NSE4 Authentication and VPN — All Questions With Answers

Complete NSE4 Authentication and VPN question bank — all 0 questions with answers and detailed explanations.

186 questions · Free · No signup

Question 1 (easy, multiple choice)

A remote user reports that they can connect to the FortiGate SSL VPN portal but cannot access internal resources. The administrator checks the SSL VPN settings and sees that the tunnel mode is enabled with split tunneling. What is the most likely cause?

Question 2 (medium, multiple choice)

An administrator is configuring a site-to-site IPsec VPN between two FortiGates. After applying the configuration, the VPN status shows 'down'. Phase 1 parameters are identical on both sides. What is the most likely cause of the failure?

Question 3 (hard, multiple choice)

A company with multiple remote sites uses IPsec VPNs. One site reports intermittent connectivity. The administrator checks the logs and sees 'IPsec phase 2 negotiation failed' messages. Which configuration change is most likely to resolve the issue?

Question 4 (easy, multiple choice)

An administrator is troubleshooting an SSL VPN connection issue. Users can authenticate but receive 'No available tunnel' error. What is the most likely cause?

Question 5 (medium, multi select)

A site-to-site IPsec VPN is configured with IKEv2. The tunnel establishes but traffic does not pass. Which two troubleshooting steps should the administrator perform first?

Question 6 (hard, multi select)

A FortiGate administrator is designing an SSL VPN solution for 500 remote users. The users need full network access. Which two design considerations are most important?

Question 7 (easy, multi select)

An administrator is configuring a dialup IPsec VPN for remote users. Which two settings must be configured on the FortiGate to allow clients to connect?

Question 8 (hard, multiple choice)

A company has a FortiGate at headquarters running FortiOS 7.2 and a remote office with a FortiGate 60F running FortiOS 7.0. They have an IPsec VPN tunnel between them for site-to-site connectivity. Recently, the remote office upgraded their FortiGate from 6.4 to 7.0. After the upgrade, the VPN tunnel is down. The Phase 1 status shows 'negotiating' but never completes. The administrator has verified that the pre-shared key, IKE version (IKEv2), and authentication method are the same on both sides. The Phase 1 proposal on the headquarters is: encryption: AES256, SHA256, DH group 14, lifetime 86400. The remote office uses: encryption: AES256, SHA1, DH group 14, lifetime 86400. What is the most likely cause of the failure?

Question 9 (medium, multiple choice)

A company wants to provide remote access to internal resources for employees using laptops that may connect from untrusted networks. The security team requires that all traffic between the remote users and the corporate network be encrypted, and that users must authenticate using a username/password plus a one-time passcode from a hardware token. Which FortiGate VPN solution best meets these requirements?

Question 10 (hard, multi select)

Which TWO are best practices for configuring IPsec VPN on FortiGate to ensure high availability and security?

Question 11 (easy, multiple choice)

Refer to the exhibit. A network administrator configured an IPsec VPN between the main office and a branch office. Remote users at the branch office report that they cannot access resources in the main office. The tunnel status shows up on both sides. What is the most likely cause of the connectivity issue?

Exhibit

config vpn ipsec phase1-interface
    edit "to_Branch"
        set interface "wan1"
        set ike-version 2
        set keylife 86400
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgroup 14
        set remote-gw 203.0.113.5
        set psksecret ENC ...
    next
end
config vpn ipsec phase2-interface
    edit "to_Branch_p2"
        set phase1name "to_Branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

Question 12 (medium, drag order)

Drag and drop the steps to upgrade FortiGate firmware via the web interface into the correct order.

Question 13 (medium, matching)

Match each FortiGate VPN type to its characteristic.

Matches

Connects two networks over the internet securely

Provides remote access via web browser or client software

Legacy VPN protocol with weaker security

Combines Layer 2 tunneling with IPsec encryption

Auto-discovery VPN that dynamically establishes shortcuts

Question 14 (medium, multiple choice)

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. Phase 1 is up, but Phase 2 fails to establish. The debug command 'diagnose vpn ike log' shows: 'no suitable proposal found'. What is the most likely cause?

Question 15 (hard, multiple choice)

You run 'diagnose sys session filter dport 443' and see the following output:

    proto=6 proto_state=01 duration=3600 expire=3599

What does this indicate?

Question 16 (easy, multiple choice)

An organization wants to use FortiToken for two-factor authentication on SSL VPN logins. Which authentication method must be enabled on the FortiGate to support this?

Question 17 (medium, multiple choice)

A FortiGate is configured with FSSO for firewall authentication. Users report they are prompted for credentials every time they access the internet, even though they are logged into the domain. What is the most likely cause?

Question 18 (hard, multiple choice)

An administrator configures a dial-up IPsec VPN using IKEv2 with certificates. Remote users can connect, but traffic is not routed through the tunnel. The Phase 1 status shows 'up', but Phase 2 shows 'down'. What is the most likely issue?

Question 19 (medium, multiple choice)

A company wants to use captive portal authentication on a guest Wi-Fi network. The FortiGate is connected to the switchport of the access point. Which firewall configuration is required to redirect unauthenticated users to the captive portal?

Question 20 (easy, multiple choice)

What is the primary difference between route-based and policy-based IPsec VPNs on a FortiGate?

Question 21 (medium, multiple choice)

An administrator configures an SSL VPN portal with web mode and split tunneling enabled. Remote users can access internal web applications but cannot reach the internet through the VPN. What needs to be checked?

Question 22 (medium, multiple choice)

While troubleshooting an IPsec VPN, you run 'diagnose vpn ike config' and see that the output includes 'peer-id: any'. What does this mean?

Question 23 (hard, multiple choice)

A FortiGate is configured in an HA active-passive cluster. When the active unit fails, the passive unit takes over, but IPsec VPN tunnels fail to re-establish. The configuration is synchronized. What is the most likely cause?

Question 24 (easy, multiple choice)

What is the purpose of a 'realm' in FortiGate SSL VPN configuration?

Question 25 (medium, multiple choice)

An administrator wants to use ZTNA (Zero Trust Network Access) to secure access to an internal application. Which component is required on the client device to enforce ZTNA policies?

Question 26 (medium, multi select)

An administrator needs to configure a hub-and-spoke IPsec VPN topology. Which TWO settings must be configured on the hub FortiGate to allow spokes to communicate with each other through the hub?

Question 27 (hard, multi select)

A FortiGate administrator is troubleshooting an SSL VPN issue where users can authenticate but cannot access any internal resources. The SSL VPN status shows 'connected'. Which THREE commands or actions should be used to diagnose the problem?

Question 28 (medium, multi select)

An organization uses LDAP authentication for firewall policies. Users complain that they are frequently prompted for credentials. Which TWO settings can reduce the frequency of authentication prompts?

Question 29 (medium, multiple choice)

A network administrator configures an IPsec VPN between two FortiGate devices. Phase 1 completes successfully, but Phase 2 fails to establish. The administrator runs 'diagnose vpn ike log' and sees the error 'proposal mismatch'. What is the MOST likely cause?

Question 30 (hard, multiple choice)

A FortiGate administrator is troubleshooting a dial-up IPsec VPN where remote users can connect but traffic does not pass. The Phase 1 and Phase 2 status show 'up'. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. However, 'diagnose sys session list' shows no sessions for the remote user's IP. What is the MOST likely cause?

Question 31 (easy, multiple choice)

A FortiGate administrator wants to authenticate VPN users against an existing LDAP server. The administrator creates an LDAP user group on the FortiGate. What additional configuration is REQUIRED to use this group for IPsec VPN authentication?

Question 32 (medium, multiple choice)

An administrator receives a report that some users cannot authenticate via captive portal on a FortiGate. The captive portal is configured for firewall authentication. The administrator checks the authentication logs and sees 'Authentication failed: invalid credentials'. However, the users confirm they are entering the correct username and password. What is the MOST likely cause?

Question 33 (medium, multiple choice)

A FortiGate administrator is configuring an SSL VPN web mode portal. The administrator wants users to access only a specific internal web application (https://internal-app.company.local) and nothing else. Which SSL VPN setting should be configured to achieve this?

Question 34 (hard, multiple choice)

A FortiGate administrator is configuring a route-based IPsec VPN between two FortiGate devices. After setting up the tunnel and firewall policies, traffic does not flow. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. 'get router info routing-table all' shows routes on both sides. However, pings from the local network to the remote network fail. What is the MOST likely cause?

Question 35 (easy, multiple choice)

Which authentication method allows a FortiGate to transparently authenticate users based on their Active Directory login events without prompting for credentials?

Question 36 (medium, multiple choice)

A FortiGate admin is troubleshooting an IPsec VPN tunnel that fails to establish. The remote site uses aggressive mode. The local FortiGate is configured for main mode. The admin sees 'no proposal chosen' in the IKE debug. What is the MOST likely cause?

Question 37 (easy, multiple choice)

A FortiGate administrator wants to enforce two-factor authentication for SSL VPN users. The organization uses FortiToken mobile tokens. What must be configured on the FortiGate to enable FortiToken authentication?

Question 38 (hard, multiple choice)

A FortiGate administrator is configuring ZTNA to secure access to an internal application. The administrator creates a ZTNA access proxy and a ZTNA rule. However, users connecting from the internet receive a 403 Forbidden error. The administrator verifies that the users are authenticated and the application is reachable. What is the MOST likely cause?

Question 39 (medium, multiple choice)

An administrator runs 'diagnose debug application fnbamd -1' on a FortiGate to troubleshoot authentication issues. The output shows that the FortiGate successfully contacts the LDAP server but the user authentication fails. What does this indicate?

Question 40 (medium, multiple choice)

A FortiGate admin is configuring a hub-and-spoke IPsec VPN. The hub has multiple phase 2 configurations for each spoke. The spokes can communicate with the hub but not with each other. The admin wants to allow spoke-to-spoke traffic through the hub. Which configuration change is required on the hub?

Question 41 (medium, multi select)

A FortiGate administrator is configuring an SSL VPN tunnel mode for remote users. The administrator wants to ensure that only traffic destined for the corporate network (192.168.1.0/24) goes through the VPN, and all other traffic (e.g., internet) goes directly from the user's device. Which TWO configuration steps are required?

Question 42 (hard, multi select)

A FortiGate administrator is troubleshooting an IPsec VPN between two FortiGates. The tunnel is established, but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees the following output:

    IKE: phase 2 negotiation completed
    IKE: IPsec SA up

What THREE possible causes should the administrator investigate?

Question 43 (medium, multi select)

A FortiGate administrator is configuring FSSO to authenticate users transparently. The FSSO collector agent is installed on a Windows server in the domain. Which TWO requirements must be met for FSSO to work correctly?

Question 44 (medium, multiple choice)

You are troubleshooting an IPsec VPN between two FortiGates. Phase 1 is up, but Phase 2 is not coming up. You check the Phase 2 configuration on both sides. What is a common cause of this issue?

Question 45 (easy, multiple choice)

A FortiGate administrator wants to configure a captive portal to authenticate users before granting network access. Which authentication method is used by the captive portal?

Question 46 (hard, multiple choice)

A FortiGate administrator runs 'diagnose vpn tunnel list' and sees the following output for an IPsec tunnel: 'status: up', 'incoming: 0 packets', 'outgoing: 100 packets'. Phase 1 and Phase 2 both show state 'up'. What is the MOST likely cause of zero incoming packets?

Question 47 (medium, multiple choice)

A FortiGate admin has configured FSSO (Fortinet Single Sign-On) using Active Directory polling. Users authenticate to the domain but when accessing the internet through the FortiGate, they are still prompted for credentials. What is the MOST likely cause?

Question 48 (easy, multiple choice)

Which authentication server type can be used with FortiGate to authenticate remote VPN users with two-factor authentication using FortiTokens?

Question 49 (medium, multiple choice)

An admin is configuring a dial-up IPsec VPN for remote users. The users will connect from various public IP addresses. Which Phase 1 configuration is required for the FortiGate to accept connections from unknown remote gateways?

Question 50 (hard, multiple choice)

You run 'diagnose debug application ike -1' and see the following output: 'Initiator: no acceptable proposal'. What is the MOST likely cause of this error?

Question 51 (easy, multiple choice)

In Fortinet ZTNA, what is the primary purpose of the ZTNA access proxy component?

Question 52 (medium, multiple choice)

An admin needs to configure an SSL VPN for remote users that only provides access to specific internal applications, not full network access. What feature should be configured?

Question 53 (hard, multiple choice)

A FortiGate administrator has configured a hub-and-spoke IPsec VPN. The hub FortiGate has two Phase 2 selectors with spokes, but traffic between spokes is not routed via the hub. What must be configured on the hub to allow spoke-to-spoke communication?

Question 54 (medium, multiple choice)

An administrator configures an LDAP user group for firewall authentication. Users are able to authenticate, but the FortiGate does not retrieve group membership information. What is likely misconfigured?

Question 55 (medium, multiple choice)

You are configuring a route-based IPsec VPN with BGP over the tunnel. After Phase 2 is up, the BGP session does not establish. You run 'diagnose debug ipsec' and see no errors. What should you check next?

Question 56 (medium, multi select)

An administrator is troubleshooting an SSL VPN connection. Users can connect but cannot access internal resources. Which TWO commands would help diagnose the issue?

Question 57 (hard, multi select)

A FortiGate is configured with FSSO and Active Directory polling. Users report that they are frequently prompted for authentication even though they are logged into the domain. Which THREE possible causes should the administrator investigate?

Question 58 (medium, multi select)

A network admin is configuring a hub-and-spoke VPN with three spokes. Which TWO statements are correct about route-based VPN in this topology?

Question 59 (medium, multiple choice)

A network admin configures a site-to-site IPsec VPN between two FortiGates using IKEv1 main mode. The tunnel establishes successfully, but no traffic passes. What is the MOST likely cause?

Question 60 (easy, multiple choice)

An admin needs to authenticate remote users connecting via SSL VPN. The users are in an Active Directory domain. Which authentication method should be configured on the FortiGate to allow users to log in with their domain credentials?

Question 61 (hard, multiple choice)

You run the command 'diagnose vpn ike log filter name vpn1' and then 'diagnose vpn ike log filter type phase1'. The log shows: 'IKEv1 exchange:f4470f07:00000000: responder: main mode: received IKE_SA_INIT (aggressive mode not allowed)'. What is the problem?

Question 62 (medium, multiple choice)

A FortiGate with multiple VDOMs is configured for FSSO with Active Directory polling. Users in VDOM1 are authenticated correctly, but users in VDOM2 are not. What should be checked FIRST?

Question 63 (medium, multiple choice)

An administrator wants to enable two-factor authentication for SSL VPN users using FortiToken. Which configuration is required on the FortiGate?

Question 64 (easy, multiple choice)

Which IPsec VPN mode uses IP addresses and ports to define interesting traffic, and requires a separate security policy for each tunnel?

Question 65 (hard, multiple choice)

You are troubleshooting an SSL VPN connection. The user can reach the SSL VPN portal but cannot ping or access any internal resources. The portal shows the user as authenticated. Which configuration is MOST likely missing?

Question 66 (easy, multiple choice)

What is the primary purpose of the captive portal feature on a FortiGate?

Question 67 (medium, multiple choice)

A FortiGate administrator is setting up a dial-up IPsec VPN for remote employees. Each employee uses a FortiClient. Which authentication method should be used to allow individual user identities?

Question 68 (medium, multiple choice)

You have a hub-and-spoke IPsec VPN with 10 spokes. The central FortiGate (hub) has 10 phase2 selectors, one for each spoke. You need to add a new spoke. What is the MOST efficient way to configure the hub?

Question 69 (hard, multiple choice)

After upgrading FortiOS, an IPsec VPN tunnel fails to come up. The diagnose output shows 'negotiation failed: no acceptable proposal'. The remote peer is a third-party device. Which step should you take first?

Question 70 (medium, multiple choice)

An admin wants users to authenticate once via AD and have their network access controlled without repeated logins. Which feature should be used?

Question 71 (medium, multi select)

A FortiGate administrator is troubleshooting an SSL VPN issue where remote users cannot access internal resources after successful authentication. Which TWO steps should the admin take to resolve the issue? (Select two.)

Question 72 (hard, multi select)

A company sets up a hub-and-spoke IPsec VPN where all spokes must communicate through the hub. The hub uses policy-based IPsec. Which THREE configurations are required on the hub to allow spoke-to-spoke traffic? (Select three.)

Question 73 (easy, multi select)

An organization wants to implement ZTNA (Zero Trust Network Access) on their FortiGate. Which TWO components are essential for ZTNA? (Select two.)

Question 74 (medium, multiple choice)

A network administrator has configured an IPsec VPN between two FortiGate devices. The Phase 1 proposal includes AES256-SHA256-DH14. The Phase 2 proposal includes AES128-SHA1. The VPN tunnel fails to establish. Which of the following is the MOST likely cause?

Question 75 (hard, multiple choice)

An administrator runs 'diagnose debug application ike -1' and sees the following output:

    ike 0:come to x.x.x.x:500, IKEv1, cookie 123456789abcdef0
    ike 0:incoming IKE packet: src y.y.y.y:500, dst x.x.x.x:500, len 456
    ike 0:send IKE packet: src x.x.x.x:500, dst y.y.y.y:500, len 456
    ike 0:phase 1 negotiation failed due to time out.

What is the likely cause?

Question 76 (easy, multiple choice)

An administrator wants to allow remote users to access internal resources using a web browser without installing any client software. Which VPN type should be configured on the FortiGate?

Question 77 (medium, multiple choice)

A company uses Active Directory for user authentication. They want users to automatically authenticate to the FortiGate without entering credentials when accessing the internet. Which authentication method should the administrator configure?

Question 78 (medium, multiple choice)

An administrator has configured an SSL VPN. Remote users can connect and authenticate but cannot access internal resources. The SSL VPN policy allows all traffic from the SSL VPN interface to internal servers. What is the MOST likely missing configuration?

Question 79 (hard, multiple choice)

An administrator is troubleshooting an IPsec VPN that fails to establish. The 'diagnose vpn ike log' shows 'initial contact received'. What does this message indicate?

Question 80 (easy, multiple choice)

Which of the following FortiGate features allows users to authenticate using a one-time password generated by a mobile app?

Question 81 (medium, multiple choice)

An administrator needs to configure a site-to-site IPsec VPN where both sites have dynamic public IP addresses. Which IKE mode should be used?

Question 82 (easy, multiple choice)

An administrator wants to restrict SSL VPN access to only users who have a valid client certificate issued by the company's internal CA. Which setting should be configured?

Question 83 (medium, multiple choice)

A FortiGate administrator has configured a route-based IPsec VPN. After Phase 2 is up, traffic is not passing. The administrator verifies that the firewall policy allows traffic and the routes are correct. What should the administrator check next?

Question 84 (hard, multiple choice)

An administrator is configuring ZTNA on a FortiGate. The goal is to allow access to an internal web server only if the client device has a specific security posture (e.g., antivirus running). Which ZTNA component is responsible for verifying the client's security posture?

Question 85 (medium, multiple choice)

An administrator has configured LDAP authentication on a FortiGate. When testing the LDAP connectivity, the test succeeds. However, users cannot authenticate through the captive portal. What is a possible cause?

Question 86 (medium, multi select)

An administrator is troubleshooting an IPsec VPN that is not passing traffic. Phase 1 and Phase 2 are both up. Which TWO CLI commands can be used to verify the VPN tunnel status and traffic flow? (Choose two.)

Question 87 (hard, multi select)

A company has multiple branch offices connected via IPsec VPN in a hub-and-spoke topology. They want to enable direct communication between branch offices without routing traffic through the hub. Which THREE configurations are required on the hub FortiGate? (Choose three.)

Question 88 (easy, multi select)

An administrator wants to configure two-factor authentication for SSL VPN users. Which TWO components must be configured? (Choose two.)

Question 89 (easy, multiple choice)

Which authentication method allows FortiGate to authenticate users against an Active Directory domain without storing domain credentials locally?

Question 90 (medium, multiple choice)

A remote user connects via SSL VPN web mode but cannot access internal resources. The SSL VPN portal is configured with the default settings. What is the most likely reason?

Question 91 (medium, multiple choice)

You run the following command on a FortiGate: diagnose vpn ike gateway list. The output shows a gateway with state=DOWN. What is the most likely cause?

Question 92 (hard, multiple choice)

A FortiGate is configured with IPsec VPN using IKEv2 and a policy-based tunnel. The remote subnet is 10.0.2.0/24, and the local subnet is 192.168.1.0/24. The tunnel is up, but traffic from 192.168.1.0/24 to 10.0.2.0/24 fails. The administrator checks the firewall policy and sees a policy allowing traffic from the local interface (port1) to the remote interface (virtual ipsec interface) with the action set to IPSEC. What is the most likely missing configuration?

Question 93 (easy, multiple choice)

What is the primary function of Fortinet Single Sign-On (FSSO) in a FortiGate deployment?

Question 94 (hard, multiple choice)

An administrator configures a dial-up IPsec VPN with IKEv1 main mode. Remote clients can connect successfully, but the administrator notices that the Phase 1 negotiation takes a long time. Which change would most improve the negotiation speed without compromising security?

Question 95 (medium, multiple choice)

A captive portal is configured on a FortiGate to authenticate users before allowing internet access. Users report that after entering credentials, they are redirected to the original website, but then they cannot access other sites. What is the most likely issue?

Question 96 (medium, multiple choice)

You run 'diagnose debug application sslvpn -1' and see the following output:

    sslvpn: SSL VPN tunnel mode connection from 10.0.0.5:12345 to 192.168.1.100:443
    sslvpn: User 'john' authenticated successfully
    sslvpn: Error: no matching policy for the request.

What does this indicate?

Question 97 (easy, multiple choice)

What is the purpose of a ZTNA (Zero Trust Network Access) tag on a FortiGate?

Question 98 (medium, multiple choice)

A FortiGate is configured as a hub in a hub-and-spoke IPsec VPN. The spokes are remote branches. The hub has a Phase 2 selector set to 0.0.0.0/0 for both local and remote subnets. What is the advantage of this configuration?

Question 99 (hard, multiple choice)

An administrator needs to implement two-factor authentication for SSL VPN access using FortiToken. Which configuration steps are required?

Question 100 (easy, multiple choice)

Which of the following is a characteristic of route-based IPsec VPN compared to policy-based IPsec VPN?

Question 101 (medium, multi select)

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. The tunnel is established, but traffic is not passing. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. Which two additional diagnostics should the administrator run to isolate the issue?

Question 102 (hard, multi select)

A company wants to implement SSL VPN split tunneling to allow remote users to access both internal resources and the internet directly. Which three configurations are required on the FortiGate?

Question 103 (medium, multi select)

An administrator is configuring Active Directory polling for FSSO. Which two components must be set up correctly for FSSO to work?

Question 104 (medium, multiple choice)

A network administrator configured an IPsec VPN between two FortiGates. Phase 1 is up, but Phase 2 fails to establish. The diagnose output shows 'no matching proposal'. What is the MOST likely cause?

Question 105 (easy, multiple choice)

A FortiGate admin wants to authenticate VPN users against an existing Microsoft Active Directory. Which authentication method should be configured on the FortiGate?

Question 106 (hard, multiple choice)

An SSL VPN user connects via web mode but cannot access internal resources. The admin checks the SSL VPN settings: tunnel mode is disabled, split tunneling is enabled, and the user's realm is configured correctly. What is the MOST likely cause?

Question 107 (medium, multiple choice)

A FortiGate is configured with FSSO to poll Active Directory for user logon events. Users report that their logins are not being detected. What is the FIRST step to troubleshoot?

Question 108 (easy, multiple choice)

Which IPsec VPN mode is typically used for site-to-site VPNs and is more secure because it negotiates Phase 1 in six messages?

Question 109 (medium, multiple choice)

A FortiGate admin is configuring a dial-up IPsec VPN for remote users. The users have dynamic IP addresses. Which Phase 1 configuration is appropriate?

Question 110 (hard, multiple choice)

A FortiGate administrator notices that the IPsec VPN tunnel is established but traffic is not passing. The firewall policy allowing traffic from the remote subnet to the local subnet is in place. What is the MOST likely cause?

Question 111 (medium, multiple choice)

A FortiGate admin configures a captive portal for guest users on a wireless network. Users can connect to the SSID but cannot access the internet. The admin verifies the firewall policy permits traffic from the captive portal interface to the internet. What is missing?

Question 112 (medium, multiple choice)

An administrator runs 'diagnose vpn ike config' and sees the output includes 'P2 proposals: aes128-sha256, aes256-sha1'. What does this indicate?

Question 113 (hard, multiple choice)

A FortiGate in a hub-and-spoke VPN topology has multiple spoke sites connecting via IPsec. The hub administrator wants to enable direct spoke-to-spoke communication without routing traffic through the hub. What technology should be used?

Question 114 (easy, multiple choice)

Which of the following is a benefit of using IKEv2 over IKEv1 for IPsec VPN?

Question 115 (medium, multiple choice)

A FortiGate admin configures a remote user for SSL VPN tunnel mode. The user can connect but cannot access resources on the internal network. The admin checks the SSL VPN settings: tunnel mode enabled, split tunneling disabled. What is the issue?

Question 116 (medium, multi select)

A FortiGate admin is troubleshooting an IPsec VPN where Phase 1 is up but Phase 2 fails to establish. Which TWO diagnostic commands would provide the most relevant information?

Question 117 (hard, multi select)

An organization is implementing two-factor authentication for SSL VPN access using FortiToken. Which THREE components are necessary for this setup?

Question 118 (medium, multi select)

A FortiGate admin wants to implement ZTNA to secure access to an internal application. Which TWO components are required for a basic ZTNA configuration?

Question 119 (easy, multiple choice)

A network administrator wants to authenticate VPN users against an existing LDAP server. Which authentication method should be configured on the FortiGate?

Question 120 (medium, multiple choice)

An administrator configures an IPsec VPN with IKEv1 main mode. The remote peer reports that Phase 1 fails with a 'no proposal chosen' error. The local Phase 1 settings include: encryption AES128, authentication SHA1, DH group 2, lifetime 86400. Which remote peer setting is MOST likely causing the mismatch?

Question 121 (hard, multiple choice)

You run the following CLI command on a FortiGate: 'diagnose vpn ike config list'. The output includes: 'src 10.0.1.0/24:0 dst 192.168.1.0/24:0'. What does this indicate?

Question 122 (easy, multiple choice)

Which of the following best describes the purpose of a captive portal on a FortiGate?

Question 123 (medium, multiple choice)

An administrator wants to use FortiToken two-factor authentication for SSL VPN users. In addition to configuring the user's FortiToken, which setting must be enabled on the firewall policy to force two-factor authentication?

Question 124 (hard, multiple choice)

An administrator is troubleshooting an IPsec VPN that fails to establish Phase 2. The Phase 1 is up. The administrator runs 'diagnose vpn ike log' and sees the message 'no matching phase2 proposal found'. What is the MOST likely cause?

Question 125 (medium, multiple choice)

What is the primary advantage of using IKEv2 over IKEv1 for IPsec VPN?

Question 126 (easy, multiple choice)

When configuring a route-based IPsec VPN, which of the following must be created to allow traffic to flow through the tunnel?

Question 127 (medium, multiple choice)

A FortiGate administrator is configuring a hub-and-spoke IPsec VPN. The hub has multiple Phase 2 selectors for each spoke. What is the recommended way to simplify configuration on the hub when adding new spokes?

Question 128 (hard, multiple choice)

An administrator has configured an SSL VPN with tunnel mode and split tunneling enabled. However, remote users report that all internet traffic is going through the VPN tunnel. What is the MOST likely cause?

Question 129 (medium, multiple choice)

An administrator wants to use Fortinet Single Sign-On (FSSO) with Active Directory to transparently authenticate users. Which component is responsible for polling Active Directory for user logon events?

Question 130 (hard, multiple choice)

An administrator runs 'diagnose debug application sslvpn -1' on a FortiGate and sees the following output: 'SSLVPN_ERROR:ERR_AUTH_FAIL' for a user. The user is in an LDAP group and has the correct password. What is the MOST likely cause?

Question 131 (medium, multi select)

An administrator is configuring a dial-up IPsec VPN for remote users. Which TWO settings are required on the FortiGate for the dial-up server? (Choose two.)

Question 132 (hard, multi select)

A FortiGate administrator is troubleshooting an IPsec VPN that is dropping traffic intermittently. The administrator runs 'diagnose vpn ike log' and sees many 'DPD' messages. Which THREE conditions could cause frequent DPD (Dead Peer Detection) retransmissions? (Choose three.)

Question 133 (medium, multi select)

An administrator is configuring a FortiGate for ZTNA (Zero Trust Network Access). Which TWO components are essential for ZTNA to function? (Choose two.)

Question 134 (medium, multiple choice)

A network administrator wants to implement two-factor authentication for SSL VPN users using FortiToken. The users are already authenticated against an LDAP server. Which configuration step is required to enforce two-factor authentication?

Question 135 (hard, multiple choice)

You run the CLI command 'diagnose vpn ike gateway list' and see that an IPsec VPN gateway is in 'up' state with 'initiator' mode, but no Phase 2 selectors are established. What is the most likely cause?

Question 136 (easy, multiple choice)

What is the primary purpose of configuring split tunneling on an SSL VPN?

Question 137 (medium, multiple choice)

A FortiGate administrator is configuring IPsec VPN between two sites. The Phase 1 negotiation fails with the error 'no proposal chosen'. Which two settings must match on both VPN peers?

Question 138 (hard, multiple choice)

An administrator configures FSSO (Fortinet Single Sign-On) with Active Directory polling. Users report that their web traffic is being blocked by the firewall even though they are logged into the domain. Which CLI command can the administrator use to verify the FSSO login status for a specific user?

Question 139 (medium, multiple choice)

A FortiGate administrator wants to configure a dial-up IPsec VPN where remote users connect using VPN clients with pre-shared key authentication. The company has recently experienced a data breach where the PSK was compromised. What is the best method to improve security without changing all clients immediately?

Question 140 (easy, multiple choice)

Which IPsec VPN mode is typically used when the VPN peer has a dynamic public IP address?

Question 141 (medium, multiple choice)

A FortiGate administrator configures an SSL VPN web mode portal. Users can access internal web applications but cannot access internal file shares via SMB. What is the most likely reason?

Question 142 (hard, multiple choice)

You receive an alert that a user's FortiToken synchronization is off. You need to resynchronize the token. Which CLI command achieves this?

Question 143 (medium, multiple choice)

In a hub-and-spoke IPsec VPN topology with FortiGate, the spoke sites cannot communicate directly with each other. What configuration change allows direct spoke-to-spoke communication?

Question 144 (easy, multiple choice)

What is the primary advantage of using route-based IPsec VPN over policy-based IPsec VPN?

Question 145 (medium, multiple choice)

A FortiGate administrator is troubleshooting an SSL VPN connection issue. Users can connect but cannot access internal resources. The administrator checks the SSL VPN policy and confirms it allows access to the internal subnet. What should the administrator check next?

Question 146 (hard, multi select)

A FortiGate administrator is configuring ZTNA for a web application. Which TWO components are required for a ZTNA configuration to function?

Question 147 (medium, multi select)

A FortiGate administrator is configuring RADIUS authentication for firewall users. Which THREE steps are required to complete the configuration? (Select THREE.)

Question 148 (medium, multi select)

An administrator is troubleshooting an IPsec VPN tunnel that is not establishing. The Phase 1 status shows 'down'. Which TWO commands can help diagnose the issue? (Choose TWO.)

Question 149 (medium, multiple choice)

A FortiGate is configured with an IPsec VPN to a remote site using IKEv1. The VPN tunnel goes down intermittently. The admin runs 'diagnose vpn ike gateway list' and sees 'state=UP' but no Phase2 selectors. What is the most likely cause?

Question 150 (easy, multiple choice)

An administrator wants to use Active Directory credentials to authenticate firewall administrators. Which authentication server type should be configured on the FortiGate?

Question 151 (hard, multiple choice)

A FortiGate in a hub-and-spoke VPN topology is configured with a single IPsec tunnel to each spoke. The hub has a route-based VPN with a tunnel interface for each spoke. After a reboot, traffic between spoke A and spoke B fails, although each spoke can reach the hub. What is the likely cause?

Question 152 (medium, multiple choice)

A client connects to a FortiGate SSL VPN in web mode. The user can access internal web applications but cannot ping or RDP to servers. The administrator wants to allow these services. What must be changed?

Question 153 (medium, multiple choice)

The output of 'diagnose debug application ike -1' shows 'no proposal chosen' for a Phase1 negotiation. Which action should the administrator take to resolve this?

Question 154 (easy, multiple choice)

A FortiGate administrator needs to authenticate VPN users against an LDAP server. What is the primary purpose of the 'CN=,OU=,DC=' distinguished name (DN) configured in the LDAP server settings?

Question 155 (hard, multiple choice)

During an SSL VPN tunnel mode connection, the client reports that they cannot access any internal resources, but the VPN connection is established. The FortiGate debug shows 'no matching policy'. The administrator has configured a policy allowing the SSL VPN interface to internal. What else must be configured?

Question 156 (medium, multiple choice)

An administrator is troubleshooting an IPsec VPN that uses aggressive mode. The VPN establishes successfully, but the administrator is concerned about security. Which statement is true regarding aggressive mode?

Question 157 (easy, multiple choice)

A company uses Fortinet Single Sign-On (FSSO) to authenticate users for firewall policies. The FSSO collector agent is installed on a Windows server and configured with Active Directory polling. What does the collector agent do?

Question 158 (hard, multiple choice)

An administrator runs 'diagnose vpn ssl stat' and sees 'tun-num: 5, clients: 0'. Users are unable to connect to the SSL VPN. The SSL VPN settings are correct and the certificate is valid. What could be the cause?

Question 159 (medium, multiple choice)

An administrator configures a captive portal on the FortiGate to authenticate guest users via a local user database. Users can connect to the SSID, but after entering credentials on the captive portal, they are not redirected to the internet. What is the most likely missing configuration?

Question 160 (medium, multi select)

An administrator needs to deploy two-factor authentication for SSL VPN users. The company uses FortiTokens. Which two steps are required to enable FortiToken for SSL VPN users? (Choose two.)

Question 161 (medium, multi select)

An administrator is configuring an IPsec VPN between two FortiGates using IKEv1. The tunnel must use main mode and support multiple subnets behind each gate. Which Phase2 settings are required to allow multiple subnets? (Choose two.)

Question 162 (hard, multi select)

A FortiGate admin is troubleshooting an IPsec VPN that fails to establish. The output of 'diagnose debug application ike -1' shows: 'IKE: No proposal chosen from x.x.x.x'. The admin checks the Phase1 configuration. Which of the following mismatches could cause this error? (Choose three.)

Question 163 (easy, multi select)

An administrator needs to configure ZTNA (Zero Trust Network Access) on a FortiGate to provide secure remote access to an internal application. Which components are required for a basic ZTNA configuration? (Choose three.)

Question 164 (medium, multiple choice)

A network administrator configures an IPsec VPN between two FortiGates using IKEv1 main mode. The Phase 1 negotiation fails with the error 'no proposal chosen'. The administrator checks both sides and confirms the IKE version, encryption algorithm (AES256), authentication (SHA256), and Diffie-Hellman group (14) match. Which additional parameter is MOST likely mismatched?

Question 165 (easy, multiple choice)

A FortiGate administrator wants to authenticate VPN users against an existing Active Directory server. The administrator creates a user group referencing a remote LDAP server and configures the firewall policy to authenticate using that group. However, users report authentication failures. What is the FIRST step to troubleshoot?

Question 166 (hard, multiple choice)

An administrator configures a dial-up IPsec VPN with IKEv2 to allow remote users to connect. The Phase 1 is set to use certificate-based authentication (PKI). Users can establish Phase 1, but Phase 2 fails with 'no proposal chosen'. The administrator checks the Phase 2 proposal: AES256-SHA256, and the remote network is 10.0.0.0/8 (the corporate LAN). What is the MOST likely cause?

Question 167 (medium, multiple choice)

A FortiGate is configured with FSSO (Fortinet Single Sign-On) to authenticate users from Active Directory. Users are logging in to their domain-joined computers, but the FortiGate does not see the user sessions. The polling connector is configured correctly. What is the MOST likely reason?

Question 168 (easy, multiple choice)

An administrator wants to configure SSL VPN web mode to allow remote users to access a specific internal web application without installing any client software. Which authentication method is required?

Question 169 (hard, multiple choice)

An administrator runs 'diagnose vpn ike gateway list' on a FortiGate and sees the following output for a dial-up IPsec VPN:

gateway name: 'dialup'
version: IKEv1
mode: aggressive
local IP: 203.0.113.1
remote IP: 0.0.0.0
state: up
peers: 0

What does 'peers: 0' indicate?

Question 170 (medium, multiple choice)

A FortiGate administrator configures a captive portal on a VDOM to authenticate users connecting to a guest SSID. The authentication method is set to LDAP. Users can reach the captive portal login page, but after entering valid credentials, they receive an authentication failure. The LDAP server is reachable from the FortiGate. What is the MOST likely cause?

Question 171 (easy, multiple choice)

What is the primary advantage of using IKEv2 over IKEv1 for IPsec VPN?

Question 172 (medium, multiple choice)

An administrator configures a route-based IPsec VPN between two FortiGates. The Phase 1 and Phase 2 are up. The administrator adds a static route on each FortiGate pointing to the remote subnet via the virtual tunnel interface (e.g., 'to_remote'). Traffic between the subnets fails. What is the MOST likely missing configuration?

Question 173 (medium, multiple choice)

An administrator needs to configure two-factor authentication for SSL VPN users using FortiToken. Which configuration is required on the FortiGate?

Question 174 (hard, multi select)

A FortiGate administrator is troubleshooting an IPsec VPN that fails to establish. The Phase 1 status shows 'init' and then resets. The administrator runs 'diagnose debug application ike -1' and sees the message 'no acceptable proposal'. Which TWO parameters are MOST likely mismatched?

Question 175 (medium, multi select)

An administrator wants to implement ZTNA (Zero Trust Network Access) on a FortiGate to secure access to an internal application. Which TWO components are essential for a ZTNA configuration?

Question 176 (hard, multi select)

A FortiGate is configured for SSL VPN tunnel mode with split tunneling enabled. The administrator wants to ensure that traffic to the corporate DNS server (10.0.1.10) goes through the tunnel while all other traffic goes directly to the internet. Which THREE configuration steps are required?

Question 177 (easy, multi select)

An administrator needs to authenticate users on a FortiGate using RADIUS. Which TWO of the following are required to configure RADIUS authentication?

Question 178 (medium, multi select)

A FortiGate administrator is configuring a hub-and-spoke IPsec VPN with three spokes. Each spoke has a dial-up connection to the hub. The hub uses a dynamic DNS name. Which THREE settings are necessary on each spoke to establish the VPN?

Question 179 (medium, multiple choice)

A network admin configures an IPsec VPN between two FortiGates using IKEv2. Phase 1 completes successfully, but Phase 2 fails to establish. The admin runs 'diagnose vpn ike log' and sees the error 'proposal mismatch'. What is the most likely cause?

Question 180 (easy, multiple choice)

An administrator wants to authenticate VPN users against an external LDAP server. Which authentication method should be configured in the user group for the SSL VPN portal?

Question 181 (hard, multiple choice)

A FortiGate is configured with FSSO using a DC agent. Users authenticate to the domain, but the firewall policy using FSSO groups is not matching traffic. The admin runs 'diagnose debug authd fsso list' and sees user entries. However, the traffic is being denied by the default deny policy. What is the most likely issue?

Question 182 (easy, multiple choice)

Which mode of SSL VPN provides full network-layer access to the remote network, allowing any application to function as if the client is directly connected?

Question 183 (medium, multi select)

An administrator is troubleshooting an IPsec VPN between two FortiGates. Phase 1 is up but Phase 2 is down. The admin runs 'diagnose vpn ike log' and sees 'no matching proposal'. To resolve this issue, which TWO settings should be checked on both ends?

Question 184 (medium, multi select)

A company requires two-factor authentication for SSL VPN access. They already have an LDAP server for user credentials. Which TWO components are necessary to implement this?

Question 185 (hard, multi select)

An administrator is configuring a hub-and-spoke IPsec VPN with a FortiGate as the hub. The spokes must be able to communicate with each other through the hub. Which THREE settings must be enabled on the hub FortiGate?

Question 186 (hard, multi select)

An administrator is troubleshooting an SSL VPN connection. Users can connect and authenticate, but they cannot access any internal resources. The firewall policy allows the SSL VPN interface to the internal network. Which THREE commands or configuration checks should the administrator use to diagnose the issue?
