NSE4 Firewall Policies and NAT • Complete Question Bank

NSE4 Firewall Policies and NAT — All Questions With Answers

Complete NSE4 Firewall Policies and NAT question bank — all 0 questions with answers and detailed explanations.

237 questions · Free · No signup

Question 1 (medium, multiple choice)

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

Question 2 (hard, multiple choice)

An organization wants to authenticate VPN users using an LDAP server. They configure an LDAP server object and a user group. However, users are unable to authenticate. The administrator checks the logs and sees 'authentication failed' errors. What is the most common misconfiguration?

Question 3 (easy, multiple choice)

A FortiGate administrator needs to allow SMTP traffic from the internal network to an external mail server. The internal network uses source NAT to the external interface IP. Which firewall policy configuration is correct?

Question 4 (medium, multiple choice)

Refer to the exhibit. A FortiGate has this policy configured. Traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP is being logged as allowed. However, users report that they cannot access the web server. What is the most likely issue?

Exhibit

config firewall policy
    edit 1
        set name "Allow-HTTP"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "10.0.1.0/24"
        set dstaddr "192.168.1.10"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

Question 5 (hard, multiple choice)

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

Exhibit

FGT # diagnose firewall auth list
1: authid=1 type=ldap user=jsmith src=10.0.0.5 dst=192.168.1.10 proto=6 port=80 duration=1200 timeout=3600
2: authid=2 type=ldap user=ajones src=10.0.0.6 dst=192.168.1.10 proto=6 port=80 duration=600 timeout=3600

Question 6 (medium, multiple choice)

A company uses FSSO (Fortinet Single Sign-On) with a domain controller. Users authenticate to the domain, and the FortiGate retrieves the login events. The firewall policy uses the FSSO group. Some users report that after logging in, they cannot access resources that require authentication. The administrator checks the FSSO status and sees that the FortiGate is receiving login events. What is the most likely cause?

Question 7 (easy, multiple choice)

An administrator wants to create a firewall policy that blocks all traffic from a specific IP address (10.0.0.99) to the internet, but allows all other traffic. Which policy configuration is correct?

Question 8 (medium, multi select)

Which TWO statements about firewall policy authentication are correct?

Question 9 (hard, multi select)

Which THREE conditions must be met for a firewall policy with FSSO authentication to work correctly?

Question 10 (hard, multiple choice)

Refer to the exhibit. An administrator configures the policies as shown. Traffic from 10.0.0.0/8 to the internet on HTTP is denied. What is the most likely reason?

Exhibit

config firewall policy
    edit 0
        set name "Deny-All"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1
        set name "Allow-HTTP"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "10.0.0.0/8"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

Question 11 (easy, multiple choice)

A FortiGate administrator wants to restrict access to a sensitive server (10.0.0.100) such that only users who authenticate via LDAP can access it. Which firewall policy configuration is required?

Question 12 (hard, multiple choice)

A company has a FortiGate 100F with two ISPs (ISP1 and ISP2) for load balancing. They use SD-WAN to direct traffic. The firewall has a policy that allows HTTP and HTTPS traffic from internal users (10.0.0.0/8) to the internet. The policy uses FSSO authentication with an Active Directory domain controller. Recently, users on the 10.0.1.0/24 subnet report that they are prompted for authentication repeatedly, even though they are domain-joined and logged in. Users on other subnets do not have this issue. The administrator checks the FSSO configuration and sees that the collector agent is running and the FortiGate is receiving login events. The FortiGate's policy is configured with source address 10.0.0.0/8 and FSSO group 'Domain Users'. The administrator also notices that the FortiGate's SD-WAN rules are configured to use ISP1 for traffic from 10.0.0.0/8 except for traffic from 10.0.1.0/24, which uses ISP2. The FortiGate's FSSO collector agent is configured to listen on the IP address 192.168.1.1, which is the IP of the interface connected to ISP1. What is the most likely cause of the authentication issue?

Question 13 (hard, multiple choice)

A company uses FortiGate with firewall policies to control access between internal VLANs. Users in VLAN 10 report they can access internet but cannot reach a server in VLAN 20 on port 443. The server is reachable from other VLANs. The administrator checks the firewall policy configuration: there is a policy from VLAN10 to VLAN20 allowing HTTPS, with NAT disabled and logging enabled. The policy has a schedule set to 'Always'. The administrator also checks that there are no overlapping policies. What is the most likely cause?

Question 14 (medium, multiple choice)

Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?

Exhibit

config firewall policy
    edit 1
        set name "Allow-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "Block-SSH"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

Question 15 (easy, multiple choice)

A company has a FortiGate with two ISPs: wan1 (primary) and wan2 (backup). They want all outbound traffic from internal users to use wan1, and if wan1 fails, traffic should automatically fail over to wan2. The administrator configures static routes: default route via wan1 gateway with distance 10 and default route via wan2 gateway with distance 20. They also configure an SD-WAN zone with both interfaces and set a strategy of 'Manual' with 'Best Quality' for wan1. After testing, failover does not occur when wan1 goes down. What is the most likely reason?

Question 16 (medium, drag order)

Drag and drop the steps to create a firewall policy allowing HTTP traffic from internal to DMZ into the correct order.

Question 17 (medium, drag order)

Drag and drop the steps to configure SSL VPN on FortiGate into the correct order.

Question 18 (medium, matching)

Match each Fortinet product to its primary role.

Descriptions:

Next-generation firewall

Security information and event management

Centralized logging and analytics

Centralized management and policy orchestration

Advanced threat detection and analysis

Question 19 (medium, matching)

Match each FortiGate logging destination to its description.

Descriptions:

Stored on the FortiGate's internal memory or disk

Centralized log collector and analyzer

Standard protocol to send logs to external servers

Cloud-based log storage and management

Used for monitoring device status and performance

Question 20 (medium, multiple choice)

A network admin has configured a firewall policy allowing HTTPS traffic from the internal network to a DMZ web server. Users report that the web pages load slowly. The admin checks the policy and notices traffic shaping is not applied. What is the BEST action to ensure fair bandwidth distribution for HTTPS traffic?

Question 21 (easy, multiple choice)

A junior admin is creating firewall policies and wants to ensure that all traffic not explicitly permitted is denied. Which FortiGate mechanism provides this behavior by default?

Question 22 (medium, multiple choice)

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

Question 23 (hard, multiple choice)

An admin is configuring a policy-based NAT rule (central NAT) to translate internal users' source IPs to the external IP of the FortiGate interface. However, users complain that some applications fail. The admin notices that the NAT rule is using 'dynamic IP pool' with overload. What is the MOST likely cause of the application failures?

Question 24 (medium, multiple choice)

A FortiGate admin wants to create a firewall policy that allows traffic from the internal network to the internet. The source is a subnet 192.168.1.0/24, and the destination is 'all'. The admin wants to apply NAT to hide internal IPs. Which NAT configuration is BEST suited for this scenario?

Question 25 (hard, multiple choice)

An admin notices that a firewall policy allowing inbound HTTPS to a server is not matching traffic. The policy has source set to 'all', destination to the server's IP, and service to HTTPS. The admin checks the policy list and sees that policy ID 1 matches the traffic. What is the MOST likely reason the intended policy (ID 10) is not matching?

Question 26 (easy, multiple choice)

Which of the following is a valid address object type in FortiGate that can be used to match traffic based on the domain name of the destination?

Question 27 (medium, multiple choice)

An admin wants to block all traffic from a specific geographic region. Which address object type should be used in the firewall policy source?

Question 28 (medium, multiple choice)

A company has a web server in the DMZ that must be accessible from the internet on both HTTP and HTTPS. The admin configures a VIP to map the public IP to the server's private IP. However, external users can only reach HTTP. What is the MOST likely cause?

Question 29 (hard, multiple choice)

An admin configures a policy-based NAT rule (central SNAT) to translate source IPs from 10.0.0.0/24 to a dynamic IP pool of 203.0.113.1-203.0.113.10 with overload enabled. Users report that some connections are dropped. What is the MOST likely cause?

Question 30 (easy, multiple choice)

A FortiGate admin wants to ensure that traffic destined to a specific web server is inspected by an IPS profile. Which configuration is necessary?

Question 31 (medium, multiple choice)

An admin needs to allow inbound SMTP traffic from the internet to a mail server in the DMZ. The public IP is 203.0.113.10, and the mail server's private IP is 10.0.0.5. Which VIP configuration is correct?

Question 32 (medium, multi select)

A FortiGate admin is troubleshooting a policy that should allow VoIP traffic. The admin suspects that the SIP ALG is interfering. Which TWO actions should the admin take to verify or resolve the issue?

Question 33 (hard, multi select)

An admin is configuring a policy-based NAT (central SNAT) to translate internal users to a pool of public IPs using overload. The admin wants to ensure that specific applications using non-standard ports are not affected by NAT. Which THREE steps should the admin consider?

Question 34 (medium, multi select)

A FortiGate admin needs to allow inbound HTTPS traffic to a web server while also applying an application control profile to block certain web applications. The web server has a VIP configured. Which TWO components are necessary for this configuration?

Question 35 (medium, multiple choice)

A network administrator configures a firewall policy allowing HTTP traffic from the internal network (10.0.0.0/8) to the internet. After applying the policy, users report they can browse the web, but the FortiGate logs show that all sessions are using the 'implicit deny' policy ID 0. What is the most likely cause?

Question 36 (medium, multiple choice)

An administrator creates a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network to the internet. The policy uses a dynamic IP pool for SNAT. Users report that some websites load slowly or fail to load intermittently. The administrator checks the firewall logs and sees 'session helper' warnings. What is the most likely cause?

Question 37 (hard, multiple choice)

During a security audit, the administrator runs the command 'diagnose firewall policy list' and sees the following output:

policy id=1: allow from port1 to port2, src=10.0.0.0/8, dst=any, action=accept
policy id=2: deny from port1 to port2, src=10.0.0.0/8, dst=172.16.0.0/12, action=deny
policy id=3: allow from port1 to port2, src=any, dst=any, action=accept

A host with IP 10.0.1.5 sends traffic to 172.16.0.1. Which policy will match?

Question 38 (easy, multiple choice)

An administrator needs to block all traffic from a specific geographic region. Which object type should be used as the source in the firewall policy?

Question 39 (medium, multiple choice)

A company has a web server in the DMZ that needs to be accessible from the internet on port 443 (HTTPS). The administrator configures a Virtual IP (VIP) mapping the public IP 203.0.113.10 to the private IP 10.0.1.10 port 443. Which firewall policy is required to allow inbound traffic?

Question 40 (hard, multiple choice)

An administrator configures a Central SNAT policy to translate traffic from the internal network (10.0.0.0/8) to the internet using the IP pool 'pool1'. The administrator also has a firewall policy that uses policy-based NAT with an IP pool 'pool2'. Both policies match the same traffic. Which NAT will be applied?

Question 41 (easy, multiple choice)

Which of the following statements about firewall policy ordering in FortiGate is correct?

Question 42 (medium, multiple choice)

An administrator wants to ensure that traffic from the engineering department (subnet 192.168.10.0/24) to the internet uses a specific public IP address for source NAT. Additionally, traffic from the marketing department (192.168.20.0/24) should use a different public IP. Which method should be used?

Question 43 (hard, multiple choice)

An administrator uses 'diagnose sys session list' and sees the following output for a session: 'proto=6 proto_state=01 duration=3600 expire=3599'. The session is for HTTPS traffic. What does 'proto_state=01' typically indicate in FortiGate?

Question 44 (medium, multiple choice)

An organization has multiple remote sites connected via IPsec VPN. The administrator needs to ensure that traffic from the internal network (10.0.0.0/8) to the VPN destination (10.10.0.0/16) uses a specific interface (port2) instead of the default route. Which feature should be configured?

Question 45 (easy, multiple choice)

Which of the following is NOT a valid address object type in FortiGate?

Question 46 (medium, multiple choice)

An administrator configures a firewall policy with a schedule that allows traffic only during business hours (Monday to Friday, 09:00-18:00). At 17:55 on a Friday, a user establishes an SSH session that is still active at 18:05. What happens to the session when the schedule ends?

Question 47 (medium, multi select)

A FortiGate administrator is troubleshooting why traffic from a specific host (10.0.1.100) to a web server (203.0.113.50) is being denied. The administrator has confirmed that a firewall policy exists that should allow the traffic. Which TWO diagnostic commands would help identify the issue?

Question 48 (hard, multi select)

An organization requires that outbound HTTP and HTTPS traffic from the internal network be translated to a single public IP address (203.0.113.1) using overload NAT (PAT). Which TWO configurations are necessary?

Question 49 (medium, multi select)

An administrator needs to allow inbound SSH access from the internet to a specific internal server (10.0.1.10) on port 22. The WAN IP is 203.0.113.10. Which THREE configuration steps are required?

Question 50 (easy, multiple choice)

A FortiGate administrator needs to allow inbound SSH access from the internet to a single internal server at IP 10.0.1.10. The public IP on the WAN interface is 203.0.113.5. Which type of object should be configured to map the public IP and port to the internal server?

Question 51 (medium, multiple choice)

A FortiGate has two firewall policies: Policy 1 (from port1 to port2, source all, destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (from port1 to port2, source all, destination all, schedule 'Business Hours', action accept). A user attempts to connect from port1 to 10.0.1.5 at 8 PM on a Saturday. The traffic is denied. What is the most likely reason?

Question 52 (medium, multiple choice)

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

Question 53 (easy, multiple choice)

Which firewall policy matching parameter is evaluated FIRST when a packet arrives at a FortiGate interface?

Question 54 (hard, multiple choice)

A FortiGate has a policy-based NAT rule that translates source IPs from subnet 192.168.1.0/24 to 203.0.113.10 when accessing the internet. The admin also enables Central SNAT with a rule that translates the same subnet to 203.0.113.20. If both are configured, which translation will be applied to traffic from 192.168.1.0/24 to the internet?

Question 55 (easy, multiple choice)

Which type of address object allows a FortiGate to perform DNS resolution to match traffic based on a domain name?

Question 56 (medium, multiple choice)

A network admin needs to log all traffic from the sales VLAN to the internet. The firewall policy is configured with logging enabled. However, the admin notices that only session start logs are generated, not detailed traffic logs. What setting must be enabled to capture per-packet or per-session details?

Question 57 (medium, multiple choice)

A FortiGate admin configures a VIP to map 203.0.113.10:80 to 10.0.1.10:8080. However, when external users connect to http://203.0.113.10, they receive a connection timeout. The firewall policy allows the traffic. What is the most likely cause?

Question 58 (hard, multiple choice)

An admin configures an IP Pool with type 'Overload' for outbound traffic from the 192.168.1.0/24 subnet. The pool uses a single public IP 203.0.113.10. After a few hours, users are unable to access external websites. The admin checks the session table and sees many sessions with the same public IP and different source ports. What is the most likely issue?

Question 59 (medium, multiple choice)

A FortiGate has two policies for traffic from port1 to port3: Policy 1 (destination 10.0.1.0/24, schedule always, action accept) and Policy 2 (destination 10.0.2.0/24, schedule 'Weekdays', action accept). A packet destined to 10.0.2.10 arrives on Wednesday at 2 PM. Which policy is applied?

Question 60 (hard, multiple choice)

An admin configures a one-to-one IP Pool to map 10.0.1.0/28 to 203.0.113.16/28. A host with IP 10.0.1.5 initiates a connection to the internet. Which source IP will be used for the translated packet?

Question 61 (easy, multiple choice)

Which of the following is the default action of a FortiGate firewall policy if no policy matches the traffic?

Question 62 (medium, multi select)

A FortiGate admin wants to ensure that traffic from the internal network (192.168.1.0/24) to the internet uses a specific public IP (203.0.113.10) for source NAT, and that the same public IP is also used for inbound connections to an internal web server (10.0.1.10) on port 443. Which TWO configurations are required? (Choose two.)

Question 63 (hard, multi select)

A FortiGate admin is troubleshooting an issue where traffic from VLAN 10 to the internet is not being NATed even though a policy-based NAT rule is configured. The admin verifies that the firewall policy uses the correct IP Pool. Which THREE steps should the admin take to diagnose the problem? (Choose three.)

Question 64 (medium, multi select)

A FortiGate admin needs to block all traffic from the 'Guest' VLAN (192.168.100.0/24) to the internal network (10.0.0.0/8) except for DNS traffic (UDP 53) to the internal DNS server at 10.0.0.10. Which TWO firewall policy configuration elements are required to achieve this? (Choose two.)

Question 65 (easy, multiple choice)

A network administrator needs to allow only HTTPS traffic from the internal network (10.0.0.0/8) to the public DNS server (8.8.8.8). Which firewall policy configuration BEST enforces this restriction?

Question 66 (medium, multiple choice)

An administrator configures a firewall policy allowing traffic from the internal network to the internet with NAT enabled. Users report that some outbound connections fail intermittently. The administrator runs 'diagnose sys session list' and sees many sessions in 'proto_state=01' with a short TTL. What is the most likely cause?

Question 67 (medium, multiple choice)

A FortiGate administrator needs to ensure that traffic from the LAN (192.168.1.0/24) to the DMZ (10.0.0.0/24) uses a specific outbound interface (port3) instead of the default route. Which feature should be configured to achieve this?

Question 68 (hard, multiple choice)

An administrator configures a VIP for inbound HTTP traffic to an internal server (192.168.1.10:80). External users can reach the server via the VIP, but internal users on the same subnet as the server cannot access the server using its public IP. What is the most likely cause?

Question 69 (easy, multiple choice)

A FortiGate has two firewall policies: Policy 1 (ID 1) allows HTTP from any to 10.0.0.0/8, and Policy 2 (ID 2) denies all traffic from 192.168.1.0/24 to any. Traffic from 192.168.1.10 to 10.0.0.5 on port 80 is received. Which policy will match first?

Question 70 (medium, multiple choice)

An administrator needs to allow VoIP traffic from a remote branch (192.168.2.0/24) to the main office (10.0.0.0/8) using UDP ports 5060 and 10000-20000. What is the most efficient way to define the service in the firewall policy?

Question 71 (hard, multiple choice)

An administrator configures Central SNAT with a dynamic IP pool for internet-bound traffic. Some users report that certain applications fail when they should be translated to a specific public IP. The administrator checks the policy-based NAT rules and finds none. What is the most likely reason for the failure?

Question 72 (easy, multiple choice)

Which statement about the implicit deny policy at the bottom of the firewall policy list is true?

Question 73 (medium, multiple choice)

An administrator wants to log all traffic that is denied by the implicit deny rule. How can this be achieved?

Question 74 (hard, multiple choice)

An administrator needs to allow traffic from a guest network (192.168.100.0/24) to the internet only during business hours (Mon-Fri, 08:00-18:00). The administrator creates a schedule object and applies it to the firewall policy. However, guests can still access the internet outside of the schedule. What is the most likely cause?

Question 75 (medium, multiple choice)

An administrator needs to translate a single internal server (192.168.1.10:8080) to a public IP (203.0.113.10:80) so that external users can access it via HTTP. Which type of VIP should be configured?

Question 76 (medium, multiple choice)

An administrator runs 'diagnose firewall iprope list 100000' and sees 'action=deny' entries for traffic that should be allowed. The policy list shows an allow policy with ID 1 for that traffic. What is the most likely cause of the deny?

Question 77 (medium, multi select)

A FortiGate administrator needs to allow SMTP traffic (TCP port 25) from the internal network (10.0.0.0/8) to a mail server in the DMZ (172.16.0.10). The administrator wants to apply an antivirus profile and log all sessions. Which THREE configuration steps are required?

Question 78 (hard, multi select)

An administrator needs to configure outbound NAT for 200 internal users using a single public IP (203.0.113.1). The public IP provides 2000 ports. Some applications require a deterministic source port range for logging. Which TWO NAT settings should be used?

Question 79 (medium, multi select)

A company has two internet connections (WAN1 and WAN2). The administrator wants to route HTTP traffic from the internal network through WAN1, and all other traffic through WAN2. Which TWO configurations are needed?

Question 80 (medium, multiple choice)

A network administrator creates a firewall policy allowing HTTP traffic from the internal network to a web server in the DMZ. Users report that they cannot access the web server. The administrator runs 'diagnose firewall iprope list' and sees the policy is present. What is the MOST likely cause of the issue?

Question 81 (easy, multiple choice)

An administrator needs to allow outbound DNS traffic (UDP port 53) from multiple internal subnets to the internet. Which object type should be used to group the subnets into a single source in the firewall policy?

Question 82 (hard, multiple choice)

A FortiGate administrator configures a policy-based NAT using an IP pool with type 'Fixed Port Range' for internal users accessing a specific external server. Users report that after some time, they cannot establish new connections to the server. 'diagnose ip pool list' shows many entries with 'used_port=65535'. What is the MOST likely cause?

Question 83 (medium, multiple choice)

An administrator creates a firewall policy with a traffic shaper to limit bandwidth for guest wireless users. After applying the policy, users can still consume high bandwidth. The administrator confirms the policy is matching. What is the MOST likely reason the traffic shaper is not effective?

Question 84 (easy, multiple choice)

What is the default action of the implicit deny policy at the end of the firewall policy list?

Question 85 (medium, multiple choice)

A FortiGate administrator wants to ensure that traffic from the internal network to an external FTP server uses a specific source IP address (203.0.113.10). The internal network uses RFC 1918 addresses. Which NAT configuration should be used?

Question 86 (hard, multiple choice)

An administrator configures a firewall policy with a schedule object that is set to 'Available: Mon-Fri 09:00-17:00'. At 10:00 AM on Saturday, users report they cannot access the resource. The administrator checks the policy list and sees the policy is enabled. What is the MOST likely reason?

Question 87easymultiple choice
Read the full NAT/PAT explanation →

Which of the following best describes a Virtual IP (VIP) in FortiGate?

Question 88mediummultiple choice
Read the full NAT/PAT explanation →

An administrator runs 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 89hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured with multiple VDOMs. The administrator creates a firewall policy in VDOM A that allows traffic from VDOM A to VDOM B using inter-VDOM links. Users in VDOM A can initiate traffic, but return traffic from VDOM B is not reaching them. What is the MOST likely cause?

Question 90mediummultiple choice
Read the full NAT/PAT explanation →

An administrator needs to block traffic from a specific geographic region (e.g., country) from reaching the corporate web server. Which type of address object should be used to define the source?

Question 91easymultiple choice
Read the full NAT/PAT explanation →

What is the purpose of policy-based routing (PBR) in FortiGate?

Question 92mediummulti select
Read the full NAT/PAT explanation →

A FortiGate administrator needs to allow inbound HTTPS traffic to a web server located at 192.168.1.10. The public IP is 203.0.113.5. The administrator wants to translate the destination to the internal server and also translate the source port to a fixed range for logging purposes. Which TWO configuration elements are required?

Question 93mediummulti select
Read the full NAT/PAT explanation →

An administrator is troubleshooting why traffic from a specific subnet (192.168.10.0/24) to the internet is not being matched by the expected firewall policy. The policy list shows an allow policy for this traffic at ID 10, but there is a deny policy at ID 5 for any traffic from 192.168.0.0/16. Which TWO statements are correct?

Question 94hardmulti select
Open the full VLAN trunking answer →

A FortiGate administrator is configuring a policy-based routing (PBR) rule to send all traffic from the 'Engineering' VLAN (10.1.0.0/16) to a dedicated internet link through gateway 203.0.113.1. The administrator also wants to apply a traffic shaper to limit bandwidth. Which THREE configuration tasks must be performed?

Question 95mediummultiple choice
Read the full NAT/PAT explanation →

A network admin configures a firewall policy allowing HTTP traffic from internal users to an external web server. The policy uses a service object 'HTTP' defined as TCP/80. However, users cannot reach the server. What is the MOST likely cause?

Question 96easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator needs to ensure that all internal users (10.0.0.0/8) accessing the internet use a single public IP address 203.0.113.10 for source NAT. Which NAT configuration should be used?

Question 97hardmultiple choice
Read the full NAT/PAT explanation →

An admin runs the command 'diagnose firewall iprope list 100000' and sees the following output: id=2000000000 action=deny flag=0x0 src-interface=any dst-interface=any proto=0 src-addr=0.0.0.0-255.255.255.255 dst-addr=0.0.0.0-255.255.255.255 What does this entry represent?

Question 98mediummultiple choice
Read the full NAT/PAT explanation →

A company wants to allow FTP (TCP ports 20-21) from their internal network (192.168.1.0/24) to a specific external server (203.0.113.50). They also need to inspect FTP traffic for viruses. What should the admin configure?

Question 99mediummultiple choice
Read the full NAT/PAT explanation →

An admin wants to block access to malicious websites using FortiGuard Web Filtering. Which policy configuration is necessary to apply the web filter profile to HTTP/HTTPS traffic?

Question 100hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured with multiple policies. The first policy allows traffic from 10.0.0.0/8 to any destination. The second policy denies traffic from 10.0.1.0/24 to any destination. What happens when a packet from 10.0.1.5 to 8.8.8.8 arrives?

Question 101easymultiple choice
Read the full NAT/PAT explanation →

An administrator wants to allow SSH access from the internet to a server inside the network at 192.168.1.10. Which NAT configuration is needed?

Question 102mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate admin runs 'diagnose sys session filter src 10.0.0.10' and gets no output. What does this indicate?

Question 103mediummultiple choice
Read the full NAT/PAT explanation →

An organization needs to restrict internet access for employees to business hours only (Monday to Friday, 8:00 to 18:00). Which object should the admin use in the firewall policy?

Question 104easymultiple choice
Read the full NAT/PAT explanation →

Which statement best describes the 'implicit deny' policy on a FortiGate?

Question 105hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate has a policy that allows traffic from 10.0.0.0/8 to any destination with NAT enabled using an IP pool 'Pool1' (203.0.113.10-203.0.113.20). The admin notices that internal servers using fixed ports (e.g., SIP) are failing. What is the likely cause?

Question 106mediummultiple choice
Read the full NAT/PAT explanation →

An admin needs to create a firewall policy that matches traffic based on the destination being a specific geographic location (e.g., France). Which address object should be used?

Question 107hardmulti select
Read the full NAT/PAT explanation →

A FortiGate admin is troubleshooting an issue where internal users cannot access a specific external service over TCP/443. The admin confirms that the firewall policy allows HTTP/HTTPS. Which TWO CLI commands should the admin use to diagnose? (Choose two.)

Question 108mediummulti select
Read the full NAT/PAT explanation →

An organization wants to implement least privilege for firewall policies. Which THREE best practices should be followed? (Choose three.)

Question 109mediummulti select
Read the full NAT/PAT explanation →

A FortiGate admin needs to configure source NAT for traffic from the internal network (10.0.0.0/8) to the internet. The requirement is to translate all internal IPs to a range of public IPs (203.0.113.1-203.0.113.10) while preserving the source port for specific applications. Which TWO configurations can achieve this? (Choose two.)

Question 110mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate admin has configured a firewall policy allowing traffic from the internal network (10.0.1.0/24) to the internet (any). Users report that they cannot access a specific website (203.0.113.5). The admin runs 'diagnose firewall fqdn list' and sees that the FQDN object used in a policy above the allow policy resolves to an IP that includes 203.0.113.5. What is the MOST likely cause?

Question 111mediummultiple choice
Read the full NAT/PAT explanation →

An admin needs to ensure that all traffic from the 10.0.1.0/24 network to the internet uses a specific public IP address (203.0.113.10) as the source IP, with port translation enabled. The FortiGate has multiple WAN interfaces. Which NAT configuration should the admin use on the firewall policy?

Question 112hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate admin configures a firewall policy to allow outbound HTTP traffic and applies a web filter profile. The admin notices that some users can access a known malicious URL while others are blocked. All users are in the same source subnet (10.0.1.0/24). What is the MOST likely cause of this inconsistent behavior?

Question 113easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator wants to allow traffic from the internal network to a specific external server using its fully qualified domain name (FQDN) rather than an IP address, because the server's IP changes frequently. Which type of address object should the administrator create for the destination?

Question 114mediummultiple choice
Read the full NAT/PAT explanation →

An admin runs 'diagnose sys session filter saddr 10.0.1.10' and 'diagnose sys session list' to check sessions from a specific internal host. The output shows multiple sessions with destination IP 203.0.113.50 using source port 12345. The admin then checks the firewall policy and sees that the policy uses an IP pool for source NAT. What does the source port 12345 indicate?

Question 115mediummultiple choice
Read the full NAT/PAT explanation →

A company has a FortiGate with two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to ensure that traffic from a specific internal server (10.0.1.100) destined to the internet always exits via port2, while all other traffic uses port1. Which feature should the admin configure on the firewall policy for that server?

Question 116hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate has a firewall policy with NAT enabled using an IP pool of type 'Fixed Port Range'. The pool range is 203.0.113.10-203.0.113.20 with port range 10000-20000. A user initiates a connection to an external server. Which of the following describes how the FortiGate will assign the source address and port?

Question 117easymultiple choice
Read the full NAT/PAT explanation →

An administrator is creating firewall policies for a FortiGate that separates the internal network (10.0.1.0/24) from a DMZ (192.168.1.0/24). The goal is to allow HTTP traffic from the internal network to the DMZ web server (192.168.1.10) but deny all other traffic. What is the recommended security posture for the implicit deny policy?

Question 118mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator is configuring a Virtual IP (VIP) to allow external users to access an internal web server (192.168.1.10) using the public IP 203.0.113.10 on port 80. The admin creates a VIP with mapped IP 192.168.1.10 and port 80. A firewall policy is created from WAN to DMZ with destination set to the VIP. External users report that they can access the web server. What additional step is needed to allow the internal server to respond correctly?

Question 119easymultiple choice
Read the full NAT/PAT explanation →

An administrator needs to block access to specific websites based on their FQDN (e.g., *.example.com). The FortiGate should match the destination domain regardless of the IP address the domain resolves to. Which type of address object should the admin use in the firewall policy destination?

Question 120hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate has two firewall policies: Policy ID 1 (source: 10.0.1.0/24, destination: 203.0.113.0/24, action: allow, NAT: enabled) and Policy ID 2 (source: 10.0.1.0/24, destination: all, action: allow, NAT: enabled, IP pool: pool1). A user from 10.0.1.10 sends traffic to 203.0.113.5. Which policy will the traffic match and why?

Question 121mediummultiple choice
Read the full NAT/PAT explanation →

An admin configures a firewall policy with a schedule object that restricts access to Monday to Friday from 9:00 to 17:00. A user attempts to connect on Saturday at 10:00. Which of the following best describes what happens?

Question 122mediummulti select
Read the full NAT/PAT explanation →

A FortiGate admin is troubleshooting an issue where traffic from a specific internal host (10.0.1.50) to the internet is not being NATed as expected. The firewall policy has NAT enabled with an IP pool of type Overload. Which TWO conditions could cause the traffic to bypass the IP pool?

Question 123hardmulti select
Read the full NAT/PAT explanation →

An admin needs to configure a FortiGate to allow multiple internal servers to be accessible from the internet using the same public IP but different ports. For example, internal server A (192.168.1.10:80) should be reachable via 203.0.113.10:8080, and internal server B (192.168.1.20:443) via 203.0.113.10:8443. Which TWO configuration steps are required?

Question 124easymulti select
Read the full NAT/PAT explanation →

A FortiGate admin is creating a firewall policy to allow outbound HTTP and HTTPS traffic from the internal network. The admin wants to ensure that traffic is inspected by security profiles (antivirus, web filter). Which THREE of the following must be configured on the firewall policy to achieve this?

Question 125mediummultiple choice
Read the full NAT/PAT explanation →

A network administrator notices that traffic from the internal network (10.0.1.0/24) to the internet is not being matched by the intended firewall policy (ID 10). The policy uses source address 'internal_subnet' (10.0.1.0/24) and destination address 'all'. There is another policy (ID 5) with source 'all' and destination 'all' that also matches this traffic. What is the most likely reason policy 10 is not being matched?

Question 126easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator needs to create a firewall policy that allows outbound traffic to the internet but denies access to a specific list of malicious IP addresses. The malicious IP list is updated frequently. Which address object type should be used for the destination addresses to block?

Question 127mediummultiple choice
Read the full NAT/PAT explanation →

You run 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 128hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator configures a Central SNAT policy to translate internal IPs to a single public IP for internet access. However, traffic from a specific internal server (10.0.1.100) must use a different public IP. The administrator also creates a policy-based NAT rule in the firewall policy for that server. Which NAT method takes precedence?

Question 129easymultiple choice
Read the full NAT/PAT explanation →

An administrator wants to restrict access to a web server from only specific countries. The FortiGate is located at the network edge. Which address object type should be used in the source field of the firewall policy?

Question 130mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate has multiple WAN interfaces (port1, port2) connected to different ISPs. The administrator wants traffic from the internal network to use port1 for general internet access but use port2 for traffic to a specific cloud service (203.0.113.0/24). Which feature should be used to achieve this?

Question 131hardmultiple choice
Read the full NAT/PAT explanation →

An administrator configures a Virtual IP (VIP) to map public IP 203.0.113.10 to internal server 10.0.1.10 on port 443. The firewall policy uses the VIP as the destination address. External users report they cannot connect. The administrator checks the policy and sees the destination interface is 'wan1' and source interface is 'wan1'. What is the most likely issue?

Question 132mediummultiple choice
Read the full NAT/PAT explanation →

An administrator needs to ensure that a firewall policy applies only during business hours (Monday to Friday, 9:00 AM to 6:00 PM). What object should be configured and applied to the policy?

Question 133easymultiple choice
Read the full NAT/PAT explanation →

Which of the following describes the implicit deny action in FortiGate firewall policies?

Question 134mediummultiple choice
Read the full NAT/PAT explanation →

An administrator configures a firewall policy with source address 'internal_net' (10.0.0.0/16) and destination address 'server_farm' (10.10.10.0/24). The action is set to ACCEPT with NAT enabled. However, traffic from 10.0.1.100 to 10.10.10.50 is being denied. What is the most likely cause?

Question 135hardmultiple choice
Read the full NAT/PAT explanation →

An administrator configures a VIP for port forwarding: public IP 203.0.113.10 port 8080 to internal server 10.0.1.10 port 80. External users can connect to http://203.0.113.10:8080 but receive a timeout. The firewall policy allows traffic from any to the VIP on destination port 8080. The internal server is reachable from internal hosts. What is the most likely problem?

Question 136mediummultiple choice
Read the full NAT/PAT explanation →

An administrator wants to limit the bandwidth for a specific application (e.g., YouTube) across all users. The administrator creates a traffic shaper and applies it to the firewall policy. What additional configuration is needed to identify YouTube traffic?

Question 137mediummulti select
Read the full NAT/PAT explanation →

A FortiGate administrator needs to configure source NAT for a group of internal servers (10.0.1.100-10.0.1.110) so that each server uses a unique public IP from the range 203.0.113.20-203.0.113.30. The requirement is that each internal IP maps to a fixed external IP (one-to-one mapping) and not port overload. Which TWO settings should be configured in the IP Pool? (Choose two.)

Question 138hardmulti select
Read the full NAT/PAT explanation →

An administrator notices that VoIP traffic (SIP) is not being inspected by the IPS profile applied to the firewall policy. The administrator suspects the traffic is being accelerated by NPU offloading. Which TWO actions can prevent NPU offloading for SIP traffic to ensure IPS inspection? (Choose two.)

Question 139easymulti select
Read the full NAT/PAT explanation →

Which THREE of the following are valid address object types in FortiGate? (Choose three.)

Question 140mediummultiple choice
Read the full NAT/PAT explanation →

A network administrator has configured a firewall policy allowing traffic from the internal network (10.0.0.0/8) to the internet. Users report that some websites are not loading. The administrator runs 'diagnose firewall iprope list 100000' and sees the policy listed with a hit count of zero. What is the MOST likely cause?

Question 141easymultiple choice
Read the full NAT/PAT explanation →

Which of the following statements about FortiGate policy lookup order is correct?

Question 142mediummultiple choice
Read the full NAT/PAT explanation →

An administrator needs to configure a firewall policy that allows internal users to access a specific web server on the internet using its domain name. The web server's IP address may change. Which type of address object should be used as the destination in the policy?

Question 143hardmultiple choice
Read the full NAT/PAT explanation →

You run the following commands on a FortiGate: 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and see: proto=6 proto_state=01 duration=3600 expire=3599 What does this output indicate?

Question 144mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator wants to ensure that traffic from the 192.168.1.0/24 network to the internet is translated to a single public IP address using overload (PAT). Which NAT configuration should be used?

Question 145hardmultiple choice
Read the full NAT/PAT explanation →

An organization has a FortiGate with two internet connections (WAN1 and WAN2). They want traffic to a specific web service (203.0.113.50 port 443) to always exit via WAN2. All other internet traffic should use WAN1. Which feature should be used to achieve this?

Question 146easymultiple choice
Read the full NAT/PAT explanation →

What is the purpose of the 'implicit deny' policy on a FortiGate?

Question 147mediummultiple choice
Read the full NAT/PAT explanation →

An administrator configures a Virtual IP (VIP) to map the public IP 203.0.113.10 port 8080 to the internal server 192.168.1.100 port 80. External users report they cannot connect. The firewall policy allows inbound traffic to the VIP. What is the MOST likely missing configuration?

Question 148hardmultiple choice
Read the full NAT/PAT explanation →

You execute 'get firewall policy 5' and see the following output: policyid=5 name="test" status=enable schedule="always" logtraffic=all What does 'logtraffic=all' mean?

Question 149easymultiple choice
Read the full NAT/PAT explanation →

Which address object type can be used to match traffic based on the source country?

Question 150mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator observes that traffic from a specific subnet is being denied even though there is an allow policy for that subnet. The administrator checks the policy list and sees an explicit deny policy above the allow policy. What should the administrator do to allow the traffic?

Question 151hardmultiple choice
Read the full NAT/PAT explanation →

An administrator configures a policy-based NAT rule to translate traffic from 10.0.0.0/8 to 203.0.113.1 using an IP Pool with overload. Later, they also enable Central SNAT for the same traffic. The traffic is not being NAT'd as expected. What is the MOST likely reason?

Question 152mediummulti select
Read the full NAT/PAT explanation →

A FortiGate administrator is troubleshooting why traffic from a specific internal host is not being allowed through a firewall policy. The policy appears correct and is enabled. Which TWO diagnostic commands could the administrator use to determine if the traffic is matching a different policy?

Question 153hardmulti select
Read the full NAT/PAT explanation →

A company needs to allow inbound HTTPS traffic from the internet to a web server behind the FortiGate. The public IP is 203.0.113.10, and the internal server is 192.168.1.10. The server must receive the original source IP of the client. Which THREE configurations are required to achieve this?

Question 154mediummulti select
Read the full NAT/PAT explanation →

An administrator wants to configure traffic shaping to limit bandwidth for YouTube video streaming. Which THREE objects or settings must be configured on the FortiGate to apply traffic shaping?

Question 155easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator configures a firewall policy to allow HTTP traffic from internal users to the internet. The policy uses source address 'internal_subnet', destination address 'all', and service 'HTTP'. After applying the policy, users report they cannot access websites. What is the most likely cause?

Question 156mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator needs to create a firewall policy that allows traffic from the internal network (10.0.0.0/8) to a public web server (203.0.113.10) on port 443. The policy must also perform source NAT using the FortiGate's external IP (198.51.100.1). Which NAT configuration should be applied?

Question 157hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate has the following policy list: ID 1: allow from trust to untrust, source 10.0.0.0/24, destination all, service HTTP, NAT enabled. ID 2: allow from trust to untrust, source 10.0.1.0/24, destination all, service ALL, NAT enabled. A host 10.0.1.50 sends an HTTP request to 203.0.113.5. Which policy matches?

Question 158easymultiple choice
Read the full NAT/PAT explanation →

An administrator wants to allow access to an internal web server from the internet using a public IP address 203.0.113.10. The internal server has IP 10.0.0.5. Which FortiGate feature should be configured to translate the destination IP?

Question 159mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator runs the following command and sees output: diagnose sys session filter dport 443 diagnose sys session list ... proto=6 proto_state=01 duration=3600 expire=3599 What does this output indicate about the session?

Question 160hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate has a policy that enables NAT with an IP pool that uses overload (port address translation). The administrator notices that some applications are failing because they require a fixed source port range. What should the administrator do to resolve this?
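Questions 82, 105, 116, 137 and 160 all turn on how the three IP pool types hand out addresses and ports. The following is an added example, not FortiOS code and not part of the question bank: a simplified Python model of overload (PAT), one-to-one and fixed-port-range pools. The pool ranges, the hash used to pick an overload address, and the small 20-port range used to provoke exhaustion are assumptions made for the demonstration; real FortiOS defaults to ports 5117-65533 and its exact block arithmetic may differ.

```python
# Added example (not FortiOS code): simplified model of FortiGate IP pool types.
# Pool ranges, the overload hash and the tiny port range are assumptions.
from ipaddress import ip_address


def ip_range(start, end):
    """Expand an inclusive dotted-quad range into a list of addresses."""
    return [str(ip_address(i)) for i in range(int(ip_address(start)), int(ip_address(end)) + 1)]


class IPPool:
    def __init__(self, ptype, startip, endip, source_startip=None, source_endip=None,
                 port_range=(5117, 65533)):
        assert ptype in ("overload", "one-to-one", "fixed-port-range")
        self.ptype = ptype
        self.external = ip_range(startip, endip)
        # one-to-one and fixed-port-range also need the internal (source) range
        self.internal = ip_range(source_startip, source_endip) if source_startip else None
        self.port_range = port_range
        self.used = {}   # external IP -> set of translated ports currently in use

    def block_for(self, internal_ip):
        """fixed-port-range: each internal host owns one contiguous port block on one
        external IP, so it can never borrow ports from another host's block."""
        idx = self.internal.index(internal_ip)
        hosts_per_ext = -(-len(self.internal) // len(self.external))   # ceiling division
        lo, hi = self.port_range
        block = (hi - lo + 1) // hosts_per_ext
        slot = idx % hosts_per_ext
        return self.external[idx // hosts_per_ext], lo + slot * block, lo + (slot + 1) * block - 1

    def translate(self, internal_ip, sport):
        """Return (translated ip, translated port) for a new session, or None if the
        pool cannot translate it."""
        if self.ptype == "one-to-one":
            # one internal IP <-> one external IP with no PAT: the source port survives,
            # which is what fixed-port applications such as SIP need (Q105, Q137)
            idx = self.internal.index(internal_ip)
            return (self.external[idx], sport) if idx < len(self.external) else None
        if self.ptype == "overload":
            # many-to-few with PAT. Assumed behaviour: pick the pool IP by hashing the
            # source, keep the original port if free, else take the lowest free one.
            ext = self.external[int(ip_address(internal_ip)) % len(self.external)]
            ports = self.used.setdefault(ext, set())
            for cand in [sport, *range(self.port_range[0], self.port_range[1] + 1)]:
                if cand not in ports:
                    ports.add(cand)
                    return ext, cand
            return None
        ext, lo, hi = self.block_for(internal_ip)
        ports = self.used.setdefault(ext, set())
        for cand in range(lo, hi + 1):
            if cand not in ports:
                ports.add(cand)
                return ext, cand
        return None   # this host's block is exhausted: new sessions fail (Q82)


def exhaustion_demo():
    """Four hosts share two public IPs that have only 20 usable ports each: every host
    gets a 10-port block, and the 11th concurrent session from one host is refused."""
    pool = IPPool("fixed-port-range", "203.0.113.10", "203.0.113.11",
                  "10.0.1.100", "10.0.1.103", port_range=(10000, 10019))
    results = [pool.translate("10.0.1.100", 40000 + i) for i in range(11)]
    return pool.block_for("10.0.1.100"), results
```

The exhaustion function is the Q82 symptom in miniature: the host's own block fills up while the other hosts' blocks, and the rest of the pool, stay idle. The one-to-one branch is why that type is the usual answer when an application needs its source port left alone.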

Question 161easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator needs to block all traffic from a specific geographic region (country) from accessing the internal network. Which type of address object should be used in the firewall policy?

Question 162mediummultiple choice
Read the full NAT/PAT explanation →

An administrator has configured a firewall policy that allows outbound traffic from a subnet to the internet, with NAT enabled. The external IP is 203.0.113.1. However, the administrator wants all traffic from a specific internal server (10.0.0.10) to appear with source IP 203.0.113.2. What should the administrator do?

Question 163mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate has multiple VDOMs. The administrator needs to allow traffic from VDOM A (port1) to VDOM B (port2). What type of firewall policy is required?

Question 164hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured with two policies: Policy A allows traffic from trust to untrust with schedule 'WorkHours' (Mon-Fri 9-17). Policy B allows traffic from trust to untrust with schedule 'Always'. A user sends traffic at 8:00 AM on Saturday. Which policy matches?
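Questions 100, 120, 157 and 164 are all the same lesson: FortiGate walks the policy list top-down and uses the first match, not the most specific one. Below is an added example that is not FortiOS code and not part of the question bank: a small Python model of that lookup with interface, address, service and recurring-schedule matching, ending in the implicit deny. The interface names, the policy IDs and the dates chosen as "now" are assumptions made for the example.

```python
# Added example (not FortiOS code): top-down, first-match policy lookup.
# Interface names, policy IDs and the test dates are assumptions.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    policy_id: int
    action: str                       # "accept" or "deny"
    srcintf: str = "any"
    dstintf: str = "any"
    srcaddr: tuple = ("0.0.0.0/0",)   # address objects, as CIDRs
    dstaddr: tuple = ("0.0.0.0/0",)
    service: tuple = ("ALL",)         # "ALL" or entries such as "tcp/80"
    days: tuple = tuple(range(7))     # recurring schedule: weekday numbers, Mon=0
    hours: tuple = (0, 24)            # recurring schedule: [start, end) hour of day

    def matches(self, pkt, when):
        if self.srcintf not in ("any", pkt["srcintf"]):
            return False
        if self.dstintf not in ("any", pkt["dstintf"]):
            return False
        if not any(ip_address(pkt["src"]) in ip_network(n) for n in self.srcaddr):
            return False
        if not any(ip_address(pkt["dst"]) in ip_network(n) for n in self.dstaddr):
            return False
        if "ALL" not in self.service and f'{pkt["proto"]}/{pkt["dport"]}' not in self.service:
            return False
        start, end = self.hours
        return when.weekday() in self.days and start <= when.hour < end


# Every list ends with the implicit deny; it is what a packet hits when nothing above matches.
IMPLICIT_DENY = Policy(policy_id=0, action="deny")


def lookup(policies, pkt, when=None):
    """Return the first policy, top to bottom, that matches the packet."""
    when = when or datetime(2026, 1, 7, 10, 0)   # assumed 'now': a Wednesday at 10:00
    for p in policies:
        if p.matches(pkt, when):
            return p
    return IMPLICIT_DENY


def q100_case(deny_first=False):
    """Q100: a broad /8 accept above a /24 deny. 10.0.1.5 -> 8.8.8.8 hits the accept
    because the more specific deny below it is never evaluated; moving the deny up fixes it."""
    allow8 = Policy(1, "accept", srcaddr=("10.0.0.0/8",))
    deny24 = Policy(2, "deny", srcaddr=("10.0.1.0/24",))
    policies = [deny24, allow8] if deny_first else [allow8, deny24]
    pkt = dict(srcintf="trust", dstintf="untrust", src="10.0.1.5", dst="8.8.8.8", proto="tcp", dport=443)
    return lookup(policies, pkt).policy_id


def q120_case():
    """Q120: ID 1 (destination 203.0.113.0/24) sits above ID 2 (destination all), so
    10.0.1.10 -> 203.0.113.5 uses ID 1 and never reaches the IP pool on ID 2."""
    policies = [
        Policy(1, "accept", srcaddr=("10.0.1.0/24",), dstaddr=("203.0.113.0/24",)),
        Policy(2, "accept", srcaddr=("10.0.1.0/24",)),
    ]
    pkt = dict(srcintf="trust", dstintf="untrust", src="10.0.1.10", dst="203.0.113.5", proto="tcp", dport=443)
    return lookup(policies, pkt).policy_id


def q157_case():
    """Q157: ID 1 covers 10.0.0.0/24 and HTTP only; 10.0.1.50 is outside it, so ID 2 matches."""
    policies = [
        Policy(1, "accept", "trust", "untrust", ("10.0.0.0/24",), service=("tcp/80",)),
        Policy(2, "accept", "trust", "untrust", ("10.0.1.0/24",)),
    ]
    pkt = dict(srcintf="trust", dstintf="untrust", src="10.0.1.50", dst="203.0.113.5", proto="tcp", dport=80)
    return lookup(policies, pkt).policy_id


def q164_case(with_always=True):
    """Q164: a Saturday 08:00 packet skips the Mon-Fri 9-17 policy. With an 'Always'
    policy below it, that one matches; without it, the packet falls to the implicit deny."""
    workhours = Policy(1, "accept", "trust", "untrust", days=tuple(range(5)), hours=(9, 17))
    always = Policy(2, "accept", "trust", "untrust")
    saturday_8am = datetime(2026, 1, 10, 8, 0)   # 2026-01-10 is a Saturday
    pkt = dict(srcintf="trust", dstintf="untrust", src="10.0.1.10", dst="8.8.8.8", proto="udp", dport=53)
    return lookup([workhours, always] if with_always else [workhours], pkt, saturday_8am).policy_id
```

The same reasoning is what the page's questions 93, 125, 150 and 170 expect: when a broader policy sits above the intended one, the fix is to reorder, not to rewrite the lower policy.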

Question 165mediummultiple choice
Read the full NAT/PAT explanation →

An administrator needs to apply traffic shaping to limit bandwidth for video streaming traffic on a firewall policy. Which configuration step is required?

Question 166easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator wants to create a firewall policy that matches traffic based on the destination domain name (e.g., *.example.com). Which type of address object should be used?

Question 167mediummulti select
Read the full NAT/PAT explanation →

A FortiGate administrator is troubleshooting a connectivity issue where internal clients cannot reach a public web server. The administrator has confirmed that routing is correct and there are no security profiles blocking traffic. Which TWO debugging steps should the administrator take? (Choose two.)

Question 168hardmulti select
Read the full NAT/PAT explanation →

An administrator needs to configure destination NAT for multiple internal servers using a single public IP address by differentiating based on destination port. The public IP 203.0.113.10 should map to: (A) 10.0.0.1:80 for HTTP, (B) 10.0.0.2:443 for HTTPS. Which TWO configuration steps are required? (Choose two.)

Question 169mediummulti select
Read the full NAT/PAT explanation →

A FortiGate administrator is implementing a policy to allow outbound traffic from the internal network to the internet. The requirements are: (1) all traffic from internal users must be source NATed to the external interface IP, (2) traffic from a specific server must use a different public IP, (3) HTTP traffic must be shaped to 10 Mbps. Which THREE configuration elements should the administrator create? (Choose three.)

Question 170mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate admin creates a new firewall policy with source address object 'Internal_Net' and destination 'All'. After saving, traffic from 'Internal_Net' is not matching the new policy but instead matches an older policy with a broader source. What is the MOST likely cause?

Question 171easymultiple choice
Read the full NAT/PAT explanation →

An admin needs to allow outbound HTTP and HTTPS traffic from the internal network to the internet. Which two built-in service objects can be used in a single firewall policy to achieve this?

Question 172hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate has a central SNAT policy that translates internal users to a single IP pool address. The admin wants specific traffic (e.g., from a particular subnet) to use a different IP pool. What is the correct approach?

Question 173mediummultiple choice
Read the full NAT/PAT explanation →

An admin configures a firewall policy to allow SMTP traffic from a mail server to the internet with NAT enabled. External recipients report that the email source IP is the FortiGate's external interface IP. The admin wants the source to be a specific IP from a pool. What should the admin configure?

Question 174easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate policy allows traffic from the internal network to a DMZ server. The admin wants to limit access to only specific hours. Which object type should be used in the policy?

Question 175mediummultiple choice
Read the full NAT/PAT explanation →

An admin runs 'diagnose sys session filter dport 443' and sees output showing sessions with 'proto=6' and 'expire=3599'. The admin notices that these sessions are not being cleaned up after the firewall policy that allowed them is deleted. What is the reason?

Question 176mediummultiple choice
Read the full NAT/PAT explanation →

A company has a FortiGate with multiple VDOMs. An admin creates a firewall policy in the root VDOM to allow traffic from a subnet to the internet. The traffic is not matching the policy. What is the most likely cause?

Question 177hardmultiple choice
Read the full NAT/PAT explanation →

An admin configures a VIP to map a public IP to an internal server. The firewall policy uses the VIP as the destination. External users can access the server, but the server's logs show the source IP as the FortiGate's internal interface IP instead of the original client IP. Why is this happening?
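Questions 123, 153, 168 and 177 describe the inbound VIP path: the VIP rewrites the destination on the original (public) IP and port before the policy is looked up, and enabling NAT on that same policy rewrites the source as well, which is why the server logs the FortiGate's interface address. The following is an added example, not FortiOS code and not part of the question bank, modelling that path in Python. The interface names, addresses, VIP names and policy IDs are assumptions made for the example.

```python
# Added example (not FortiOS code): model of VIP destination NAT plus the effect of
# enabling NAT on the VIP policy. Names, addresses and IDs are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class VIP:
    name: str
    extip: str
    extport: int       # port clients connect to on the public IP
    mappedip: str
    mappedport: int    # port the internal server actually listens on


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    dstaddr: tuple     # VIP names usable as the policy destination
    nat: bool = False  # NAT enabled on a VIP policy also source-NATs to the egress interface IP


class Gateway:
    def __init__(self, vips, policies, interface_ips):
        self.vips = vips
        self.policies = policies
        self.interface_ips = interface_ips   # interface name -> its own IP

    def forward(self, srcintf, src, dst, dport):
        """Return what the internal server sees, or the reason the packet is dropped."""
        # 1. DNAT: the VIP is matched on the pre-NAT destination IP and port, so two
        #    servers can share one public IP as long as their external ports differ
        vip = next((v for v in self.vips if (v.extip, v.extport) == (dst, dport)), None)
        if vip is None:
            return {"action": "deny", "reason": "no VIP for %s:%d" % (dst, dport)}
        # 2. policy lookup with the VIP object as the destination; a source interface
        #    with no matching policy falls to the implicit deny
        pol = next((p for p in self.policies if p.srcintf == srcintf and vip.name in p.dstaddr), None)
        if pol is None:
            return {"action": "deny", "reason": "implicit deny: no policy allows VIP %s from %s" % (vip.name, srcintf)}
        # 3. with NAT enabled on the policy the server sees the FortiGate's egress
        #    interface IP instead of the client (Q177); leave NAT off to preserve it (Q153)
        new_src = self.interface_ips[pol.dstintf] if pol.nat else src
        return {"action": "accept", "policy": pol.policy_id, "src": new_src,
                "dst": vip.mappedip, "dport": vip.mappedport}


def build_gateway(nat_on_policy=False):
    """Q123/Q168: two servers behind 203.0.113.10, told apart by destination port."""
    vips = [
        VIP("srvA_8080", "203.0.113.10", 8080, "192.168.1.10", 80),
        VIP("srvB_8443", "203.0.113.10", 8443, "192.168.1.20", 443),
    ]
    policies = [Policy(10, "wan1", "dmz", ("srvA_8080", "srvB_8443"), nat=nat_on_policy)]
    return Gateway(vips, policies, {"wan1": "203.0.113.10", "dmz": "192.168.1.1"})
```

Running `build_gateway().forward("wan1", "198.51.100.7", "203.0.113.10", 8080)` yields the client's own address as the source; the same call on `build_gateway(nat_on_policy=True)` yields 192.168.1.1, the dmz interface, which is exactly the log entry question 177 describes.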

Question 178easymultiple choice
Read the full NAT/PAT explanation →

Which statement best describes the implicit deny policy at the end of a FortiGate policy list?

Question 179mediummultiple choice
Read the full NAT/PAT explanation →

An admin needs to allow traffic from a specific IP to a web server on port 8080. The web server is behind a VIP that forwards port 80 to port 8080. When configuring the security policy, which destination should be used?

Question 180hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from a specific subnet out of a particular interface. The admin also has a firewall policy allowing that subnet to the internet. However, the traffic is not being routed as expected. What could be the issue?

Question 181easymultiple choice
Read the full NAT/PAT explanation →

An admin wants to allow traffic only from specific countries to access a web server. Which type of address object should be used in the firewall policy?

Question 182mediummulti select
Read the full NAT/PAT explanation →

An admin is troubleshooting why traffic from a specific host (10.0.1.10) to a web server (203.0.113.50:80) is being denied. The FortiGate has several policies. Which TWO CLI commands should the admin use to identify which policy is matching the traffic? (Choose two.)

Question 183hardmulti select
Read the full NAT/PAT explanation →

An admin needs to configure NAT for internal users accessing the internet. The requirements are: 1) All internal users must be translated to a single public IP. 2) The translation should use port address translation (PAT). 3) The configuration must allow tracking of which internal user initiated a connection. Which THREE settings must be configured? (Choose three.)

Question 184mediummulti select
Read the full NAT/PAT explanation →

An admin is configuring a firewall policy to allow FTP traffic from a client to a server. The server is behind a VIP that translates public IP 203.0.113.10 port 21 to private IP 10.0.0.10 port 21. The admin wants to ensure the FTP data channel works correctly. Which TWO additional configurations are required? (Choose two.)

Question 185 (medium, multiple choice)

A network admin runs 'diag sys session filter proto 6' and 'diag sys session list' and sees many sessions with state 'SYN_SENT' to a public web server. The firewall policy allows TCP/443. What is the MOST likely cause?

Question 186 (easy, multiple choice)

An admin wants to block all traffic from the internet to a specific internal server except for the IP address 203.0.113.50. Which firewall policy configuration achieves this using the principle of least privilege?

Question 187 (hard, multiple choice)

A FortiGate has policy-based NAT enabled. The admin wants to translate the source IP of internal users to the interface IP for internet traffic. The firewall policy has NAT enabled. However, traffic from the internal network to the internet shows the original source IP instead of the interface IP. What is the MOST likely reason?

Question 188 (medium, multiple choice)

An admin creates a firewall policy allowing HTTP traffic from internal users to the internet. Users complain that they cannot access HTTPS websites. The admin checks and sees that the policy only has HTTP service. What is the BEST course of action to allow HTTPS while maintaining security?

Question 189 (easy, multiple choice)

What is the order of evaluation for firewall policies on a FortiGate?

Question 190 (medium, multiple choice)

An admin configures a VIP to map public IP 203.0.113.10 to internal server 10.0.1.100 on port 80. External users can reach the server via the public IP. However, internal users cannot access the server using the public IP. What is the MOST likely cause?

Question 191 (medium, multiple choice)

You run the following CLI command on a FortiGate:

# diagnose debug flow filter saddr 192.168.1.10
# diagnose debug flow show function enable
# diagnose debug enable

You then initiate a ping from 192.168.1.10 to 8.8.8.8. The output shows 'no matching policy'. What does this indicate?

Question 192 (hard, multiple choice)

An admin configures a central SNAT rule to translate source IP 10.0.0.0/24 to IP pool 203.0.113.1-203.0.113.10 using overload (PAT). A policy-based NAT on a specific policy also translates the same source to the interface IP. Traffic from 10.0.0.0/24 to the internet shows source IP as the interface IP, not from the IP pool. What is the reason?

Question 193 (easy, multiple choice)

Which address object type allows you to match traffic based on the domain name in the HTTPS SNI field?

Question 194 (medium, multiple choice)

An admin wants to apply different QoS markings to traffic from two different departments. The admin creates two firewall policies: one for Sales (policy ID 1) and one for Engineering (policy ID 2). Both policies have traffic shaping enabled. However, traffic from both departments receives the same QoS marking. What is the MOST likely mistake?

Question 195 (hard, multiple choice)

A FortiGate with multiple VDOMs has a policy that allows traffic from VDOM A to VDOM B. The admin notices that traffic from VDOM A to a specific server in VDOM B is being dropped. The session log shows 'deny by forward policy check'. What is the MOST likely cause?

Question 196 (easy, multiple choice)

What is the purpose of a schedule object in a firewall policy?

Question 197 (medium, multi select)

An admin needs to configure NAT so that internal users (10.0.0.0/24) accessing the internet (any destination) are translated using an IP pool (203.0.113.10-203.0.113.20) with overload. The admin also needs to ensure that traffic from a specific server (10.0.0.100) always uses a fixed source port range (10000-20000) when translated. Which TWO configuration steps are required? (Choose two.)

Question 198 (hard, multi select)

An admin troubleshoots an issue where internal users cannot access an internal server using its public IP address. The server is published via a VIP. The admin has already verified that the firewall policy allows traffic from internal to the VIP. Which THREE checks should the admin perform to resolve the issue? (Choose three.)

Question 199 (medium, multi select)

A FortiGate has two firewall policies for HTTP traffic to the internet: Policy A (source: 10.0.1.0/24) and Policy B (source: 10.0.2.0/24). Both policies have the same destination and service. The admin wants to apply a traffic shaper to limit bandwidth for Policy B. Which TWO actions are correct? (Choose two.)

Question 200 (medium, multiple choice)

A FortiGate admin configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to the internet. Users report that they cannot access web pages. The admin runs 'diagnose debug flow' and sees packets hitting the policy but being dropped. What is the MOST likely cause?

Question 201 (easy, multiple choice)

Which of the following best describes the policy lookup order on a FortiGate firewall?

Question 202 (hard, multiple choice)

An admin configures a Central SNAT rule to translate internal 192.168.1.0/24 to 203.0.113.10 when accessing the internet. However, traffic from 192.168.1.100 to 8.8.8.8 shows source IP 192.168.1.100 in logs. What is the MOST likely cause?

Question 203 (medium, multiple choice)

When creating a firewall policy, an admin wants to ensure that traffic from a specific user group is allowed only during business hours (Monday to Friday, 09:00-18:00). Which object type must be configured and applied to the policy?

Question 204 (medium, multiple choice)

An admin configures a VIP to map public IP 203.0.113.10:80 to internal server 10.0.0.10:8080. Users on the internet can reach the server. However, internal users trying to access the public IP from inside the network fail. What is the MOST likely reason?

Question 205 (medium, multiple choice)

An admin wants to block traffic from a specific geographic region (e.g., North Korea) from reaching the FortiGate's external interface. Which address object type should be used in the firewall policy?

Question 206 (easy, multiple choice)

Which statement about the implicit deny policy on a FortiGate is true?

Question 207 (hard, multiple choice)

A FortiGate with multiple WAN interfaces uses policy-based routing (PBR) to route traffic from subnet 10.0.0.0/24 through port1 and 10.0.1.0/24 through port2. However, traffic from 10.0.0.0/24 is still using port2. The PBR rule appears correctly configured. What is the MOST likely issue?

Question 208 (easy, multiple choice)

An admin needs to translate the source IP of traffic from multiple internal hosts to a single public IP when accessing the internet, while keeping track of each session. Which NAT method should be used?

Question 209 (medium, multiple choice)

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 210 (medium, multiple choice)

An admin wants to ensure that VoIP traffic (UDP ports 5060-5061) from the internal network to the internet is prioritized over other traffic when the WAN link is congested. Which feature should be configured on the firewall policy?

Question 211 (hard, multiple choice)

A FortiGate admin configures an IP pool with type 'Fixed Port Range' to translate source IPs from 192.168.1.0/24 to 203.0.113.0/28 using port range 10000-20000. After applying the IP pool to a policy, some users cannot establish connections while others work. What is the MOST likely cause?

Question 212 (medium, multi select)

A network admin needs to configure a FortiGate to allow remote VPN users (IPsec VPN) to access a web server in the DMZ. The VPN users are assigned IPs from 10.10.10.0/24. The web server is at 192.168.2.10:80. Which TWO objects must be created to define the traffic for the firewall policy? (Choose two.)

Question 213 (hard, multi select)

An admin is troubleshooting why traffic from VLAN 10 to the internet is not being translated by a Central SNAT rule. The Central SNAT rule is configured with source interface 'port2.10', destination interface 'wan1', source address '192.168.10.0/24', and IP pool 'pool1'. The firewall policy for internet access has NAT enabled but no IP pool attached. Which THREE steps should the admin take to resolve the issue? (Choose three.)

Question 214 (medium, multi select)

An admin needs to create a firewall policy that allows SMTP traffic (TCP/25) from the internal network (10.0.0.0/24) to a mail server in the DMZ (172.16.1.10). Additionally, the admin wants to ensure that the mail server can only be accessed by the internal network, not from the internet. Which THREE settings must be configured in the firewall policy? (Choose three.)

Question 215 (easy, multiple choice)

A FortiGate administrator wants to ensure that traffic from the internal network to the internet is translated to a single public IP address. Which NAT method should be used?

Question 216 (medium, multiple choice)

A network admin has configured a firewall policy allowing traffic from the 'internal' zone to the 'external' zone. The policy uses a service object 'HTTP' (TCP/80). Users report they can access HTTP websites but not HTTPS. The admin confirms no other policies block HTTPS. What is the most likely cause?

Question 217 (hard, multiple choice)

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 218 (medium, multiple choice)

An administrator needs to allow FTP traffic from the internal network to a specific server on the internet. The FTP server uses passive mode. Which service object should be used in the firewall policy to ensure proper operation?

Question 219 (medium, multiple choice)

A FortiGate has multiple firewall policies. Policy ID 1 allows HTTP from LAN to WAN. Policy ID 2 allows all traffic from DMZ to WAN. A packet arrives from the DMZ interface destined to a web server on the internet using HTTPS. Which policy is matched?

Question 220 (hard, multiple choice)

An administrator is configuring a VIP to map a public IP to an internal server. The server hosts both HTTP and HTTPS services. The admin creates a VIP with port forwarding for port 80 to internal port 80, and another VIP for port 443 to internal port 443. Both VIPs use the same public IP. Users can access HTTP but not HTTPS. What is the most likely issue?

Question 221 (easy, multiple choice)

Which of the following is a characteristic of policy-based NAT on a FortiGate?

Question 222 (medium, multi select)

An administrator is troubleshooting a connectivity issue where users in the 10.0.0.0/24 subnet cannot access the internet. The FortiGate has the following policies (in order):

1: allow 10.0.0.0/24 -> any, service: HTTP, HTTPS
2: deny any -> any, service: all

Users can browse HTTP but not HTTPS. Which TWO actions would resolve the issue?

Question 223 (medium, multi select)

An administrator needs to allow internal users to access a public web server using the server's private IP address, while external users access it via a public IP. Which TWO components are required?

Question 224 (hard, multi select)

A FortiGate is configured with policy-based NAT and multiple IP pools. The administrator wants traffic from the 192.168.1.0/24 subnet to use IP pool 'POOL1' (203.0.113.1-203.0.113.10) and traffic from 192.168.2.0/24 to use IP pool 'POOL2' (203.0.113.11-203.0.113.20). Which THREE steps are necessary?

Question 225 (easy, multi select)

Which TWO statements about firewall policy order are true?

Question 226 (hard, multi select)

An administrator is configuring traffic shaping on a firewall policy to limit bandwidth for YouTube. Which THREE components are required?

Question 227 (medium, multi select)

An administrator needs to block access to a specific website using FQDN address objects. Which TWO steps are necessary?

Question 228 (hard, multi select)

A FortiGate has a policy that matches traffic from LAN to WAN with NAT enabled and an IP pool. The pool contains IPs 203.0.113.1 to 203.0.113.5. The administrator notices that all traffic appears to come from 203.0.113.1. Which THREE reasons could explain this?

Question 229 (medium, multi select)

An administrator wants to apply policy-based routing (PBR) to route traffic from a specific subnet through a different ISP. Which TWO elements must be configured?

Question 230 (medium, multiple choice)

A FortiGate administrator has configured a firewall policy allowing HTTP traffic from the internal network (10.0.1.0/24) to the DMZ server (192.168.1.10). The policy is placed after a deny-all policy that blocks traffic from internal to DMZ. Even though the allow policy is more specific, traffic is still being denied. What is the most likely cause?

Question 231 (hard, multiple choice)

An administrator configures Central SNAT for traffic going from internal network (10.0.0.0/8) to the internet. The rule uses an IP Pool with overload (PAT) and the pool address is 203.0.113.10. However, traffic from 10.0.0.10 to a public server is not being NATed; the source IP remains 10.0.0.10. The firewall policy allows the traffic. What is the most likely cause?

Question 232 (easy, multiple choice)

A FortiGate administrator needs to allow all internal users (10.0.0.0/8) to access a web server in the DMZ (192.168.1.100) using HTTPS. The administrator wants to apply a web filter profile to block malicious URLs while allowing legitimate traffic. Which of the following is the correct policy configuration?

Question 233 (medium, multiple choice)

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 234 (medium, multi select)

A FortiGate administrator is configuring a firewall policy to allow inbound HTTPS traffic from the internet to an internal web server. The web server has a private IP address 10.0.0.10. The administrator wants to translate the destination IP to the internal server using a Virtual IP (VIP). Which TWO of the following must be configured for the VIP to work correctly? (Choose two.)

Question 235 (hard, multi select)

An administrator is troubleshooting why traffic from a specific VLAN (192.168.10.0/24) to the internet is not being NATed correctly. The firewall policy allows the traffic with NAT enabled and uses an IP Pool (overload) for the source translation. The IP Pool is configured with the address 203.0.113.10. However, the traffic still shows the original source IP. Which THREE of the following could cause this issue? (Choose three.)

Question 236 (easy, multi select)

A FortiGate administrator needs to block all traffic from a specific IP address (10.0.0.100) to the internet, but allow all other internal users. The administrator has created a firewall policy with source=10.0.0.100, destination=all, service=all, action=DENY, and placed it at the top of the policy list. Which TWO additional steps should the administrator take to ensure the block is effective? (Choose two.)

Question 237 (medium, multi select)

An administrator is configuring policy-based routing (PBR) on a FortiGate to route traffic from a specific subnet (172.16.1.0/24) through a different internet connection (wan2) instead of the default route via wan1. The administrator has created a PBR rule matching source 172.16.1.0/24 and set the gateway to the next-hop IP on wan2. The traffic is still using wan1. Which THREE of the following could be causing the issue? (Choose three.)
