Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← System and Network Administration practice sets

NSE4 System and Network Administration • Complete Question Bank

NSE4 System and Network Administration — All Questions With Answers

Complete NSE4 System and Network Administration question bank — all 0 questions with answers and detailed explanations.

200
Questions
Free
No signup
Certifications/NSE4/Practice Test/System and Network Administration/All Questions
Question 1mediummultiple choice
Read the full System and Network Administration explanation →

A company wants to ensure that administrative access to FortiGate is only allowed from the internal trusted network (192.168.1.0/24) and that all other access attempts are blocked. Which CLI command should the administrator configure first?

Question 2hardmultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?

Question 3easymultiple choice
Read the full System and Network Administration explanation →

An administrator needs to back up the FortiGate configuration to a TFTP server at 10.0.0.10. Which command should be used?

Question 4hardmultiple choice
Read the full network assurance explanation →

Refer to the exhibit. An administrator wants to enable SNMP access on the wan1 interface. Which of the following is the most efficient method?

Exhibit

config system interface
    edit "wan1"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type wan
        set role wan
        set snmp-index 1
    next
end
Question 5mediummulti select
Read the full System and Network Administration explanation →

Which TWO of the following are valid methods to upgrade the FortiGate firmware? (Choose two.)

Question 6hardmulti select
Read the full System and Network Administration explanation →

An administrator is troubleshooting a FortiGate that is not passing traffic. The policy allows traffic, but the session table shows no sessions. Which THREE steps should the administrator take to diagnose the issue? (Choose three.)

Question 7mediummultiple choice
Study the full SD-WAN breakdown →

A FortiGate is configured with two ISPs (WAN1 and WAN2) and uses SD-WAN for load balancing. The administrator notices that traffic to a critical SaaS application is being sent over the slower link. What should the administrator do to ensure this traffic uses the faster link?

Question 8easymultiple choice
Read the full System and Network Administration explanation →

What is the default administrative account on a FortiGate?

Question 9hardmultiple choice
Read the full network assurance explanation →

An administrator needs to configure a FortiGate to send logs to two different syslog servers for redundancy. Which configuration method should be used?

Question 10mediummultiple choice
Read the full System and Network Administration explanation →

Refer to the exhibit. The administrator notices that traffic from internal to wan1 is being logged, but the logs do not show the original source IP. What is the most likely reason?

Exhibit

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
Question 11easymulti select
Read the full System and Network Administration explanation →

Which TWO of the following are prerequisites for configuring a high availability (HA) cluster on FortiGate? (Choose two.)

Question 12hardmulti select
Read the full System and Network Administration explanation →

Which THREE statements about FortiGate's 'config system global' settings are true? (Choose three.)

Question 13mediummultiple choice
Study the full SD-WAN breakdown →

A company has a FortiGate 200F with FortiOS 7.2 and two ISPs (WAN1: 100 Mbps, WAN2: 50 Mbps). The company uses SD-WAN to load balance outbound internet traffic. Recently, the company added a new VoIP application that requires low latency and jitter. The administrator configured an SD-WAN rule to match the VoIP traffic and set the strategy to 'best quality' with a performance SLA measuring latency and jitter. However, after testing, the VoIP traffic is still using WAN2 (the slower link) even when WAN1 has lower latency. The performance SLA shows both links meeting the SLA thresholds. What is the most likely reason?

Question 14hardmultiple choice
Read the full System and Network Administration explanation →

A large enterprise is deploying a FortiGate 600F as the perimeter firewall. The security team requires that all administrative access (SSH, HTTPS, and Ping) to the FortiGate must be restricted to a dedicated management network (10.10.10.0/24). Additionally, any failed login attempt from outside the management network should be logged and the source IP should be blocked for 30 minutes. The administrator has configured a local-in policy to deny all administrative access from non-management networks and enabled logging. However, the administrator wants to automatically block the offending IPs. The FortiGate is not connected to any FortiAnalyzer or FortiManager. What should the administrator do to achieve this?

Question 15easymultiple choice
Read the full System and Network Administration explanation →

Which command is used to display the current FortiGate firmware version?

Question 16mediummultiple choice
Read the full System and Network Administration explanation →

A company is deploying a FortiGate HA cluster in active-passive mode across two data centers. The network team reports that after a failover, some existing TCP sessions are dropped. Which configuration change should be applied to maintain session persistence during failover?

Question 17hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?

Question 18easymultiple choice
Read the full System and Network Administration explanation →

An administrator needs to configure a FortiGate to allow web traffic from the internal network to the Internet. The internal network is 192.168.1.0/24 and the WAN interface is port1 with IP 203.0.113.1. Which firewall policy is correct?

Question 19mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator notices that the device's disk usage is critically high, causing logging failures. The administrator wants to free up space without losing important logs. Which action should be taken first?

Question 20hardmultiple choice
Review the full routing breakdown →

Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?

Exhibit

Refer to the exhibit.
config router static
    edit 1
        set device port1
        set gateway 203.0.113.1
        set dst 0.0.0.0 0.0.0.0
        set distance 10
    next
    edit 2
        set device port2
        set gateway 10.0.0.1
        set dst 0.0.0.0 0.0.0.0
        set distance 20
    next
end
Question 21mediummulti select
Read the full System and Network Administration explanation →

Which TWO configuration changes can reduce the risk of unauthorized administrative access to a FortiGate?

Question 22hardmulti select
Read the full System and Network Administration explanation →

Which THREE configuration steps are required to enable transparent proxy mode on a FortiGate?

Question 23hardmultiple choice
Read the full DNS explanation →

A medium-sized enterprise has a FortiGate 100F in NAT/Route mode with three interfaces: port1 (WAN, 203.0.113.1/24, gateway 203.0.113.254), port2 (internal, 192.168.1.1/24), and port3 (DMZ, 10.0.0.1/24). The internal network hosts a web server at 192.168.1.10 and a mail server at 192.168.1.20. The DMZ hosts a public web server at 10.0.0.10 and a public DNS server at 10.0.0.20. The company has a single public IP 203.0.113.1. The administrator has configured the following: - Port forwarding: external HTTP to DMZ web server (10.0.0.10:80) and external DNS to DMZ DNS server (10.0.0.20:53). - Outbound NAT (IP Pool) for internal users to 203.0.113.1. - Firewall policies allowing internal to external, DMZ to external, and external to DMZ (for forwarded services).

Users report that they can access the Internet but cannot reach the internal web server (192.168.1.10) via its public IP (203.0.113.1:80). The DMZ web server is accessible from the Internet. What is the most likely cause?

Question 24mediumdrag order
Review the full routing breakdown →

Drag and drop the steps to configure a static route on a FortiGate firewall into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 25mediumdrag order
Read the full System and Network Administration explanation →

Drag and drop the steps to troubleshoot a user unable to access the internet through FortiGate into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 26mediummatching
Read the full System and Network Administration explanation →

Match each Fortinet security feature to its primary function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Detects and prevents network intrusions

Identifies and controls application traffic

Blocks access to malicious or unauthorized websites

Scans and removes malware from traffic

Decrypts and inspects encrypted traffic

Question 27mediummatching
Read the full System and Network Administration explanation →

Match each FortiGate security profile component to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Scans files for malware

Controls access to URLs and web categories

Identifies and allows/denies application traffic

Detects and blocks network attacks

Decrypts encrypted traffic for inspection

Question 28easymultiple choice
Read the full System and Network Administration explanation →

A network administrator needs to configure a FortiGate to allow HTTPS access to the GUI from the internal network. Which two steps must be performed?

Question 29mediummultiple choice
Review the full routing breakdown →

An administrator runs 'diagnose sniffer packet any "host 10.0.1.100" 4' and sees packets being sent but no response. The FortiGate has a static route for 10.0.1.0/24 via 192.168.1.1. The administrator checks the routing table and sees the route is present. What is the most likely cause of no response?

Question 30hardmultiple choice
Read the full System and Network Administration explanation →

A FortiGate is configured in transparent mode. The administrator notices that traffic passing through the FortiGate is not being logged, even though log all sessions is enabled on the policy. What is the most likely reason?

Question 31mediummultiple choice
Read the full System and Network Administration explanation →

An administrator wants to aggregate two physical interfaces (port1 and port2) on a FortiGate to increase bandwidth and provide redundancy. Which interface type should be created?

Question 32easymultiple choice
Read the full System and Network Administration explanation →

An administrator needs to back up the FortiGate configuration to a remote server using SCP. Which command is correct?

Question 33mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured with two equal-cost static routes to the same destination network (0.0.0.0/0) via two different ISPs. The administrator wants to use both links simultaneously for load balancing. What must be enabled?

Question 34hardmultiple choice
Read the full System and Network Administration explanation →

During a firmware upgrade, the FortiGate reboots and the administrator cannot access the GUI via HTTPS. The CLI shows the system is running the previous firmware. What is the most likely cause?

Question 35mediummultiple choice
Read the full network assurance explanation →

An administrator configures SNMP on a FortiGate to monitor CPU and memory usage. After applying the configuration, the NMS cannot reach the FortiGate via SNMP. The FortiGate's interface has SNMP access enabled. What is the most likely missing configuration?

Question 36easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured in NAT/Route mode. Which statement is correct about this mode?

Question 37hardmultiple choice
Review the full subnetting walkthrough →

An administrator attempts to configure a policy route to route specific traffic from an internal subnet (10.1.1.0/24) to the internet via a different ISP. The policy route is created but traffic is still using the default route. What is the most likely cause?

Question 38mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator wants to synchronize the system time with an external NTP server. Which CLI command should be used to configure the NTP server?

Question 39mediummultiple choice
Read the full System and Network Administration explanation →

An administrator needs to integrate a FortiGate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection refused' for FortiAnalyzer. What is the most likely cause?

Question 40mediummulti select
Read the full System and Network Administration explanation →

An administrator is configuring a FortiGate HA cluster in active-passive mode. Which two statements are correct about this configuration?

Question 41hardmulti select
Read the full VPN explanation →

A FortiGate administrator is troubleshooting a VPN tunnel that is not coming up. The phase 1 parameters match on both sides. Which three configuration items should the administrator verify?

Question 42mediummulti select
Read the full System and Network Administration explanation →

An administrator is configuring a FortiGate to use FortiManager for centralized management. Which three steps are required?

Question 43easymultiple choice
Read the full network assurance explanation →

A network administrator needs to configure a FortiGate to participate in SNMP monitoring. Which CLI command enables SNMP agent on the FortiGate?

Question 44mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured with two equal-cost static default routes via two ISPs. The administrator wants to use both links simultaneously for outbound traffic, distributing sessions per source-destination pair. Which ECMP load balancing method should be configured under config system settings?

Question 45mediummultiple choice
Read the full System and Network Administration explanation →

An administrator is configuring a FortiGate in a transparent mode. Which of the following features is NOT available in transparent mode?

Question 46hardmultiple choice
Read the full System and Network Administration explanation →

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 47easymultiple choice
Read the full System and Network Administration explanation →

What is the purpose of configuring an aggregate interface on a FortiGate?

Question 48mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator needs to allow remote management from the internet only from a specific IP address. Which configuration achieves this?

Question 49hardmultiple choice
Read the full NAT/PAT explanation →

An administrator plans to upgrade FortiGate firmware from version 6.0 to 7.2. The current version is 6.0.10. Which upgrade path is correct?

Question 50easymultiple choice
Read the full System and Network Administration explanation →

Which command is used to back up the FortiGate configuration to a TFTP server?

Question 51mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate is set to NAT/Route mode. The admin wants traffic from internal users to the internet to use an IP address on the WAN interface for source NAT. Which configuration is required?

Question 52mediummultiple choice
Read the full System and Network Administration explanation →

You notice that the FortiGate HA cluster is not failing over when the primary unit loses power. The HA configuration shows 'set ha-priority 250' on the primary and 'set ha-priority 200' on the secondary. What is the most likely cause?

Question 53hardmultiple choice
Review the full subnetting walkthrough →

An administrator configures a policy route to send all traffic from a specific subnet to a different next-hop. However, traffic from that subnet is still using the default route. Which configuration could be causing this?

Question 54easymultiple choice
Read the full System and Network Administration explanation →

Which of the following is required to allow a FortiGate to synchronize its clock with an NTP server?

Question 55mediummulti select
Read the full System and Network Administration explanation →

An administrator needs to configure a FortiGate to send logs to a FortiAnalyzer. Which two configurations are required? (Choose two.)

Question 56hardmulti select
Read the full System and Network Administration explanation →

An administrator is configuring a FortiGate HA cluster in active-passive mode with two units. Which three conditions must be met for failover to occur? (Choose three.)

Question 57mediummulti select
Read the full System and Network Administration explanation →

A FortiGate admin needs to create a loopback interface for management purposes. Which two statements about loopback interfaces are correct? (Choose two.)

Question 58mediummultiple choice
Read the full NAT/PAT explanation →

A network administrator is configuring a new FortiGate and needs to ensure that all traffic from the internal network to the internet is source NATed to the public IP address on port1. The default route points to port1. Which configuration step is required to achieve this?

Question 59easymultiple choice
Open the full VLAN trunking answer →

An administrator is configuring a VLAN interface on a FortiGate. The physical interface is port2 and the VLAN ID is 100. Which of the following correctly creates the VLAN interface?

Question 60hardmultiple choice
Read the full System and Network Administration explanation →

You run the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and see this output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 61mediummultiple choice
Read the full NAT/PAT explanation →

An administrator needs to upgrade the firmware on a FortiGate from version 6.4.10 to 7.0.1. The device currently runs FortiOS 6.4.10. Which upgrade path should be followed?

Question 62easymultiple choice
Read the full NAT/PAT explanation →

Which FortiGate operating mode allows the device to act as a transparent layer 2 bridge, forwarding traffic without performing NAT or routing?

Question 63hardmultiple choice
Read the full System and Network Administration explanation →

A FortiGate in an HA active-passive cluster is experiencing frequent failovers. The administrator checks the HA statistics and sees that the primary unit's heartbeat interface has a high error rate. What is the most likely cause?

Question 64mediummultiple choice
Review the full subnetting walkthrough →

An administrator needs to allow SSH access to the FortiGate's management interface from a specific management subnet (10.0.1.0/24). Which configuration achieves this?

Question 65easymultiple choice
Read the full System and Network Administration explanation →

What is the purpose of configuring a loopback interface on a FortiGate?

Question 66mediummultiple choice
Read the full System and Network Administration explanation →

An administrator is troubleshooting a connectivity issue. A ping from the FortiGate to 8.8.8.8 succeeds, but traffic from internal hosts to the internet is failing. The firewall policy allows the traffic. What is the most likely cause?

Question 67hardmultiple choice
Review the full subnetting walkthrough →

A FortiGate is configured with two WAN links (port1 and port2) and uses ECMP routing. The administrator wants to ensure that traffic from a specific internal subnet (192.168.10.0/24) always uses port1, while all other traffic uses ECMP. Which configuration should be applied?

Question 68mediummultiple choice
Read the full System and Network Administration explanation →

An administrator wants to send FortiGate logs to a FortiAnalyzer for centralized logging and reporting. Which configuration step is required on the FortiGate?

Question 69easymultiple choice
Read the full System and Network Administration explanation →

Which of the following statements about FortiGate backup is true?

Question 70mediummulti select
Read the full System and Network Administration explanation →

A FortiGate administrator needs to configure NTP to ensure accurate time on the device. Which two steps are required? (Choose two.)

Question 71hardmulti select
Open the full VLAN trunking answer →

An administrator is configuring a FortiGate in transparent mode and needs to forward traffic between two VLANs. Which three configurations are required? (Choose three.)

Question 72mediummulti select
Read the full network assurance explanation →

An administrator is setting up SNMP monitoring on a FortiGate. Which two configurations are necessary for a basic SNMP setup? (Choose two.)

Question 73mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

Question 74hardmultiple choice
Read the full System and Network Administration explanation →

An admin runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 75easymultiple choice
Read the full System and Network Administration explanation →

What is the primary purpose of configuring a loopback interface on a FortiGate?

Question 76mediummultiple choice
Read the full System and Network Administration explanation →

An admin configures an aggregate interface on a FortiGate using two physical ports. After configuration, the admin notices that traffic is not load-balancing evenly. What is the MOST likely cause?

Question 77hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate in NAT/Route mode has a policy with NAT enabled. The admin needs the source IP of traffic from internal users (192.168.1.0/24) to be translated to the interface IP of port1 (203.0.113.1) when accessing the internet. Which configuration is necessary?

Question 78easymultiple choice
Read the full System and Network Administration explanation →

Which command is used to back up the full FortiGate configuration including all settings and objects?

Question 79mediummultiple choice
Read the full NAT/PAT explanation →

An admin configures two static routes to the same destination with different distances. The route with distance 10 points to ISP1, and the route with distance 20 points to ISP2. The admin wants to use ISP2 only if ISP1 fails. What is the expected behavior?

Question 80mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate is operating in transparent mode. The admin needs to allow HTTP traffic from users to a web server. Which type of firewall policy is required?

Question 81hardmultiple choice
Read the full System and Network Administration explanation →

During a firmware upgrade, the admin uploads the image via the GUI and clicks 'Upgrade'. The FortiGate reboots but comes up with the old firmware. What is the MOST likely cause?

Question 82easymultiple choice
Read the full System and Network Administration explanation →

Which CLI command is used to configure NTP on a FortiGate?

Question 83mediummultiple choice
Read the full network assurance explanation →

An admin wants to monitor CPU and memory usage on a FortiGate using SNMP. Which configuration is required?

Question 84hardmultiple choice
Review the full routing breakdown →

A FortiGate is configured in an HA active-passive cluster. The primary unit fails. After the secondary takes over, a policy route configured on the primary is not working. What is the MOST likely reason?

Question 85mediummulti select
Read the full System and Network Administration explanation →

An admin needs to configure a FortiGate to send logs to a FortiAnalyzer. Which TWO steps must be performed? (Choose two.)

Question 86hardmulti select
Review the full subnetting walkthrough →

An admin wants to ensure that traffic between two internal subnets (10.0.1.0/24 and 10.0.2.0/24) is inspected by the FortiGate but does not have its source IP translated. Which THREE configuration elements are required? (Choose three.)

Question 87easymulti select
Read the full NAT/PAT explanation →

An admin is configuring ECMP (Equal Cost Multi-Path) on a FortiGate with two ISPs. Which TWO conditions must be met for ECMP to load balance traffic across both links? (Choose two.)

Question 88mediummultiple choice
Review the full subnetting walkthrough →

A network administrator notices that after configuring a new static route on a FortiGate, traffic to a remote subnet is still being forwarded via the default route. The administrator confirms the static route is present in the routing table with a lower distance than the default route. What is the MOST likely cause?

Question 89easymultiple choice
Read the full System and Network Administration explanation →

An administrator needs to configure a FortiGate to allow remote management via HTTPS from the internet. Which configuration step is required?

Question 90mediummultiple choice
Read the full System and Network Administration explanation →

You run the following command on a FortiGate:

``` diagnose sys session filter dport 443 diagnose sys session list ```

The output shows: ``` proto=6 proto_state=01 duration=3600 expire=3599 ```

What does this indicate?

Question 91hardmultiple choice
Review the full routing breakdown →

An administrator configures a FortiGate in transparent mode to be deployed between a router and a switch. After installation, traffic passes through but the administrator cannot access the FortiGate's management IP from the management network. What is the MOST likely reason?

Question 92mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator needs to upgrade the firmware from FortiOS 6.4 to 7.0. The administrator downloads the upgrade image but when uploading via the GUI, the FortiGate reboots and comes back with the same firmware version. What is the most likely cause?

Question 93easymultiple choice
Review the full routing breakdown →

An administrator wants to ensure that traffic to a specific web server always exits through a particular ISP link, regardless of route changes. Which feature should be configured?

Question 94mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate is configured with two WAN interfaces in an active-passive HA cluster. The administrator notices that the passive unit is not synchronizing configuration changes from the active unit. What is the MOST likely cause?

Question 95hardmulti select
Open the full VLAN trunking answer →

An administrator configures a VLAN interface on a FortiGate trunk port. The VLAN is allowed on the trunk, but the FortiGate cannot ping the default gateway of that VLAN. Which two items must be verified? (Choose two.)

Question 96easymultiple choice
Read the full System and Network Administration explanation →

An administrator needs to back up the FortiGate configuration to a remote server. Which protocol is supported for backup?

Question 97mediummultiple choice
Read the full network assurance explanation →

A FortiGate administrator configures SNMPv2c on the FortiGate to send traps to a monitoring server. However, no traps are received. The monitoring server can ping the FortiGate. What is the MOST likely cause?

Question 98mediummultiple choice
Read the full System and Network Administration explanation →

An administrator configures a FortiGate to use NTP for time synchronization. After configuration, the FortiGate still shows the wrong time. Which command should the administrator run to verify NTP status?

Question 99hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured with multiple WAN interfaces and ECMP routing. The administrator notices that traffic to a particular destination is intermittently failing. What is the MOST likely cause?

Question 100mediummulti select
Read the full System and Network Administration explanation →

An administrator needs to integrate a FortiGate with FortiManager for centralized management. Which two steps are required? (Choose two.)

Question 101mediummulti select
Read the full System and Network Administration explanation →

An administrator is configuring a loopback interface on a FortiGate for management purposes. Which three statements are true about loopback interfaces? (Choose three.)

Question 102easymulti select
Read the full DNS explanation →

An administrator needs to configure DNS on a FortiGate so that internal hosts can resolve external domain names. Which two settings are required? (Choose two.)

Question 103easymultiple choice
Read the full System and Network Administration explanation →

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 104easymultiple choice
Review the full subnetting walkthrough →

A network administrator needs to allow SSH access to the FortiGate from a management subnet 10.0.1.0/24. Which configuration step is required on the interface connected to that subnet?

Question 105easymultiple choice
Study the full SD-WAN breakdown →

A FortiGate has been configured with two WAN interfaces (wan1, wan2) in an SD-WAN zone. The administrator wants to ensure that traffic for a specific internal server uses only wan1. What is the most appropriate method?

Question 106mediummultiple choice
Read the full System and Network Administration explanation →

An administrator configures two FortiGate units in an active-passive HA cluster. After a failover, some existing TCP sessions are dropped. What is the most likely reason for this behavior?

Question 107mediummultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator needs to upgrade the firmware from 7.0.5 to 7.2.0. The current firmware is 7.0.5. What is the recommended upgrade path?

Question 108mediummultiple choice
Read the full System and Network Administration explanation →

You run 'get system performance status' and see CPU usage at 95% with high context switch rate. The FortiGate is not passing any traffic. What is the most likely cause?

Question 109mediummultiple choice
Read the full NAT/PAT explanation →

An administrator creates a firewall policy to allow internal users to access the internet. The source interface is 'internal', destination interface is 'wan1', and NAT is enabled. Users complain that they cannot access external resources. The administrator verifies that the default route points to the ISP gateway. What is the most likely missing configuration?

Question 110mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator wants to send logs to a FortiAnalyzer. The FortiAnalyzer IP is 192.168.1.100, and logging is configured under Log & Report. However, no logs are being received. Which command should the administrator use on the FortiGate to verify connectivity to the FortiAnalyzer?

Question 111hardmultiple choice
Read the full System and Network Administration explanation →

An organization has two FortiGate units in an HA cluster. They need to perform a firmware upgrade on the primary unit without causing a failover. Which procedure should be followed?

Question 112hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate is configured with two equal-cost default routes to different ISPs. The administrator notices that traffic for a specific destination is load-balanced across both links as expected. However, they want all traffic from a specific source IP to use only ISP1, while other traffic remains load-balanced. Which configuration should be applied?

Question 113hardmultiple choice
Review the full routing breakdown →

After upgrading FortiGate firmware, the administrator notices that the 'config router static' command now shows a new keyword 'distance' instead of 'weight'. The upgrade also changed the ECMP load-balancing behavior. What was the likely change in the ECMP algorithm?

Question 114easymultiple choice
Read the full System and Network Administration explanation →

A FortiGate is configured in transparent mode. Which of the following statements is true?

Question 115mediummulti select
Read the full network assurance explanation →

A FortiGate administrator needs to allow SNMP monitoring from a management station at 10.10.10.50. Which TWO configuration steps are required? (Choose two.)

Question 116mediummulti select
Read the full NAT/PAT explanation →

A FortiGate in NAT/Route mode has multiple internal networks. The administrator wants to configure a loopback interface for management access. Which THREE statements about loopback interfaces are correct? (Choose three.)

Question 117hardmulti select
Read the full System and Network Administration explanation →

You are troubleshooting a FortiGate HA cluster that is not failing over correctly. The cluster has two units in active-passive mode. You check the HA status and see both units are in 'standalone' mode. Which THREE configurations could cause this? (Choose three.)

Question 118mediummultiple choice
Review the full subnetting walkthrough →

A network administrator configures a new FortiGate as the default gateway for a subnet. The FortiGate has two WAN interfaces (port1 and port2) connected to different ISPs. The admin wants to load-balance outbound traffic across both links. Which configuration method will achieve this goal?

Question 119easymultiple choice
Review the full subnetting walkthrough →

A FortiGate administrator is setting up a new FortiGate in a network that requires the firewall to bridge traffic between two subnets without routing. Which operating mode should the administrator select?

Question 120hardmultiple choice
Read the full System and Network Administration explanation →

An administrator configures an HA cluster of two FortiGates in active-passive mode. The cluster is synchronized, but after a failover, some existing TCP sessions are dropped. What is the most likely cause?

Question 121mediummultiple choice
Read the full System and Network Administration explanation →

You run the following CLI command on a FortiGate: diagnose sys session filter dport 443 diagnose sys session list And you see the output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 122easymultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator needs to allow remote management of a FortiGate from the internet. Which administrative access protocols should be enabled on the WAN interface? (Choose the best single answer.)

Question 123mediummultiple choice
Review the full subnetting walkthrough →

An administrator configures a policy route to force traffic from a specific source subnet to use a particular WAN interface. After applying the configuration, the traffic still uses the default route. What is the most likely cause?

Question 124hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate administrator is upgrading firmware from version 6.0 to 7.0. The upgrade path requires multiple steps. Which of the following is the recommended method to ensure a successful upgrade?

Question 125mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate is configured with an aggregate interface (link aggregation group) consisting of two physical ports. The administrator notices that traffic is not being distributed evenly across the two links. Which configuration setting should be verified to improve load balancing?

Question 126easymultiple choice
Read the full System and Network Administration explanation →

An administrator needs to back up the full configuration of a FortiGate, including all system settings, policies, and objects. Which CLI command should be used?

Question 127mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator wants to integrate the FortiGate with a FortiAnalyzer for centralized logging. Which configuration step is required on the FortiGate?

Question 128hardmultiple choice
Open the full VLAN trunking answer →

An administrator configures a VLAN interface on a FortiGate's physical port with the IP 192.168.10.1/24. The VLAN ID is 10. The administrator connects a switch port configured as an access port (untagged) in VLAN 10. The devices on the switch cannot ping the FortiGate's VLAN interface. What is the most likely cause?

Question 129mediummultiple choice
Read the full DNS explanation →

A FortiGate administrator needs to ensure that all DNS queries from internal clients are forwarded to a specific DNS server for security filtering. Which configuration should be applied?

Question 130hardmulti select
Read the full System and Network Administration explanation →

A FortiGate is configured in an HA cluster with two units. The cluster is working, but the administrator wants to ensure that configuration changes made on the primary unit are automatically synchronized to the secondary unit. Which two conditions must be met? (Choose TWO.)

Question 131mediummulti select
Read the full network assurance explanation →

A network administrator is configuring SNMP on a FortiGate for monitoring. Which three pieces of information are required to complete the SNMPv2c configuration? (Choose THREE.)

Question 132mediummulti select
Read the full System and Network Administration explanation →

An administrator wants to use FortiManager to manage multiple FortiGates. Which three steps must be performed to establish communication between a FortiGate and FortiManager? (Choose THREE.)

Question 133easymultiple choice
Read the full System and Network Administration explanation →

A network administrator is configuring a FortiGate for the first time and needs to enable administrative access via HTTPS from the internal network. Which configuration step is required?

Question 134mediummultiple choice
Read the full System and Network Administration explanation →

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 135hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate configured in NAT/Route mode is connected to the internet via port1 with an IP 10.0.0.1/24. The internal network uses 192.168.1.0/24. Users can browse the internet but cannot reach a public server at 203.0.113.5. A static default route exists. What is the most likely cause?

Question 136mediummultiple choice
Read the full System and Network Administration explanation →

An administrator wants to upgrade the FortiGate firmware from version 6.4.9 to 7.0.1. What is the most important consideration before proceeding?

Question 137easymultiple choice
Read the full NAT/PAT explanation →

Which FortiGate operating mode is used when the device acts as a Layer 2 bridge without performing NAT?

Question 138mediummultiple choice
Review the full subnetting walkthrough →

An administrator notices that traffic to a particular subnet is being load-balanced across two WAN links, but they want all traffic to that subnet to use a single link. Which feature should be configured?

Question 139easymultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator needs to allow SSH management access from a specific IP address 10.0.0.100. Which configuration is required?

Question 140mediummultiple choice
Read the full System and Network Administration explanation →

An administrator wants to synchronize the FortiGate's time with a reliable NTP server. After configuring the NTP server, they notice the time is still incorrect. What could be the issue?

Question 141hardmultiple choice
Review the full routing breakdown →

A FortiGate has two internet connections: port1 (ISP1) and port2 (ISP2). An administrator configures two static default routes with equal distance and priority. Traffic to a specific public IP is observed going out port1, but the admin wants it to go out port2. What should be configured?

Question 142mediummultiple choice
Read the full System and Network Administration explanation →

An administrator wants to back up the FortiGate configuration to a remote FTP server. Which command should be used?

Question 143hardmultiple choice
Study the full SD-WAN breakdown →

A FortiGate is configured with two WAN interfaces in an SD-WAN zone. The administrator wants to ensure voice traffic uses the interface with the lowest latency. Which SD-WAN configuration should be used?

Question 144easymultiple choice
Read the full System and Network Administration explanation →

Which protocol does FortiGate use to synchronize sessions between HA cluster members?

Question 145mediummulti select
Read the full System and Network Administration explanation →

An administrator is configuring a FortiGate to send logs to a FortiAnalyzer. Which TWO of the following are required? (Choose two.)

Question 146hardmulti select
Read the full System and Network Administration explanation →

A FortiGate administrator is planning an upgrade from FortiOS 6.4 to 7.2. Which THREE steps should be performed before the upgrade? (Choose three.)

Question 147mediummulti select
Read the full System and Network Administration explanation →

An administrator wants to configure HA on two FortiGate units. Which TWO of the following must match on both units for the cluster to form? (Choose two.)

Question 148easymultiple choice
Review the full routing breakdown →

A FortiGate administrator needs to configure a static route to reach a remote network 192.168.100.0/24 via next-hop 10.0.0.1. Which CLI command should be used?

Question 149mediummultiple choice
Review the full subnetting walkthrough →

An administrator wants to allow management access to a FortiGate from a specific subnet 10.10.10.0/24 via HTTPS. Which configuration achieves this?

Question 150hardmultiple choice
Read the full System and Network Administration explanation →

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 151mediummultiple choice
Read the full System and Network Administration explanation →

An administrator configures a FortiGate in transparent mode. Which of the following is correct regarding transparent mode operation?

Question 152easymultiple choice
Read the full System and Network Administration explanation →

Which of the following is the correct way to upgrade the firmware on a FortiGate from the CLI?

Question 153mediummultiple choice
Read the full network assurance explanation →

An administrator wants to configure SNMP on a FortiGate to allow a monitoring server 192.168.1.100 to poll read-only information. Which set of commands is correct?

Question 154hardmultiple choice
Read the full NAT/PAT explanation →

A FortiGate has two WAN interfaces (wan1, wan2) configured with ECMP routes to the same destination. The administrator notices that traffic for a single session is being load-balanced across both links, causing performance issues. What should be configured to ensure sessions stick to one link?

Question 155mediummultiple choice
Read the full System and Network Administration explanation →

An administrator wants to back up the FortiGate configuration to a TFTP server at 10.10.10.10. Which CLI command should be used?

Question 156easymultiple choice
Read the full System and Network Administration explanation →

What is the purpose of configuring an NTP server on a FortiGate?

Question 157mediummultiple choice
Read the full System and Network Administration explanation →

An administrator needs to ensure that all traffic from the internal network to the internet goes through a web proxy for content filtering. Which configuration is required on the FortiGate?

Question 158hardmultiple choice
Read the full System and Network Administration explanation →

A FortiGate in HA active-passive cluster is experiencing failover events. The administrator runs 'get system ha status' and sees that the 'sync status' is 'out of sync'. What is the most likely cause?

Question 159mediummultiple choice
Review the full subnetting walkthrough →

An administrator configures a policy route to send all traffic from subnet 172.16.1.0/24 to a specific next-hop 10.0.0.2. However, the traffic is still using the default route. What could be the reason?

Question 160mediummulti select
Read the full System and Network Administration explanation →

An administrator is configuring a new FortiGate and wants to ensure it can be managed centrally via FortiManager. Which TWO steps are required?

Question 161hardmulti select
Read the full System and Network Administration explanation →

A FortiGate is configured in active-active HA mode. An administrator notices that session failover is not working properly during a failover event. Which THREE configurations should be checked?

Question 162easymulti select
Read the full System and Network Administration explanation →

An administrator wants to integrate FortiGate with FortiAnalyzer for logging. Which TWO steps are necessary?

Question 163mediummultiple choice
Review the full subnetting walkthrough →

A network administrator needs to configure a FortiGate to allow administrative access from a specific management subnet only. Which configuration step should be taken?

Question 164easymultiple choice
Review the full routing breakdown →

A FortiGate is configured with two WAN interfaces (port1 and port2) connected to different ISPs. The administrator wants to load-balance outbound traffic across both links using equal-cost routes. Which routing configuration should be applied?

Question 165hardmultiple choice
Read the full System and Network Administration explanation →

An administrator runs the following CLI command on a FortiGate: 'diagnose sys session filter dport 443' and sees output indicating sessions with proto_state=01 and duration=3600. What does this indicate about the sessions?

Question 166mediummultiple choice
Open the full VLAN trunking answer →

A FortiGate is operating in transparent mode. The administrator needs to configure a new VLAN interface for segmenting traffic. Which statement about VLAN interfaces in transparent mode is correct?

Question 167easymultiple choice
Read the full System and Network Administration explanation →

An administrator wants to upgrade the FortiOS firmware on a FortiGate. Which step is critical before starting the upgrade process?

Question 168mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator needs to integrate with FortiAnalyzer for centralized logging. After configuring the FortiAnalyzer IP and enabling logging, the FortiGate shows 'connection status: disconnected'. What is the most likely cause?

Question 169hardmultiple choice
Read the full System and Network Administration explanation →

An administrator configures a FortiGate HA cluster with two units in active-passive mode. After setup, the secondary unit shows 'standby' status but traffic is not failing over when the primary is shut down. What is the most likely cause?

Question 170easymultiple choice
Read the full DNS explanation →

A FortiGate needs to resolve DNS names for outbound traffic. The administrator configures DNS servers under System > DNS. However, internal DNS queries for private domains fail. What additional configuration is required?

Question 171mediummultiple choice
Read the full System and Network Administration explanation →

An administrator needs to configure a loopback interface on a FortiGate for management purposes. Which of the following is true regarding loopback interfaces?

Question 172hardmultiple choice
Review the full subnetting walkthrough →

A FortiGate administrator configures policy-based routing (PBR) to direct traffic from subnet 192.168.1.0/24 to the internet via ISP1. However, traffic from that subnet is still using the default route via ISP2. What is the most likely cause?

Question 173mediummultiple choice
Read the full network assurance explanation →

An administrator wants to configure SNMPv3 on a FortiGate for secure monitoring. Which configuration is required?

Question 174easymultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator needs to backup the configuration to a remote TFTP server. Which CLI command should be used?

Question 175mediummulti select
Read the full System and Network Administration explanation →

A network administrator has two FortiGate units that need to be configured as an HA cluster. Which TWO of the following are prerequisites for HA formation?

Question 176hardmulti select
Open the full VLAN trunking answer →

A FortiGate administrator needs to configure a VLAN interface and an aggregate interface. Which THREE statements are correct regarding these interface types?

Question 177mediummulti select
Review the full routing breakdown →

An administrator is troubleshooting why traffic from a specific source IP is not being matched by a policy route. Which THREE steps should the administrator take to diagnose the issue?

Question 178mediummultiple choice
Read the full System and Network Administration explanation →

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

Question 179mediummultiple choice
Read the full System and Network Administration explanation →

An administrator is configuring a new FortiGate and wants to allow management access from the internal network via HTTPS. The internal interface is port2 with IP 192.168.1.1/24. Which CLI command correctly enables HTTPS administrative access on port2?

Question 180mediummultiple choice
Review the full routing breakdown →

After upgrading FortiGate firmware from 6.0 to 7.2, an administrator notices that a static route pointing to a next-hop IP 10.0.0.1 is no longer working. The route is present in the configuration but the FortiGate shows it as 'not active'. What is the MOST likely cause?

Question 181easymultiple choice
Read the full NAT/PAT explanation →

A FortiGate is deployed in NAT/Route mode. The administrator wants to create a policy that allows internal users to access the internet and also translates their private IP addresses to the public IP of the FortiGate's WAN interface. Which policy configuration is required?

Question 182hardmultiple choice
Read the full System and Network Administration explanation →

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 183mediummultiple choice
Review the full routing breakdown →

A FortiGate administrator needs to configure a policy route to send all traffic destined to 10.10.10.0/24 out through interface port3 instead of the default route. Which configuration steps are necessary?

Question 184easymultiple choice
Read the full System and Network Administration explanation →

An administrator has configured two FortiGate units in an active-passive HA cluster. The primary unit fails. How does the secondary unit become active?

Question 185hardmultiple choice
Read the full System and Network Administration explanation →

An administrator configures an aggregate interface (port1 and port2) on a FortiGate. After connecting the switch ports, the aggregate interface shows 'down'. The individual member ports are up. What is the MOST likely cause?

Question 186mediummultiple choice
Read the full VPN explanation →

An administrator is troubleshooting a loss of connectivity between two sites connected via a VPN tunnel. The FortiGate logs show 'Tunnel: phase 1 negotiation failed'. Which two parameters MUST match on both peers for phase 1 to succeed? (Select two. Not all options are used.)

Question 187easymultiple choice
Read the full System and Network Administration explanation →

A FortiGate administrator wants to ensure that all firewall policies are backed up before performing a firmware upgrade. Which backup method preserves the configuration in a format that can be restored to the same or different FortiGate model?

Question 188mediummultiple choice
Read the full System and Network Administration explanation →

An administrator needs to forward logs from a FortiGate to a FortiAnalyzer for centralized logging. The FortiAnalyzer IP is 10.10.10.10. Which configuration is required on the FortiGate?

Question 189mediummulti select
Read the full NAT/PAT explanation →

An administrator is configuring ECMP (Equal-Cost Multi-Path) on a FortiGate. Which TWO conditions are required for ECMP to load balance traffic across multiple routes?

Question 190hardmulti select
Open the full VLAN trunking answer →

A FortiGate configured in transparent mode needs to allow HTTP traffic between two VLANs. The administrator has created a firewall policy. However, traffic is still blocked. Which TWO additional configurations are necessary for transparent mode operation?

Question 191mediummulti select
Review the full subnetting walkthrough →

An administrator wants to allow only HTTPS and SSH administrative access to the FortiGate from a specific management subnet 192.168.100.0/24. Which TWO steps must be taken on the FortiGate?

Question 192mediummulti select
Read the full System and Network Administration explanation →

An administrator is planning a firmware upgrade from FortiOS 6.0 to 7.2. Which THREE steps should be performed before starting the upgrade process?

Question 193mediummultiple choice
Read the full NAT/PAT explanation →

A network administrator has configured a static route on a FortiGate with a distance of 10 and a priority of 0. Later, they add another static route to the same destination with a distance of 15 and priority of 0. Which route will be used for traffic forwarding?

Question 194hardmultiple choice
Read the full System and Network Administration explanation →

You are troubleshooting a FortiGate HA cluster (active-passive) and notice that after a failover, some existing TCP sessions are not being maintained. The hbdev heartbeat interfaces are configured correctly, and session synchronization is enabled. What is the MOST likely cause?

Question 195easymultiple choice
Read the full NAT/PAT explanation →

Which of the following FortiGate operating modes allows the firewall to act as a Layer 3 device, performing NAT and routing between interfaces?

Question 196mediummultiple choice
Review the full subnetting walkthrough →

An administrator configures a policy route to direct traffic from subnet 10.1.1.0/24 to the internet via ISP1 with a gateway of 203.0.113.1. However, traffic from that subnet is still using the default route via ISP2. What is the MOST likely cause?

Question 197hardmultiple choice
Read the full System and Network Administration explanation →

You run the following diagnose command on a FortiGate and see the output:

diagnose sys session filter dport 443 diagnose sys session list

... proto=6 proto_state=01 duration=3600 expire=3599 ...

What does the 'proto_state=01' indicate?

Question 198mediummulti select
Read the full System and Network Administration explanation →

A FortiGate administrator needs to configure a backup and restore strategy for the FortiGate configuration. Which TWO statements are correct regarding configuration backup and restore?

Question 199mediummulti select
Read the full network assurance explanation →

An administrator is configuring SNMP on a FortiGate for monitoring. Which THREE items are required for SNMPv3 configuration?

Question 200hardmulti select
Read the full System and Network Administration explanation →

A FortiGate administrator is setting up a new FortiGate and needs to integrate it with FortiAnalyzer and FortiManager. Which THREE statements are correct regarding this integration?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

NSE4 Practice Test 1 — 10 Questions→NSE4 Practice Test 2 — 10 Questions→NSE4 Practice Test 3 — 10 Questions→NSE4 Practice Test 4 — 10 Questions→NSE4 Practice Test 5 — 10 Questions→NSE4 Practice Exam 1 — 20 Questions→NSE4 Practice Exam 2 — 20 Questions→NSE4 Practice Exam 3 — 20 Questions→NSE4 Practice Exam 4 — 20 Questions→Free NSE4 Practice Test 1 — 30 Questions→Free NSE4 Practice Test 2 — 30 Questions→Free NSE4 Practice Test 3 — 30 Questions→NSE4 Practice Questions 1 — 50 Questions→NSE4 Practice Questions 2 — 50 Questions→NSE4 Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

System and Network AdministrationFirewall Policies and NATAuthentication and VPNSecurity ProfilesHigh Availability and Diagnostics

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All System and Network Administration setsAll System and Network Administration questionsNSE4 Practice Hub