Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsNSE4Flashcards
Free — No Signup RequiredFortinet· Updated 2026

NSE4 Flashcards — Free Fortinet NSE 4 Network Security Professional NSE4 Study Cards

Reinforce NSE4 concepts with active-recall study cards covering all 5 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.

1000+ study cards5 domains coveredActive recall methodFull explanations included
Start 30-card session50-card shuffle
Exam OverviewPractice TestMock ExamStudy GuideFlashcards

Study Sessions

NSE4 Flashcards

Pick a session size:

⚡Quick 10📝20 Cards🎯30 Cards📊50 Cards💪100 Cards
1,000+ cards · All free

Domains

System and Network Administration
Firewall Policies and NAT
Authentication and VPN
Security Profiles
High Availability and Diagnostics

How to use NSE4 flashcards effectively

Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For NSE4 preparation, this means flashcards are one of the highest-return study tools available.

Attempt recall first

Read the NSE4 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.

Review wrong cards again

When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.

Study by domain

Group your NSE4 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real NSE4 exam requires.

Short sessions beat marathon reviews

20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass NSE4.

NSE4 flashcard preview

Sample cards from the NSE4 flashcard bank. Read the question, think of the answer, then read the explanation below.

1

A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?

System and Network Administration

config system admin; edit admin; set trusthost 192.168.1.0 255.255.255.0; end

Option A is correct because the `config system admin` command with `set trusthost` restricts administrative login attempts to only the specified source IP address or subnet. By setting `trusthost 192.168.1.0 255.255.255.0`, the FortiGate will only allow admin access from the 192.168.1.0/24 network, blocking all other sources. This is the foundational step to enforce source-based access control for administrative interfaces.

2

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

Firewall Policies and NAT

The firewall does not have a route to the 10.0.0.0/8 network

The most likely cause is that the firewall does not have a route to the 10.0.0.0/8 network. Even though the policy is enabled and correctly positioned, the firewall must have a return route to the source network (10.0.0.0/8) for the web server's response traffic to reach the users. Without this route, the firewall drops the return packets, causing connectivity failure for those specific users.

3

A remote user reports that they can connect to the FortiGate SSL VPN portal but cannot access internal resources. The administrator checks the SSL VPN settings and sees that the tunnel mode is enabled with split tunneling. What is the most likely cause?

Authentication and VPN

The routing table on the client is missing the internal network routes.

With split tunneling enabled, the FortiGate SSL VPN portal connection succeeds, but the client's routing table does not automatically include routes for the internal network. Without those routes, traffic to internal resources is sent to the default gateway instead of through the VPN tunnel, causing access failure. This is the most likely cause because the user can authenticate and establish the tunnel but cannot reach internal subnets.

4

A network administrator notices that users cannot access HTTPS websites after enabling SSL inspection. The firewall policy allows the traffic, and the certificate is trusted on the clients. What is the most likely cause?

Security Profiles

The CA certificate used for SSL inspection is not trusted by the clients.

Option A is correct because the most likely cause is that the CA certificate used for SSL inspection is not trusted by the clients. Even if the firewall policy allows the traffic and the certificate is trusted on the clients, if the CA certificate used to generate the inspection certificate is not trusted, the clients will not trust the certificate presented by the firewall, resulting in HTTPS access failures.

5

A network engineer is configuring an SD-WAN rule to steer voice traffic to the MPLS link with the lowest latency. The SLA target is set to latency < 50 ms and jitter < 10 ms. However, the MPLS link occasionally exceeds the latency threshold. What should the engineer do to ensure voice traffic uses the best available link without manual intervention?

High Availability and Diagnostics

Configure the SD-WAN rule with a secondary strategy to use the broadband link when SLA is not met.

Option B is correct because configuring a secondary strategy (e.g., fallback to broadband) allows the SD-WAN rule to automatically steer voice traffic to the best available link when the primary MPLS link fails the SLA (latency > 50 ms). This ensures continuous SLA compliance without manual intervention, leveraging Fortinet's SD-WAN dynamic path selection based on real-time performance metrics.

6

Refer to the exhibit. A network administrator configured an IPsec VPN between the main office and a branch office. Remote users at the branch office report that they cannot access resources in the main office. The tunnel status shows up on both sides. What is the most likely cause of the connectivity issue?

The phase2 configuration does not specify the local and remote subnets to protect.

Option C is correct because the phase2 configuration in an IPsec VPN must explicitly define the local and remote subnets (proxy IDs) that the tunnel is meant to protect. Without these subnets, the IPsec security associations (SAs) cannot be established for the actual traffic, even if the tunnel status shows as up (phase1 is complete). The tunnel status only indicates that IKE phase1 negotiation succeeded, but without phase2 proxy IDs, no traffic will be encrypted or routed through the tunnel, causing connectivity failures.

7

A company wants to allow FTP (TCP ports 20-21) from their internal network (192.168.1.0/24) to a specific external server (203.0.113.50). They also need to inspect FTP traffic for viruses. What should the admin configure?

Create a policy from internal to external with service FTP and enable antivirus

FTP traffic can be inspected by applying an antivirus profile directly to a regular firewall policy. An explicit proxy policy is not required; a simple policy from internal to external with FTP service and antivirus enabled is sufficient. Therefore, option A is correct.

8

Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?

The SSH connection will succeed because policy 1 allows all services before policy 2 is evaluated.

Policy 1 is an implicit allow-all rule that matches all traffic before policy 2 is evaluated. Since FortiGate processes policies in sequential order from top to bottom, the SSH connection to 203.0.113.10 matches policy 1 first, which permits all services, including SSH. Therefore, the connection succeeds without ever reaching policy 2.

9

Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?

The policy is missing the 'set inspection-mode proxy' command.

Option A is correct because the policy is missing the 'set inspection-mode proxy' command. FortiGate requires proxy-based inspection mode to perform SSL/TLS interception; flow-based inspection cannot decrypt or re-encrypt HTTPS traffic. Without this command, the policy defaults to flow-based mode, causing SSL inspection to fail even if the ssl-ssh-profile is set to deep-inspection.

10

A company is deploying FortiGate for outbound web filtering. They want to block users from accessing social media sites during business hours, but still allow access to cloud-based productivity tools like Office 365. Which approach should the administrator use to meet this requirement?

Configure an application control profile with rules to block social media applications and allow Office 365 applications.

Application control is the correct approach because it can identify and control applications like social media and Office 365 based on their unique signatures, regardless of the ports or protocols they use. Unlike URL filtering or port blocking, application control can differentiate between Office 365 traffic and social media traffic even when both use HTTPS on TCP 443, allowing the administrator to block social media while permitting cloud productivity tools.

11

Refer to the exhibit. An administrator has created an IPS sensor with two entries. The first entry sets severity 'medium' and action 'block'. The second entry sets severity 'critical' and action 'block'. What will happen when a packet triggers an IPS signature with severity 'low'?

The packet will be allowed (pass).

The IPS sensor in the exhibit defines rules only for severity 'medium' and 'critical', both with action 'block'. When a packet triggers a signature with severity 'low', it does not match any entry in the sensor. Therefore, the default action for unmatched signatures is to allow (pass) the traffic. FortiGate IPS sensors apply actions only to explicitly configured severity levels; unlisted severities are not affected.

12

An administrator needs to configure a FortiGate to allow web traffic from the internal network to the Internet. The internal network is 192.168.1.0/24 and the WAN interface is port1 with IP 203.0.113.1. Which firewall policy is correct?

Source: internal, Destination: port1, Service: HTTP/HTTPS, Action: ACCEPT

Option A is correct because the firewall policy must match traffic originating from the internal network (source: internal) destined for the Internet via the WAN interface (destination: port1), and the service must be restricted to HTTP/HTTPS to allow web traffic only. The action ACCEPT permits the traffic. This aligns with the standard stateful inspection flow where source and destination interfaces are defined based on traffic direction.

13

Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?

The gateway 203.0.113.1 (port1) is unreachable

When a FortiGate has multiple default routes, it uses the route with the lowest distance (administrative distance) as the primary route. If the gateway for the primary route (203.0.113.1 on port1) is unreachable, the FortiGate will not be able to reach 8.8.8.8, even if a secondary default route exists. The ping fails because the device cannot ARP for the gateway or the next-hop is down, causing the route to be inactive.

14

A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?

No NAT policy is configured for internal users

The administrator confirmed that the FortiGate itself can reach the Internet (ping 8.8.8.8 succeeds), so the default route and basic connectivity are working. However, internal users behind NAT cannot reach external servers, which indicates that traffic from internal users is either not being translated or is being blocked. The most likely cause is that no NAT policy (or firewall policy with NAT enabled) exists to perform source NAT for internal users, so their private IP addresses are not translated to the FortiGate's public IP, and the ISP gateway drops the packets because private addresses are not routable on the Internet.

15

A FortiGate HA cluster is set to active-active mode. The administrator notices that session synchronization is enabled but some sessions are not being synced between cluster units. Which of the following is a likely cause for incomplete session synchronization in active-active mode?

The 'set session-sync-id' is not configured or mismatched between cluster units

The correct answer is B. In active-active HA mode, session synchronization requires that the 'session-sync-id' be configured and match on all cluster units. If this ID is not set or mismatched, the cluster will not properly synchronize sessions. Option A is incorrect: unicast heartbeat affects heartbeat communication, not session sync. Option C is incorrect: heartbeat interface speed does not affect session synchronization. Option D is incorrect: HA override controls failover behavior, not session sync.

16

An administrator wants to view real-time debug output for traffic flowing through a FortiGate. Which command should they use to enable flow tracing with a specific source IP filter?

diagnose debug flow filter src

Option B is correct. The command 'diagnose debug flow filter src' sets a source IP filter for flow debugging, allowing real-time debug output for traffic from a specific source IP. 'diagnose debug enable' enables debug output but does not set filters; 'diagnose sys session filter src' filters session table listings, not flow traces; 'diagnose sniffer packet filter src' sets a filter for packet sniffing, not flow tracing.

17

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

The firewall does not have a route to the 10.0.0.0/8 network

The most likely cause is that the firewall does not have a route to the 10.0.0.0/8 network. Even though the policy is enabled and correctly positioned, the firewall must have a return route to the source network (10.0.0.0/8) for the web server's response traffic to reach the users. Without this route, the firewall drops the return packets, causing connectivity failure for those specific users.

18

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

The authentication session will expire, and the user must re-authenticate for new traffic

Option D is correct because the authentication idle timeout of 30 minutes governs the authentication session, not the firewall session. Once the user 'jsmith' has been idle for 30 minutes, the authentication session expires. Any new HTTP traffic from 10.0.0.0/24 to 192.168.1.10 will then require re-authentication, as the firewall policy enforces authentication for that traffic. The existing firewall session may persist briefly, but it will not allow new traffic without a valid authentication entry.

19

A company with multiple remote sites uses IPsec VPNs. One site reports intermittent connectivity. The administrator checks the logs and sees 'IPsec phase 2 negotiation failed' messages. Which configuration change is most likely to resolve the issue?

Enable Dead Peer Detection (DPD) on the Phase 1 interface.

Intermittent IPsec phase 2 negotiation failures often occur when one peer's Phase 2 security association (SA) expires while the other peer still considers it valid, causing a mismatch. Enabling Dead Peer Detection (DPD) on the Phase 1 interface allows the FortiGate to actively probe the peer's liveness and renegotiate Phase 1 and Phase 2 SAs before they expire, preventing the state mismatch that leads to intermittent failures.

20

A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?

A process such as the IPS engine is stuck in an infinite loop.

When CPU usage remains high (above 80%) with no traffic, the most likely cause is a process stuck in an infinite loop, such as the IPS engine. This is a known software bug or process hang that consumes CPU cycles even without network traffic, and it can be verified using 'diagnose sys top' to identify the offending process.

21

An administrator configures a dial-up IPsec VPN with IKEv2 to allow remote users to connect. The Phase 1 is set to use certificate-based authentication (PKI). Users can establish Phase 1, but Phase 2 fails with 'no proposal chosen'. The administrator checks the Phase 2 proposal: AES256-SHA256, and the remote network is 10.0.0.0/8 (the corporate LAN). What is the MOST likely cause?

The remote network in Phase 2 is set to 10.0.0.0/8

The most likely cause is that the remote network (client subnet) in the Phase 2 configuration on the VPN gateway is set to 10.0.0.0/8 instead of the correct value (0.0.0.0/0) for dial-up clients. Since Phase 1 succeeds, authentication and encryption settings are correct. The 'no proposal chosen' error in Phase 2 indicates a traffic selector mismatch: the server expects the client's IP to be within the 10.0.0.0/8 range, but the client's actual IP typically falls outside that subnet. Therefore, the Phase 2 negotiation fails.

22

An administrator needs to configure a FortiGate to send logs to two different syslog servers for redundancy. Which configuration method should be used?

Under 'config log syslogd setting', set 'status enable' and then add multiple servers using 'set server <ip1> <ip2>'.

Option A is correct because FortiGate's syslog configuration allows you to specify multiple syslog servers in a single 'config log syslogd setting' block by using the 'set server' command with a space-separated list of IP addresses. This enables redundant log delivery without requiring separate configuration blocks or external devices. The FortiGate will attempt to send logs to the first server; if it fails, it automatically fails over to the next server in the list.

23

A large enterprise is deploying a FortiGate 600F as the perimeter firewall. The security team requires that all administrative access (SSH, HTTPS, and Ping) to the FortiGate must be restricted to a dedicated management network (10.10.10.0/24). Additionally, any failed login attempt from outside the management network should be logged and the source IP should be blocked for 30 minutes. The administrator has configured a local-in policy to deny all administrative access from non-management networks and enabled logging. However, the administrator wants to automatically block the offending IPs. The FortiGate is not connected to any FortiAnalyzer or FortiManager. What should the administrator do to achieve this?

Create an automation stitch that triggers on local-in policy logging and adds the source IP to a blocked list via CLI script.

Option A is correct because an automation stitch can directly react to local-in policy log events by executing a CLI script that adds the offending source IP to a local banned user list (e.g., via `diagnose user banned-ip add`). This provides automatic, immediate blocking without requiring external devices like FortiAnalyzer, and the 30-minute duration can be set via the ban-time parameter in the script or the local-in policy's block-session-ttl.

Study all 1000+ NSE4 cards

NSE4 flashcards by domain

The NSE4 flashcard bank covers all 5 official blueprint domains published by Fortinet. Cards are distributed proportionally, so domains with higher exam weight have more cards.

Domain Coverage

System and Network Administration

~1 cards

Firewall Policies and NAT

~1 cards

Authentication and VPN

~1 cards

Security Profiles

~1 cards

High Availability and Diagnostics

~1 cards

Flashcards vs practice tests: which is better for NSE4?

Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:

Flashcards — concept retention

Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that NSE4 questions assume you know.

Best in: weeks 1–3

Practice tests — application

Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.NSE4 questions test scenario reasoning — not just recall — so practice tests are essential.

Best in: weeks 3–6

The most effective NSE4 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.

NSE4 flashcards — frequently asked questions

Are the NSE4 flashcards free?

Yes. Courseiva provides free NSE4 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.

How many NSE4 flashcards are on Courseiva?

Courseiva has 1000+ original NSE4 flashcards across all 5 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Fortinet exam objectives.

How are Courseiva flashcards different from Anki or Quizlet?

Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official NSE4 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.

Can I use NSE4 flashcards offline?

Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.

Free forever · No credit card required

Track your NSE4 flashcard progress

Save your results, see which domains need more work, and get spaced repetition recommendations — all free.

Sign Up Free

Free forever · Every certification included

Start Studying

⚡Quick 10 cards📝20-card session🎯30-card session📊50-card shuffle💪100-card marathon

Also Study With

Practice TestMock ExamStudy GuideExam Domains