors.
Verify that the Phase 1 proposal matches.
Check the firewall policies allowing traffic through the tunnel.
Correct; policies must permit traffic between zones.
Check the routing table for routes pointing to the remote networks.
Correct; proper routes are needed for traffic to use the tunnel.
A FortiGate administrator is designing an SSL VPN solution for 500 remote users. The users need full network access. Which two design considerations are most important?
Ensure the SSL VPN IP pool has enough addresses for concurrent users.
Correct; a sufficient IP pool is critical for scalability.
Create firewall policies that allow traffic from the SSL VPN interface to internal networks.
Correct; policies are essential to permit traffic.
Configure split tunneling to reduce load on the FortiGate.
Use certificate-based authentication for all users.
Enable port forwarding for RDP and SSH.
A network administrator notices that users cannot access HTTPS websites after enabling SSL inspection. The firewall policy allows the traffic, and the certificate is trusted on the clients. What is the most likely cause?
The CA certificate used for SSL inspection is not trusted by the clients.
Correct; if the CA certificate is not trusted, clients will block HTTPS connections.
The client's browser has a proxy configured incorrectly.
The firewall policy has SSL inspection disabled.
The DNS server is not resolving the domain names.
Which FortiGate feature allows you to block access to specific URL categories such as 'Social Media' or 'Gambling'?
Web Filtering
Correct; Web Filtering is used to block or allow based on URL categories.
Antivirus
Intrusion Prevention System (IPS)
Application Control
An administrator configured SSL inspection with the 'deep-inspection' profile. Users report that some websites fail to load with certificate errors. The firewall policy is correct. What is the most likely reason?
The CA certificate has expired.
The web server uses a cipher that the FortiGate cannot re-encrypt.
Correct; some ciphers may not be supported for re-encryption, causing errors.
The user's browser is outdated.
The firewall needs a policy to allow DNS traffic.
When configuring SSL inspection, which type of inspection decrypts and inspects all HTTPS traffic including applications using non-standard ports?
SSL Offloading
Certificate Inspection
Full SSL Inspection (Deep Inspection)
Correct; deep inspection decrypts and inspects all traffic.
Flow-based Inspection
A company wants to block downloads of executable files via HTTP and HTTPS while allowing other content. Which combination of security profiles should be applied to the firewall policy?
Web Filtering and Antivirus
Correct; web filtering blocks file types and antivirus scans for malware.
Application Control and Antivirus
Web Filtering and IPS
DNS Filtering and Web Filtering
After enabling SSL inspection, a user receives a warning 'The certificate is not trusted' in the browser. The administrator has installed the CA certificate on the client. What else could be the cause?
The firewall policy denies the traffic.
The CA certificate is not added to the browser's trusted root store.
Correct; the CA must be trusted by the browser.
The FortiGate is not decrypting the traffic.
The web server's certificate has expired.
A network engineer is configuring an SD-WAN rule to steer voice traffic to the MPLS link with the lowest latency. The SLA target is set to latency < 50 ms and jitter < 10 ms. However, the MPLS link occasionally exceeds the latency threshold. What should the engineer do to ensure voice traffic uses the best available link without manual intervention?
Remove the latency performance SLA and rely only on jitter.
Configure the SD-WAN rule with a secondary strategy to use the broadband link when SLA is not met.
Correct; this allows automatic failover to the broadband link when MPLS fails SLA.
Increase the jitter threshold to 15 ms to avoid SLA violations.
Disable SLA enforcement on the SD-WAN rule so voice traffic always uses the MPLS link.
An administrator has two FortiGate units in an active-passive HA cluster. The cluster is configured to use the heartbeat interface port3. During a failover test, the primary unit fails but the secondary does not take over. What is the most likely cause?
The secondary unit has an override enabled.
The heartbeat interface (port3) is down on the secondary unit.
Correct; heartbeat loss prevents failover.
Session pickup is disabled on the cluster.
The HA uptime on the secondary is less than the primary.
A company has two remote sites connected via an SD-WAN overlay. The headquarters uses a FortiGate with two WAN links: Fiber (priority 1) and LTE (priority 2). The SD-WAN rule for business-critical traffic uses the 'best quality' strategy with SLA targets for latency and jitter. The fiber link occasionally experiences high jitter but low latency. The engineer notices that traffic is not failing over to LTE even when jitter exceeds the threshold. What is the most likely reason?
The performance SLA for jitter is not configured, only latency.
Correct; only configured SLA targets are measured for failover.
The SD-WAN rule has SLA match set to 'either' instead of 'all'.
The LTE link has a higher cost and is not considered for failover.
The fiber link has a higher interface weight.
In an active-active HA cluster, which of the following must be identical on both FortiGate units?
HA priority
Management IP address
Virtual cluster ID
Correct; virtual cluster ID must match.
Hostname
An SD-WAN rule is configured with a 'manual' strategy and multiple members. The engineer wants to ensure that voice traffic always uses the MPLS link as long as it meets the SLA, otherwise use the broadband link. Which configuration is required?
Set the strategy to 'volume' and configure MPLS as preferred.
Set the manual strategy with MPLS as first member and enable SLA check.
Correct; manual strategy with SLA check will use the first member if SLA is met, otherwise the next.
Use 'load balancing' strategy and assign MPLS a higher weight.
Set the strategy to 'best quality' and set MPLS with highest priority.
Which TWO statements about FortiGate HA heartbeat interfaces are correct?
Heartbeat interfaces must be in the same VDOM.
Heartbeat interfaces must be dedicated management ports.
Heartbeat interfaces must be on the same subnet.
Correct; heartbeat requires L2 connectivity.
Heartbeat traffic is not encrypted by default.
Correct; encryption must be explicitly enabled.
Only two heartbeat interfaces can be configured.
The NSE4 exam has 60 questions and must be completed in 105 minutes. The passing score is 650/1000.
Scenario-based questions covering exam objectives with detailed answer explanations.
The exam covers 5 domains: System and Network Administration, Firewall Policies and NAT, Authentication and VPN, Security Profiles, High Availability and Diagnostics. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Fortinet NSE4 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.