Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Fortinet · Free Practice Questions · Last reviewed May 2026

NSE4 Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

60 exam questions
105 min time limit
Pass: 650/1000
5 exam domains

Domain 1: System and Network Administration

All System and Network Administration questions
Q1 (medium)

A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?

A

config system admin; edit admin; set trusthost 192.168.1.0 255.255.255.0; end

Trusted hosts restrict administrative access to specified source IPs.

B

config system interface; edit port1; set allowaccess ping https ssh; end

C

config system global; set admin-http-redirect enable; end

D

set admin-sport 443

Why: Option A is correct because the `config system admin` command with `set trusthost` restricts administrative login attempts to only the specified source IP address or subnet. By setting `trusthost 192.168.1.0 255.255.255.0`, the FortiGate will only allow admin access from the 192.168.1.0/24 network, blocking all other sources. This is the foundational step to enforce source-based access control for administrative interfaces.
Q2 (hard)

A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?

A

An interface is in error-disable state causing CPU interrupts.

B

The firewall policy is misconfigured, causing packet drops.

C

A DDoS attack is overwhelming the CPU.

D

A process such as the IPS engine is stuck in an infinite loop.

A runaway process can consume CPU even without traffic.

Why: When CPU usage remains high (above 80%) with no traffic, the most likely cause is a process stuck in an infinite loop, such as the IPS engine. This is a known software bug or process hang that consumes CPU cycles even without network traffic, and it can be verified using 'diagnose sys top' to identify the offending process.
Q3 (easy)

An administrator needs to back up the FortiGate configuration to a TFTP server at 10.0.0.10. Which command should be used?

A

tftp -p -l mybackup.conf 10.0.0.10

B

execute backup config tftp mybackup.conf 10.0.0.10

This is the correct syntax for TFTP backup.

C

execute backup config ftp mybackup.conf 10.0.0.10

D

copy config tftp://10.0.0.10/mybackup.conf

Why: The correct command to back up a FortiGate configuration to a TFTP server is 'execute backup config tftp <filename> <server-ip>'. This is a standard FortiOS CLI command that uses TFTP (Trivial File Transfer Protocol) to transfer the configuration file to the specified server at 10.0.0.10. Option B matches this syntax exactly.
Q4 (hard)

Refer to the exhibit. An administrator wants to enable SNMP access on the wan1 interface. Which of the following is the most efficient method?

A

Execute 'config system interface' and edit wan1, then set allowaccess ping https ssh snmp.

Adding 'snmp' to allowaccess enables SNMP on that interface.

B

Change the interface type to 'management' to allow SNMP.

C

Execute 'config system interface' and edit wan1, then set snmp-index 1.

D

Configure an SNMP community under 'config system snmp community'.

Why: Option A is correct because the 'allowaccess' parameter under 'config system interface' controls which management protocols (ping, https, ssh, snmp, etc.) are permitted on a given interface. By adding 'snmp' to the allowaccess list for wan1, the administrator enables SNMP access on that interface without changing its role or type.
Q5 (medium)

Which TWO of the following are valid methods to upgrade the FortiGate firmware? (Choose two.)

A

Use the GUI under System > Firmware.

GUI provides a firmware upgrade option.

B

Use the command 'execute upgrade image tftp <ip> <filename>'.

This upgrades firmware from TFTP.

C

Use the command 'execute backup config tftp'.

D

Use the command 'execute reboot'.

E

Use the command 'execute restore config tftp'.

Why: Option A is correct because the FortiGate GUI provides a dedicated interface under System > Firmware to upload and install firmware images, which is a standard and supported upgrade method. This method allows administrators to select a local or remote firmware file and apply it with minimal disruption when proper procedures are followed.
Q6 (hard)

An administrator is troubleshooting a FortiGate that is not passing traffic. The policy allows traffic, but the session table shows no sessions. Which THREE steps should the administrator take to diagnose the issue? (Choose three.)

A

Verify the interface status and link state.

Interface down would stop traffic.

B

Run 'diagnose npu np6 show' to check offloading.

C

Check the ARP table to ensure the next-hop MAC is resolved.

If ARP is incomplete, traffic cannot be forwarded.

D

Examine the routing table for the destination network.

Missing route would drop traffic.

E

Disable the firewall policy and check if traffic flows.

Why: Option A is correct because if the interface is down or has a link issue, the FortiGate cannot send or receive any traffic, resulting in no sessions being created even if the policy allows traffic. Verifying interface status and link state is a fundamental first step in troubleshooting connectivity issues, as it ensures the physical or logical layer is operational before checking higher-layer configurations.


Domain 2: Firewall Policies and NAT

All Firewall Policies and NAT questions
Q1 (medium)

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

A

The policy is placed below a deny-all policy

B

NAT is not configured on the policy

C

The firewall does not have a route to the 10.0.0.0/8 network

Without a route, traffic from that network will be dropped.

D

The policy is disabled

Why: The most likely cause is that the firewall does not have a route to the 10.0.0.0/8 network. Even though the policy is enabled and correctly positioned, the firewall must have a return route to the source network (10.0.0.0/8) for the web server's response traffic to reach the users. Without this route, the firewall drops the return packets, causing connectivity failure for those specific users.
Q2 (hard)

An organization wants to authenticate VPN users using an LDAP server. They configure an LDAP server object and a user group. However, users are unable to authenticate. The administrator checks the logs and sees 'authentication failed' errors. What is the most common misconfiguration?

A

The user group is not configured with the correct members

B

The LDAP server uses SSL/TLS but the FortiGate is not configured for it

C

The LDAP server bind DN or password is incorrect

Incorrect bind credentials prevent the FortiGate from querying the directory.

D

The LDAP server is not reachable from the FortiGate

Why: The most common misconfiguration when LDAP authentication fails is an incorrect bind DN or password. The FortiGate uses the bind DN to authenticate to the LDAP server before it can search for users; if these credentials are wrong, the LDAP server rejects the bind request, resulting in an 'authentication failed' log entry. This error occurs even before user credentials are checked, making it a frequent root cause.
Q3 (easy)

A FortiGate administrator needs to allow SMTP traffic from the internal network to an external mail server. The internal network uses source NAT to the external interface IP. Which firewall policy configuration is correct?

A

Policy: source internal, destination external, service SMTP, enable NAT

SMTP uses TCP port 25 and NAT is needed for outbound traffic.

B

Policy: source internal, destination external, service SMTP, disable NAT

C

Policy: source internal, destination external, service SMTP (port 587), enable NAT

D

Policy: source internal, destination external, service SMTP (UDP), enable NAT

Why: Option A is correct because SMTP traffic from the internal network to an external mail server requires source NAT (masquerading) to translate private source IPs to the FortiGate's external interface IP. This ensures return traffic is routed back correctly. The default SMTP service uses TCP port 25, and enabling NAT on the policy is the standard configuration for outbound traffic to the internet.
Q4 (medium)

Refer to the exhibit. A FortiGate has this policy configured. Traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP is being logged as allowed. However, users report that they cannot access the web server. What is the most likely issue?

A

NAT is not enabled on the policy

Without NAT, the server may send replies directly to the client's private IP, which is not routable.

B

The policy is placed below a deny policy

C

The service is set to HTTP but the server uses HTTPS

D

The policy is disabled

Why: The correct answer is A because the policy allows traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP, but without NAT enabled, the return traffic from the web server will be sent directly to the source IP (10.0.1.x) without going through the FortiGate. Since the source is a private IP, the server cannot route back to it unless the FortiGate performs source NAT (SNAT) to translate the source IP to its own interface IP. Without NAT, the session is logged as allowed but the client never receives the server's response, resulting in a connectivity failure.
Q5 (hard)

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

A

The authentication session will remain active because the firewall session is still valid

B

The user will be automatically re-authenticated without prompting

C

The firewall session will be torn down immediately

D

The authentication session will expire, and the user must re-authenticate for new traffic

The user will be prompted for credentials again after idle timeout.

Why: Option D is correct because the authentication idle timeout of 30 minutes governs the authentication session, not the firewall session. Once the user 'jsmith' has been idle for 30 minutes, the authentication session expires. Any new HTTP traffic from 10.0.0.0/24 to 192.168.1.10 will then require re-authentication, as the firewall policy enforces authentication for that traffic. The existing firewall session may persist briefly, but it will not allow new traffic without a valid authentication entry.
Q6 (medium)

A company uses FSSO (Fortinet Single Sign-On) with a domain controller. Users authenticate to the domain, and the FortiGate retrieves the login events. The firewall policy uses the FSSO group. Some users report that after logging in, they cannot access resources that require authentication. The administrator checks the FSSO status and sees that the FortiGate is receiving login events. What is the most likely cause?

A

The user is not a member of the FSSO group

B

The FSSO collector agent is not running

C

The user's IP address is not in the source address range of the policy

FSSO authenticates the user, but the policy's source address must match the user's IP.

D

The FortiGate is not polling the domain controller

Why: Option C is correct because even though the FortiGate is receiving FSSO login events, the firewall policy also includes a source address restriction. If the user's IP address falls outside the defined source address range, the policy will not match, and the user will be denied access despite being authenticated via FSSO. The FSSO group membership is only one condition; the source IP must also satisfy the policy's source address criteria.


Domain 3: Authentication and VPN

All Authentication and VPN questions
Q1 (easy)

A remote user reports that they can connect to the FortiGate SSL VPN portal but cannot access internal resources. The administrator checks the SSL VPN settings and sees that the tunnel mode is enabled with split tunneling. What is the most likely cause?

A

The IP pool is exhausted and no IP address was assigned.

B

The firewall policy allowing SSL VPN traffic to internal resources is missing.

C

The routing table on the client is missing the internal network routes.

Split tunneling requires proper routes to internal networks.

D

The SSL VPN authentication timeout is too short.

Why: With split tunneling enabled, the FortiGate SSL VPN portal connection succeeds, but the client's routing table does not automatically include routes for the internal network. Without those routes, traffic to internal resources is sent to the default gateway instead of through the VPN tunnel, causing access failure. This is the most likely cause because the user can authenticate and establish the tunnel but cannot reach internal subnets.
Q2 (medium)

An administrator is configuring a site-to-site IPsec VPN between two FortiGates. After applying the configuration, the VPN status shows 'down'. Phase 1 parameters are identical on both sides. What is the most likely cause of the failure?

A

The Phase 2 selectors (local and remote subnets) are mismatched.

Phase 2 requires matching proxy IDs.

B

The pre-shared keys do not match.

C

The firewall policies are not configured.

D

NAT traversal is disabled but both FortiGates are behind NAT.

Why: When Phase 1 parameters are identical and the VPN is down, the most common cause is a mismatch in Phase 2 selectors (local and remote subnets). Phase 2 uses these selectors to negotiate the IPsec security associations (SAs); if they do not match exactly on both sides, the IKEv1/v2 Quick Mode or Child SA exchange will fail, leaving the tunnel in a 'down' state even though Phase 1 (IKE SA) may be up.
Q3 (hard)

A company with multiple remote sites uses IPsec VPNs. One site reports intermittent connectivity. The administrator checks the logs and sees 'IPsec phase 2 negotiation failed' messages. Which configuration change is most likely to resolve the issue?

A

Enable Dead Peer Detection (DPD) on the Phase 1 interface.

DPD detects peer failure and triggers renegotiation.

B

Change the encryption algorithm from AES256 to 3DES.

C

Increase the Phase 2 lifetime.

D

Enable NAT traversal.

Why: Intermittent IPsec phase 2 negotiation failures often occur when one peer's Phase 2 security association (SA) expires while the other peer still considers it valid, causing a mismatch. Enabling Dead Peer Detection (DPD) on the Phase 1 interface allows the FortiGate to actively probe the peer's liveness and renegotiate Phase 1 and Phase 2 SAs before they expire, preventing the state mismatch that leads to intermittent failures.
Q4 (easy)

An administrator is troubleshooting an SSL VPN connection issue. Users can authenticate but receive a 'No available tunnel' error. What is the most likely cause?

A

Split tunneling is misconfigured.

B

The firewall policy does not allow traffic from the SSL VPN interface.

C

The SSL VPN port is blocked on the firewall.

D

The SSL VPN IP pool has run out of addresses.

Exhausted IP pool prevents tunnel assignment.

Why: The 'No available tunnel' error after successful authentication indicates that the SSL VPN daemon cannot assign an IP address to the client. The most likely cause is that the SSL VPN IP pool has exhausted its available addresses, preventing the creation of a virtual tunnel interface. This is a common issue when the pool size is smaller than the number of concurrent users.
Q5 (medium)

A site-to-site IPsec VPN is configured with IKEv2. The tunnel establishes but traffic does not pass. Which two troubleshooting steps should the administrator perform first?

A

Check the Phase 2 selectors.

B

Verify that the Phase 1 proposal matches.

C

Check the firewall policies allowing traffic through the tunnel.

Policies must permit traffic between zones.

D

Check the routing table for routes pointing to the remote networks.

Proper routes are needed for traffic to use the tunnel.

Why: Option C is correct because even if the IPsec tunnel is established, traffic will not pass unless firewall policies explicitly permit it. In FortiGate, a Phase 2 tunnel being up does not imply that traffic is allowed; you must have a policy that matches the source/destination and enables the action to forward traffic through the tunnel interface.
Q6 (hard)

A FortiGate administrator is designing an SSL VPN solution for 500 remote users. The users need full network access. Which two design considerations are most important?

A

Ensure the SSL VPN IP pool has enough addresses for concurrent users.

Sufficient IP pool is critical for scalability.

B

Create firewall policies that allow traffic from the SSL VPN interface to internal networks.

Policies are essential to permit traffic.

C

Configure split tunneling to reduce load on the FortiGate.

D

Use certificate-based authentication for all users.

E

Enable port forwarding for RDP and SSH.

Why: Option A is correct because the SSL VPN IP pool must have enough addresses to assign to all concurrent users. Without a sufficient pool, users will fail to obtain an IP address and cannot access the network. Option B is correct because firewall policies are required to permit traffic from the SSL VPN interface (e.g., ssl.root) to internal networks; without them, traffic is dropped even if the tunnel is established.


Domain 4: Security Profiles

All Security Profiles questions
Q1 (medium)

A network administrator notices that users cannot access HTTPS websites after enabling SSL inspection. The firewall policy allows the traffic, and the certificate is trusted on the clients. What is the most likely cause?

A

The CA certificate used for SSL inspection is not trusted by the clients.

If the CA certificate is not trusted, clients will block HTTPS connections.

B

The client's browser has a proxy configured incorrectly.

C

The firewall policy has SSL inspection disabled.

D

The DNS server is not resolving the domain names.

Why: Option A is correct because the most likely cause is that the CA certificate used for SSL inspection is not trusted by the clients. Even if the firewall policy allows the traffic and the certificate is trusted on the clients, if the CA certificate used to generate the inspection certificate is not trusted, the clients will not trust the certificate presented by the firewall, resulting in HTTPS access failures.
Q2 (easy)

Which FortiGate feature allows you to block access to specific URL categories such as 'Social Media' or 'Gambling'?

A

Web Filtering

Web Filtering is used to block or allow based on URL categories.

B

Antivirus

C

Intrusion Prevention System (IPS)

D

Application Control

Why: FortiGate's Web Filtering feature uses URL rating and category databases (e.g., FortiGuard) to block access to entire categories like 'Social Media' or 'Gambling' based on the destination URL. This is distinct from content inspection; it operates at the HTTP/HTTPS request level by matching the requested URL against predefined or custom category lists.
Q3 (hard)

An administrator configured SSL inspection with the 'deep-inspection' profile. Users report that some websites fail to load with certificate errors. The firewall policy is correct. What is the most likely reason?

A

The CA certificate has expired.

B

The web server uses a cipher that the FortiGate cannot re-encrypt.

Some ciphers may not be supported for re-encryption, causing errors.

C

The user's browser is outdated.

D

The firewall needs a policy to allow DNS traffic.

Why: When deep-inspection is used, the FortiGate decrypts the client-to-server traffic, inspects the content, and then re-encrypts it before forwarding to the client. If the web server uses a cipher suite that the FortiGate does not support for re-encryption (e.g., an obsolete or non-standard cipher), the FortiGate cannot complete the SSL handshake with the client, causing certificate errors or connection failures. This is the most likely reason because the firewall policy is correct and the CA certificate is valid.
Q4 (easy)

When configuring SSL inspection, which type of inspection decrypts and inspects all HTTPS traffic including applications using non-standard ports?

A

SSL Offloading

B

Certificate Inspection

C

Full SSL Inspection (Deep Inspection)

Deep inspection decrypts and inspects all traffic.

D

Flow-based Inspection

Why: Full SSL Inspection (Deep Inspection) is the correct answer because it performs a man-in-the-middle decryption and re-encryption of all HTTPS traffic, regardless of the port used. This allows the FortiGate to inspect the payload of encrypted sessions, including those on non-standard ports, for threats and policy violations.
Q5 (medium)

A company wants to block downloads of executable files via HTTP and HTTPS while allowing other content. Which combination of security profiles should be applied to the firewall policy?

A

Web Filtering and Antivirus

Web filtering blocks file types, antivirus scans for malware.

B

Application Control and Antivirus

C

Web Filtering and IPS

D

DNS Filtering and Web Filtering

Why: To block executable file downloads over HTTP and HTTPS while allowing other content, a Web Filtering profile is required to filter based on URL category or content type, and an Antivirus profile is needed to scan and block files (such as .exe) within the HTTP/HTTPS stream. The Antivirus profile can detect and block executable files by file signature or MIME type, while Web Filtering controls access to download sites or file types. Together, they provide layered defense against malicious executable downloads without affecting other web content.
Q6 (medium)

After enabling SSL inspection, a user receives a warning 'The certificate is not trusted' in the browser. The administrator has installed the CA certificate on the client. What else could be the cause?

A

The firewall policy denies the traffic.

B

The CA certificate is not added to the browser's trusted root store.

The CA must be trusted by the browser.

C

The FortiGate is not decrypting the traffic.

D

The web server's certificate has expired.

Why: Even though the administrator installed the CA certificate on the client, the browser uses its own trusted root store, which is separate from the operating system's certificate store. If the CA certificate is not specifically added to the browser's trusted root store (e.g., Chrome uses the system store but Firefox maintains its own), the browser will still flag the certificate as untrusted. This is a common misconfiguration when deploying SSL inspection with FortiGate.


Domain 5: High Availability and Diagnostics

All High Availability and Diagnostics questions
Q1 (medium)

A network engineer is configuring an SD-WAN rule to steer voice traffic to the MPLS link with the lowest latency. The SLA target is set to latency < 50 ms and jitter < 10 ms. However, the MPLS link occasionally exceeds the latency threshold. What should the engineer do to ensure voice traffic uses the best available link without manual intervention?

A

Remove the latency performance SLA and rely only on jitter.

B

Configure the SD-WAN rule with a secondary strategy to use the broadband link when SLA is not met.

Correct; this allows automatic failover to the broadband link when MPLS fails SLA.

C

Increase the jitter threshold to 15 ms to avoid SLA violations.

D

Disable SLA enforcement on the SD-WAN rule so voice traffic always uses the MPLS link.

Why: Option B is correct because configuring a secondary strategy (e.g., fallback to broadband) allows the SD-WAN rule to automatically steer voice traffic to the best available link when the primary MPLS link fails the SLA (latency > 50 ms). This ensures continuous SLA compliance without manual intervention, leveraging Fortinet's SD-WAN dynamic path selection based on real-time performance metrics.
Q2 (easy)

An administrator has two FortiGate units in an active-passive HA cluster. The cluster is configured to use the heartbeat interface port3. During a failover test, the primary unit fails but the secondary does not take over. What is the most likely cause?

A

The secondary unit has an override enabled.

B

The heartbeat interface (port3) is down on the secondary unit.

Correct; heartbeat loss prevents failover.

C

Session pickup is disabled on the cluster.

D

The HA uptime on the secondary is less than the primary.

Why: In an active-passive HA cluster, the secondary unit monitors the primary's health via the heartbeat interface. If the heartbeat interface (port3) is down on the secondary, it cannot receive or send heartbeat packets, so it will not detect the primary's failure and will not initiate a failover. This is the most direct cause of the secondary not taking over.
Q3 (hard)

A company has two remote sites connected via an SD-WAN overlay. The headquarters uses a FortiGate with two WAN links: Fiber (priority 1) and LTE (priority 2). The SD-WAN rule for business-critical traffic uses the 'best quality' strategy with SLA targets for latency and jitter. The fiber link occasionally experiences high jitter but low latency. The engineer notices that traffic is not failing over to LTE even when jitter exceeds the threshold. What is the most likely reason?

A

The performance SLA for jitter is not configured, only latency.

Correct; only configured SLA targets are measured for failover.

B

The SD-WAN rule has SLA match set to 'either' instead of 'all'.

C

The LTE link has a higher cost and is not considered for failover.

D

The fiber link has a higher interface weight.

Why: Option A is correct because the SD-WAN rule uses the 'best quality' strategy, which selects the best link based on configured SLA metrics. If only latency is configured in the performance SLA, jitter exceeding the threshold will not trigger a failover, as the SLA only evaluates the configured metrics. The fiber link may still meet the latency SLA, so traffic remains on it despite high jitter.
Q4 (easy)

In an active-active HA cluster, which of the following must be identical on both FortiGate units?

A

HA priority

B

Management IP address

C

Virtual cluster ID

Correct; virtual cluster ID must match.

D

Hostname

Why: In an active-active HA cluster, the virtual cluster ID must be identical on both FortiGate units because it defines the cluster group and ensures that only units with the same ID can form an HA cluster. This ID is used in heartbeat packets to verify cluster membership and prevent accidental merging of separate clusters. Without a matching virtual cluster ID, the units will not recognize each other as part of the same HA group.
Q5 (medium)

An SD-WAN rule is configured with a 'manual' strategy and multiple members. The engineer wants to ensure that voice traffic always uses the MPLS link as long as it meets the SLA, otherwise use the broadband link. Which configuration is required?

A

Set the strategy to 'volume' and configure MPLS as preferred.

B

Set the manual strategy with MPLS as first member and enable SLA check.

Correct; manual strategy with SLA check will use the first member if SLA is met, otherwise the next.

C

Use 'load balancing' strategy and assign MPLS a higher weight.

D

Set the strategy to 'best quality' and set MPLS with highest priority.

Why: Option B is correct because a manual strategy with ordered members and an SLA check allows the SD-WAN rule to first attempt the MPLS link; if the SLA is met, traffic uses MPLS, and if the SLA fails, the rule automatically fails over to the next member (broadband). This directly implements the engineer's requirement of 'MPLS if SLA met, otherwise broadband.'
Q6 (medium)

Which TWO statements about FortiGate HA heartbeat interfaces are correct?

A

Heartbeat interfaces must be in the same VDOM.

B

Heartbeat interfaces must be dedicated management ports.

C

Heartbeat interfaces must be on the same subnet.

Correct; heartbeat requires L2 connectivity.

D

Heartbeat traffic is not encrypted by default.

Correct; encryption must be explicitly enabled.

E

Only two heartbeat interfaces can be configured.

Why: Option C is correct because FortiGate HA heartbeat interfaces must be on the same subnet to allow the heartbeat packets (typically UDP port 496) to be exchanged directly between the primary and secondary units. This ensures Layer 2 adjacency is maintained for reliable failure detection and synchronization.


Frequently asked questions

How many questions are on the NSE4 exam?

The NSE4 exam has 60 questions and must be completed in 105 minutes. The passing score is 650/1000.

What types of questions appear on the NSE4 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are NSE4 questions organised by domain?

The exam covers 5 domains: System and Network Administration, Firewall Policies and NAT, Authentication and VPN, Security Profiles, High Availability and Diagnostics. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual NSE4 exam questions?

No. These are original exam-style practice questions written against the official Fortinet NSE4 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
