Fortinet NSE 4 Network Security Professional NSE4 (NSE4) — Questions 901-975

1000 questions total · 14 pages · All types, answers revealed


Page 13 of 14

901
Multi-Select · hard

A FortiGate administrator needs to configure an active-passive HA cluster to ensure that management access is available via a dedicated IP address that moves with the active unit. Which THREE configuration steps are required? (Choose three.)

Select 3 answers
A. Set the management interface under config system ha -> set ha-mgmt-status enable and assign an IP
B. Configure the management interface as part of the 'ha-mgmt-interface' under config system ha
C. Configure a dedicated heartbeat interface
D. Ensure the management interface is included in the HA synchronization by adding it to 'ha-mgmt-interface'
E. Assign a virtual MAC address to the management interface
Answers: A, B, D

These three steps set up the reserved HA management interface on the cluster.

Why this answer

The reserved management interface is enabled with set ha-mgmt-status enable and listed under config ha-mgmt-interfaces inside config system ha; the interface itself (a physical port or a VLAN) carries the management address, and the gateway for that interface is given in the same HA sub-table. Note what the feature actually does: the reserved interface is taken out of normal cluster processing and its address and gateway are not synchronized, so each member keeps its own management IP and stays reachable whether or not it is the primary. A heartbeat interface (C) is required for any cluster but is not specific to management access, and FortiGate assigns virtual MAC addresses to cluster interfaces automatically (E), so that is not a configuration step.
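The CLI that the three steps above correspond to, as an added example that is not part of the question bank. Port names, addresses, the group name and the password are assumptions; the second member gets the same HA block with its own address on port1.

```fortios
# Added example (not from the question bank): reserved HA management interface
# on an active-passive pair. port1/port9/port10 and all addresses are assumptions.
config system ha
    set group-name "edge-cluster"
    set mode a-p
    set password "changeme-use-a-long-secret"
    set hbdev "port9" 50 "port10" 100   # dedicated heartbeat links, with a priority per link
    set override disable
    set ha-mgmt-status enable           # option A: turn on the reserved management interface
    config ha-mgmt-interfaces           # options B/D: name the port that is reserved
        edit 1
            set interface "port1"
            set gateway 10.10.0.1       # gateway used only by the reserved port
        next
    end
end
# The reserved port keeps its own address per member and is not synchronized,
# so this block is entered on each unit with a different IP.
config system interface
    edit "port1"
        set ip 10.10.0.11 255.255.255.0   # e.g. 10.10.0.12 on the second member
        set allowaccess ping https ssh
    next
end
```

After both members are configured, get system ha status on either unit shows the roles, and each unit answers on its own management address regardless of which one is primary.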

902
MCQ · hard

An administrator configures a FortiGate HA cluster with two units in active-passive mode. After setup, the secondary unit shows 'standby' status but traffic is not failing over when the primary is shut down. What is the most likely cause?

A. The HA heartbeat interface is not configured on the same subnet.
B. The cluster is in active-active mode.
C. The session failover feature is disabled.
D. The primary unit's configuration changes were not synchronized to the secondary.
Answer: D

Why this answer

Option D is correct because in an active-passive cluster the secondary can only take over traffic if it holds a synchronized copy of the primary's configuration: interfaces, routes, policies and objects. Configuration synchronization (set sync-config under config system ha) is on by default, but if it has been disabled or keeps failing, the secondary still shows 'standby' in the HA status while running stale or empty policies, so traffic is dropped after failover even though the cluster looked healthy. The practical check is to compare the members' configuration checksums with diagnose sys ha checksum cluster and confirm they match before trusting the standby unit.

Exam trap

The trap here is that candidates assume 'standby' status guarantees failover readiness, but a member can be in standby with an out-of-sync configuration; sync-config must be enabled and the checksums must match for the standby unit to carry traffic, otherwise it is a passive observer without working policies.

How to eliminate wrong answers

Option A is wrong because HA heartbeats are layer 2 frames exchanged directly between the heartbeat interfaces, not routed packets, so an IP subnet is not what matters; if the units could not see each other's heartbeats they would never have formed a cluster, and the secondary would not show 'standby' at all. Option B is wrong because the cluster is explicitly configured in active-passive mode, as stated in the question; the secondary showing 'standby' confirms passive operation. Option C is wrong because session pickup only preserves existing sessions across a failover; new connections fail over without it, so its absence would not explain a complete loss of traffic.

903
MCQ · hard

A FortiGate administrator needs to configure a policy so that traffic to a specific external server is exempted from SSL deep inspection. Which method should be used?

A. Add the server's address to the 'SSL/SSH Inspection Profile' exemptions list
B. Create a separate firewall policy without SSL inspection for that server
C. Disable the IPS sensor on that policy
D. Set the antivirus profile to 'monitor' only
Answer: A

Exemptions in the SSL inspection profile allow bypassing deep inspection for specific destinations while keeping the profile applied.

Why this answer

Exemptions are added in the SSL/SSH inspection profile (config ssl-exempt under config firewall ssl-ssh-profile, keyed by an address object, a FortiGuard category or a wildcard FQDN) and bypass decryption for those destinations only, so the rest of the traffic on the policy is still decrypted and inspected. Option B would also work mechanically, but it duplicates the policy and is not the intended answer; options C and D adjust other profiles and do not stop decryption at all.

904
MCQ · hard

An administrator configures a VIP for inbound HTTP traffic to an internal server (192.168.1.10:80). External users can reach the server via the VIP, but internal users on the same subnet as the server cannot access the server using its public IP. What is the most likely cause?

A. The internal users do not have a route to the VIP's public IP
B. The firewall policy for internal-to-DMZ traffic has NAT disabled
C. The VIP is configured on the wrong interface
D. NAT reflection (hairpin NAT) is not enabled
Answer: D

Why this answer

Option D is correct. An internal user sending a packet to the public VIP address (say 203.0.113.10) follows its default route to the FortiGate on the LAN interface. Two things have to happen for that to work. First, the VIP's destination NAT must apply to traffic arriving on the LAN interface, which it does not when the VIP's external interface is the WAN port only. Second, once the destination is rewritten to 192.168.1.10, the packet goes back out the same LAN interface; if the source address is left as the user's private IP, the server replies directly to a host on its own subnet, the reply never passes through the FortiGate, the client sees a response from 192.168.1.10 instead of 203.0.113.10, and the TCP session fails. Hairpin NAT (also called NAT loopback or NAT reflection) is the LAN-to-LAN policy that matches the VIP and enables source NAT so that the server answers the FortiGate.

Exam trap

The trap here is that candidates often assume internal users can reach the server via the public IP because the VIP works for external users, overlooking the fact that hairpin NAT is a separate policy (same ingress and egress interface, VIP as destination, NAT enabled) that must be added for traffic that enters and exits the same FortiGate interface.

How to eliminate wrong answers

Option A is wrong because the internal users already reach the public address through their default route to the FortiGate; the problem is not routing but how the packet is translated once it arrives. Option B is wrong because the server is on the same subnet as the users, so no internal-to-DMZ policy is involved; the traffic is LAN to the VIP, and the missing piece is source NAT on a LAN-to-LAN policy, not NAT on a DMZ policy. Option C is wrong because external users can reach the server, so the VIP is attached to the correct external interface; what is missing is a second path for the hairpin case.

905
MCQ · medium

An administrator configures an application control profile to block social media applications. Users can still access Facebook and Twitter via web browsers. What is the most likely reason?

A. The application signatures for Facebook and Twitter are not up to date
B. The firewall policy has SSL/SSH inspection set to 'certificate-inspection' instead of 'deep-inspection'
C. The application control profile is set to 'monitor' instead of 'block'
D. The firewall policy is configured with flow-based inspection
Answer: B

Certificate inspection only sees the TLS handshake; deep inspection decrypts the traffic so the full set of application signatures can be matched.

Why this answer

Application control identifies applications by matching signatures against the traffic. Under certificate inspection the FortiGate sees only the handshake (the SNI and the server certificate), so it can recognise a site at the hostname level but cannot match the signatures that depend on the decrypted payload, which is where most of the social media sub-application signatures (posting, chat, uploads) live. With deep inspection the session is decrypted, the signatures match and the block action applies. Check the SSL/SSH inspection profile on the policy and the application control log: if the traffic is logged as generic HTTPS rather than the named application, the content was never visible to the engine.

906
MCQ · hard

A FortiGate is configured with flow-based antivirus and an IPS profile on a policy. The administrator runs 'diagnose ips packet-list' and sees that packets are being forwarded without inspection. What is the most likely reason?

A. The session is offloaded to the NPU and is not being sent to the IPS engine
B. The antivirus profile is set to proxy-based, conflicting with flow-based IPS
C. The IPS profile is configured with 'monitor' mode instead of 'protect'
D. The traffic is UDP and flow-based inspection does not inspect UDP
Answer: A

In flow-based mode a session can be offloaded to the network processor (NPU) once the IPS engine has finished with it; the remaining packets of that session are switched in hardware and never reach the engine. This is expected behaviour, not a failure.

Why this answer

Flow-based inspection hands each packet to the IPS engine for as long as the engine still needs to see the flow; once it has applied its signatures, or decided the session needs no further inspection, the session can be offloaded to the NPU, and from then on packets are forwarded without the CPU, so a per-packet IPS diagnostic shows them passing uninspected. Option D is wrong because flow-based inspection does inspect UDP; the distinction is hardware offload, not the transport protocol. To confirm, look at the session with diagnose sys session list: an offloaded session shows NPU offload information in its entry. If every packet of a policy's traffic must reach the engine, disable offload on that policy with set auto-asic-offload disable.

907
MCQ · hard

Refer to the exhibit. The HA cluster has been operational for 5 days. The primary unit suddenly loses power. Which of the following will happen?

A. The secondary unit will become primary, but all existing sessions will be dropped.
B. The cluster will remain without a primary until the original unit is restored.
C. The secondary unit will become primary and maintain only TCP sessions.
D. The secondary unit will become primary and maintain existing UDP sessions.
Answer: D

In the exhibit both session-pickup and session-pickup-connectionless are enabled, so UDP sessions (as well as TCP sessions) are synchronized to the secondary and survive the failover.

Why this answer

Session synchronization in a FortiGate cluster is controlled by two settings under config system ha, and neither is on by default. set session-pickup enable synchronizes established TCP sessions to the other member; set session-pickup-connectionless enable additionally synchronizes connectionless sessions (UDP and ICMP). With both enabled, as the exhibit shows, the secondary takes over as primary when the original loses power and keeps the synchronized TCP and UDP sessions, so option D is the only statement that is true. Sessions that are being handled by proxy-based inspection are not preserved regardless of these settings.

Exam trap

The trap here is that candidates either assume all sessions are synchronized by default, or assume session pickup covers UDP; in fact session-pickup alone covers TCP, and connectionless traffic needs session-pickup-connectionless as well, which is why the exhibit matters.

How to eliminate wrong answers

Option A is wrong because session pickup is enabled, so existing sessions are not all dropped. Option B is wrong because the remaining member is elected primary as soon as heartbeats from the failed unit stop; the cluster does not wait for the original unit to return. Option C is wrong because session-pickup-connectionless is also enabled, so UDP sessions are maintained too, not only TCP.

908
Multi-Select · medium

A FortiGate administrator is configuring a hub-and-spoke IPsec VPN with three spokes. Each spoke has a dial-up connection to the hub. The hub uses a dynamic DNS name. Which THREE settings are necessary on each spoke to establish the VPN?

Select 3 answers
A. A static route on the spoke for the hub's local networks
B. The pre-shared key or certificate for authentication
C. Hub's public IP address or FQDN as remote gateway
D. The Phase 2 proposal (encryption, authentication, etc.)
E. NAT enabled on the spoke tunnel interface
Answers: B, C, D

An authentication credential (pre-shared key or certificate) is required for Phase 1 to complete.

Why this answer

Each spoke initiates the tunnel, so it must know where the hub is: because the hub uses a dynamic DNS name, the spoke's Phase 1 is created with the remote gateway type set to dynamic DNS and the hub's FQDN, which the spoke resolves before each negotiation. Phase 1 also needs the shared authentication credential, and Phase 2 needs a proposal (and selectors) that match the hub's. A route to the hub's networks via the tunnel interface (A) and a firewall policy are needed for traffic to flow, but not for the tunnel itself to come up; NAT on the tunnel interface (E) plays no part in establishing the VPN.

909
Multi-Select · medium

Which TWO statements about firewall policy authentication are correct?

Select 2 answers
A. Authentication cannot be used with FSSO
B. Authentication is only supported for inbound traffic
C. Authentication can be configured on a per-policy basis
D. Authentication can be based on local, LDAP, or RADIUS databases
E. Authentication is performed after the traffic is allowed by the policy
Answers: C, D

Authentication is a policy setting.

Why this answer

Option C is correct because authentication is enabled on an individual firewall policy by adding users or user groups as its source (the users and groups fields of the policy); only policies that reference a group require a login, so administrators can demand authentication for sensitive destinations without touching other traffic. Option D is correct because those groups can contain local users or users from remote LDAP, RADIUS or TACACS+ servers, and FSSO groups can be referenced in the same way (so A is false). Authentication is evaluated while the policy is being matched, not after the policy has already accepted the traffic, and it applies in whichever direction the policy is written.

Exam trap

The trap here is that candidates often assume authentication is only for inbound traffic or that it happens after policy allowance, but FortiGate checks the user's identity as part of matching the policy, not as a post-allowance step.

910
MCQ · hard

An administrator notices that traffic to a specific HTTPS website is being blocked. The FortiGate has SSL inspection enabled, and the web filter profile is set to monitor all categories. The URL is not in any blocked category. What should the administrator check next?

A. Check if the SSL inspection policy is using certificate inspection instead of full SSL inspection.
B. Review the SSL/SSH inspection profile's certificate revocation check settings.
C. Ensure that the FortiGate has the latest web filter database.
D. Verify that the web filter has the correct rating for the URL.
Answer: B

If the server's certificate is revoked, or its revocation status cannot be determined, the SSL/SSH inspection profile can block the connection on its own.

Why this answer

When SSL inspection is enabled and one HTTPS site is blocked even though the web filter allows it, the next thing to look at is certificate validation in the SSL/SSH inspection profile. The profile has its own actions for revoked, untrusted and expired server certificates and for validation failures and timeouts (for example revoked-server-cert set to block), and these are applied independently of the web filter verdict. If the FortiGate cannot confirm the certificate's revocation status via OCSP or CRL, or the certificate is in fact revoked, the session is blocked and the event appears as an SSL log entry rather than a web filter one. Option B points at exactly that setting.

Exam trap

The trap here is that candidates often assume HTTPS blocking is always due to web filter categories or inspection depth, overlooking that certificate checks in the SSL inspection profile can independently block traffic even when the URL is allowed by the web filter.

How to eliminate wrong answers

Option A is wrong because the inspection depth decides what the FortiGate can see, not whether it blocks; the question says SSL inspection is already on and the web filter monitors everything, so switching between certificate and deep inspection would not explain a block. Option C is wrong because an outdated web filter database would show up as a wrong or missing category, but the URL is already known not to be in a blocked category. Option D is wrong because the administrator has already confirmed the URL's rating; re-verifying it would not resolve a block caused by certificate validation.

911
MCQ · easy

Which log severity level indicates that the system is unusable?

A. Error
B. Critical
C. Alert
D. Emergency
Answer: D

Emergency severity indicates the system is unusable.

Why this answer

FortiGate log severities follow standard syslog: Emergency (0) is the highest severity, indicating system is unusable.

912
MCQ · medium

A FortiGate administrator needs to ensure that all DNS queries from internal clients are forwarded to a specific DNS server for security filtering. Which configuration should be applied?

A. Use policy routing to redirect DNS traffic to the server
B. Create a firewall policy to allow DNS traffic to the external server only
C. Enable DNS forwarding under Network > DNS and set the system DNS to the desired server
D. Configure a DNS database on the FortiGate
Answer: C

With a DNS service enabled on the internal interface in forward-only mode, the FortiGate answers client queries by relaying them to its system DNS servers.

Why this answer

Option C is correct because the FortiGate can act as a DNS forwarder: a DNS service is enabled on the internal interface (Network > DNS Servers, or config system dns-server) in forward-only mode, and the system DNS servers (Network > DNS, config system dns) are pointed at the filtering server. Clients that use the FortiGate as their resolver then have every query relayed to that server. Two caveats a practitioner should keep in mind: clients must actually be configured (typically via DHCP) to use the FortiGate as their resolver, and a client that hard-codes another resolver bypasses the forwarder, so the usual companion is a firewall policy that denies outbound DNS to any other destination, or a DNS filter profile on the outbound policy.

Exam trap

The trap here is that candidates often confuse DNS forwarding with policy routing or firewall policies, assuming traffic redirection requires routing or allow rules, rather than understanding that DNS forwarding is a dedicated application-layer relay feature.

How to eliminate wrong answers

Option A is wrong because policy routing steers packets by source, destination, protocol or port to a different next hop; it does not rewrite the destination, so a query addressed to 8.8.8.8 still arrives at 8.8.8.8, just via a different gateway. Option B is wrong because an allow policy permits traffic to the external server but does not force clients to use it; clients configured for another resolver simply fail or find another path. Option D is wrong because a DNS database on the FortiGate hosts local zones (internal names, split DNS), which is not forwarding queries to an external filtering server.
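The forwarder described in option C, together with the DHCP and policy pieces that make it actually cover every client, as an added example that is not part of the question bank. Interface names, the filtering resolver's address and the LAN addressing are assumptions.

```fortios
# Added example (not from the question bank): FortiGate as a DNS forwarder for the LAN.
# Interface names, the resolver address and the LAN range are assumptions.
config system dns
    set primary 203.0.113.53        # the security-filtering resolver
    set secondary 203.0.113.54
end
config system dns-server
    edit "port2"                     # LAN-facing interface answers DNS
        set mode forward-only        # relay every client query to the system DNS servers
    next
end
# Hand out the FortiGate's own LAN address as the clients' resolver.
config system dhcp server
    edit 1
        set interface "port2"
        set dns-service local        # 'local' = this FortiGate's interface IP
        set default-gateway 192.168.1.1
        set netmask 255.255.255.0
        config ip-range
            edit 1
                set start-ip 192.168.1.100
                set end-ip 192.168.1.200
            next
        end
    next
end
# Clients that hard-code another resolver would bypass the forwarder; deny direct DNS
# from the LAN. This policy must sit above the general LAN-to-WAN allow policy.
config firewall policy
    edit 20
        set name "deny-direct-dns"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
end
```

The FortiGate's own upstream queries to 203.0.113.53 are self-originated and are not matched by the deny policy, so the forwarder keeps working while direct client queries are dropped and logged.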

913
MCQ · easy

A FortiGate administrator needs to create a firewall policy that allows outbound traffic to the internet but denies access to a specific list of malicious IP addresses. The malicious IP list is updated frequently. Which address object type should be used for the destination addresses to block?

A. IP Range address object
B. FQDN address object
C. Geography address object
D. Subnet address object
Answer: B

Of the four listed types, only the FQDN object changes on its own: it resolves through DNS and follows whatever addresses the name returns.

Why this answer

Subnet, IP range and geography objects are static values typed into the configuration, so a frequently changing list would have to be re-entered by hand. An FQDN object is re-resolved as its DNS TTL expires, so it tracks the current set of addresses without an administrator touching the object. In practice, when a threat intelligence provider publishes the list as a feed of IP addresses, the better tool (not offered among these options) is an IP Address threat feed under Security Fabric > External Connectors, which fetches the list on a schedule and can be used directly as the destination of a deny policy.

914
Multi-Select · medium

A network admin is configuring a security policy for outbound HTTP traffic. The requirements are: (1) block access to known malicious websites, (2) prevent users from downloading executable files, (3) detect and block C2 traffic. Which THREE security profiles should be applied to the policy?

Select 3 answers
A. Antivirus
B. Web Filtering
C. Application Control
D. IPS
E. DNS Filter
Answers: A, B, D

Antivirus can block executable file downloads based on file type or virus signatures.

Why this answer

Options A, B and D are correct: web filtering blocks known malicious websites (FortiGuard category and URL filtering), antivirus blocks executable downloads (its file blocking options and virus signatures), and IPS detects and blocks command-and-control traffic using its botnet and C2 signatures. Application control and DNS filter are useful elsewhere but do not satisfy these three requirements on an HTTP policy.

915
MCQ · hard

In an active-active HA cluster, session synchronization is configured. A new session is created on the primary unit. When does the secondary unit learn about this session?

A. During the next heartbeat interval
B. After the session is closed
C. Within a few milliseconds to seconds after creation
D. Immediately upon session creation
Answer: C

Session synchronization runs over the HA heartbeat link as a continuous stream of session updates, so the other member learns about a new session shortly after it is created, not on a fixed heartbeat tick and not only at close.

Why this answer

With session pickup enabled, each member sends session creation, update and deletion messages to the other members over the heartbeat interfaces as soon as it can, so a new session normally appears on the secondary within milliseconds to seconds, depending on load and firmware. The delay is not zero (D): a session that ends within that window may never reach the secondary, which is why session pickup is best understood as protecting established, longer-lived sessions rather than every flow.

916
MCQ · medium

An administrator wants to use FortiToken two-factor authentication for SSL VPN users. In addition to configuring the user's FortiToken, which setting must be enabled on the firewall policy to force two-factor authentication?

A. Set the 'auth type' to 'token' on the SSL VPN portal
B. Enable 'Two-factor authentication' on the firewall policy
C. Enable 'Two-factor authentication' on the user group that the policy references
D. Configure a FortiToken server object
Answer: C

Two-factor authentication is a property of the users the policy references, not of the policy itself.

Why this answer

There is no two-factor switch on a firewall policy or on the SSL VPN portal. Two-factor authentication is enabled on the user account (for a local user, set two-factor fortitoken with the token serial under config user local), the user is placed in a group, and the SSL VPN settings and firewall policy reference that group. When the policy references the group, every login through it requires both the password and the token code; any user in the group without two-factor enabled would still log in with a password alone, so check each member. Option D is wrong because FortiTokens are activated on the FortiGate itself (or via FortiToken Cloud); there is no separate 'FortiToken server' object to create.

917
MCQ · easy

Which statement about the implicit deny policy at the bottom of the firewall policy list is true?

A. It only applies to traffic from the internet
B. It can be edited to change the action to accept
C. It is optional and can be removed
D. It drops all traffic that does not match any explicit policy
Answer: D

Why this answer

The implicit deny policy is the built-in rule (policy ID 0) at the bottom of the FortiGate firewall policy list that drops all traffic not matching any explicit policy. It ensures that only explicitly permitted traffic is allowed, enforcing a default-deny posture. Its action cannot be changed and it cannot be removed or reordered; the one thing an administrator can change on it is logging (Log Violation Traffic), which is worth enabling when troubleshooting, since dropped flows then show up in the forward traffic log with policy ID 0.

Exam trap

The trap here is that candidates often think the implicit deny policy can be edited or removed because they confuse it with an explicit deny policy that they can create and modify, but the implicit deny is a fixed rule at the bottom of the list.

How to eliminate wrong answers

Option A is wrong because the implicit deny policy applies to all traffic, not just traffic from the internet; it covers internal, DMZ, and any other interface traffic as well. Option B is wrong because the implicit deny policy is hardcoded and cannot be edited; its action is permanently deny and cannot be changed to accept. Option C is wrong because the implicit deny policy is mandatory and cannot be removed; it is always present at the bottom of the policy list.

918
MCQ · hard

A FortiGate administrator is troubleshooting a dial-up IPsec VPN where remote users can connect but traffic does not pass. The Phase 1 and Phase 2 status show 'up'. The administrator runs 'diagnose vpn tunnel list' and sees the tunnel is up. However, 'diagnose sys session list' shows no sessions for the remote user's IP. What is the MOST likely cause?

A. The Phase 2 proposal uses AES256 but the remote client only supports AES128
B. The FortiGate's routing table does not have a route to the remote user's subnet
C. There is no firewall policy permitting traffic from the dial-up interface to the destination network
D. The remote user's FortiClient is blocking split tunneling
Answer: C

A common issue after VPN establishment is a missing firewall policy. Even with the tunnel up, traffic is dropped unless a policy allows it.

Why this answer

Option C is correct. The tunnel being up only means the IKE negotiation succeeded; packets arriving through the tunnel interface are still subject to the policy table, and with no policy from the dial-up interface to the internal network they hit the implicit deny and no session is ever created, which is exactly what the empty session list shows. Option A cannot be the cause because a proposal mismatch would have stopped Phase 2 from coming up. Option B would typically produce sessions that fail on the return path rather than no sessions at all. To confirm, run diagnose debug flow with a filter on the remote user's IP: a missing policy shows as the packet being denied by the forward policy check on policy 0.

919
MCQ · easy

A FortiGate administrator needs to allow remote management of a FortiGate from the internet. Which administrative access protocols should be enabled on the WAN interface? (Choose the best single answer.)

A. Ping and SNMP
B. HTTP and Telnet
C. FTP and TFTP
D. HTTPS and SSH
Answer: D

HTTPS and SSH provide encrypted access for web and CLI management.

Why this answer

HTTPS (port 443) and SSH (port 22) are the only administrative access protocols in the list that encrypt the management session, so they are the only ones acceptable on an interface exposed to the internet. HTTP and Telnet transmit credentials and configuration in plaintext, making them unsuitable for WAN-facing interfaces. Enabling them is the minimum, not the whole job: restrict each administrator account with trusted hosts (trusthost under config system admin) so only known source addresses can reach the login at all, require two-factor authentication for administrators, and consider moving the GUI and SSH off their default ports. Where possible, management from the internet should go through a VPN rather than being exposed directly.

Exam trap

The trap here is that candidates often confuse 'administrative access' with monitoring or file transfer protocols (SNMP, FTP), or fail to recognise that HTTP and Telnet are insecure for internet-facing interfaces, leading them to choose options that include unencrypted protocols.

How to eliminate wrong answers

Option A is wrong because Ping (ICMP) is not an administrative access protocol, it is used for connectivity testing, and SNMP is a monitoring protocol, not a management interface for CLI/GUI access. Option B is wrong because HTTP and Telnet both transmit data in plaintext, exposing credentials and configuration to interception, and are strongly discouraged on any internet-facing interface. Option C is wrong because FTP and TFTP are file transfer protocols, not administrative access protocols; they do not provide a command-line or web-based management interface for the FortiGate itself.

920
MCQ · medium

In an active-active HA cluster, the administrator notices that traffic is not being load-balanced evenly across both units. What is the most likely cause?

A. The load balance method is set to 'none'
B. The heartbeat interface speed is mismatched
C. The load balance method is set to 'source-ip' which naturally causes imbalance
D. The cluster is using active-passive mode
Answer: A

If the load-balance schedule is 'none', the primary handles all traffic; this is a common misconfiguration.

Why this answer

In active-active HA the schedule setting under config system ha (none, hub, leastconnection, round-robin, weight-round-robin, random, ip, ipport) decides how the primary distributes sessions to the other members; with none, nothing is distributed and the primary processes everything itself. A second reason for 'uneven' results that is not a misconfiguration: by default an active-active cluster only distributes sessions that need proxy-based security profile inspection, and set load-balance-all enable is required before all TCP sessions are distributed. Check the distribution with get system ha status and the per-member session counts.

921
MCQ · hard

An administrator configures a firewall policy with a schedule object that is set to 'Available: Mon-Fri 09:00-17:00'. At 10:00 AM on Saturday, users report they cannot access the resource. The administrator checks the policy list and sees the policy is enabled. What is the MOST likely reason?

A. The FortiGate's system time is incorrect
B. A deny policy with higher priority is blocking the traffic
C. The schedule object is not correctly applied to the policy
D. The schedule object only allows traffic on weekdays, and Saturday is not included
Answer: D

The schedule 'Mon-Fri 09:00-17:00' does not include Saturday, so the policy does not match on Saturday and the traffic falls through to the implicit deny.

Why this answer

A recurring schedule is part of the policy's match criteria: outside the schedule's days and hours the policy is skipped, exactly as if it did not exist, and evaluation continues down the list until the implicit deny. The schedule is configured to allow traffic only from Monday to Friday, 09:00-17:00; Saturday is outside it, so the traffic is denied even though the policy is enabled. If weekend access is intended, add saturday (and sunday) to the schedule's day list rather than creating a second policy.

Exam trap

The trap here is that candidates may overlook the schedule's day-of-week restriction and assume 'enabled' means the policy should work, failing to recognise that a schedule object limits matching to specific days and times, making the policy inactive outside those windows.

How to eliminate wrong answers

Option A is wrong because an incorrect system time would affect all schedule-based policies and would not line up so neatly with the weekend boundary; still, schedules are evaluated against the FortiGate's own clock and time zone, so confirming the time and NTP with execute date is a cheap sanity check. Option B is wrong because a deny policy with higher priority would block traffic regardless of the schedule, and the question gives no indication of a conflicting deny rule. Option C is wrong because the policy visibly carries the schedule; the issue is that the schedule itself does not include Saturday, not that it is misapplied.
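The schedule from this question beside one that includes the weekend, and the policy that references it, as an added example that is not part of the question bank; it also shows where the traffic goes when the policy is skipped (the implicit deny discussed in question 917). Object names, interface names and the policy ID are assumptions.

```fortios
# Added example (not from the question bank): weekday-only schedule from the question,
# a seven-day variant, and the policy that uses it. Names and IDs are assumptions.
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday   # no saturday: the policy never matches on Saturday
        set start 09:00
        set end 17:00
    next
    edit "business-hours-7d"
        set day sunday monday tuesday wednesday thursday friday saturday
        set start 09:00
        set end 17:00
    next
end
config firewall policy
    edit 10
        set name "lan-to-app"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "lan-subnet"
        set dstaddr "app-server"
        set action accept
        set schedule "business-hours"      # change to "business-hours-7d" to allow weekend access
        set service "HTTPS"
        set nat enable
        set logtraffic all
    next
end
# Outside the schedule this policy is skipped and the flow continues down the list to
# policy 0 (implicit deny). With Log Violation Traffic enabled on the implicit deny,
# the Saturday attempts appear in the forward traffic log with policyid 0, which is the
# quickest confirmation that no explicit policy matched.
```

Schedules are compared against the FortiGate's own clock and time zone, so if the users and the firewall are in different zones the window should be defined in the firewall's zone.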

922
Multi-Select · hard

Which THREE statements about FortiGate's 'config system global' settings are true? (Choose three.)

Select 3 answers
A. The 'trusthost' setting restricts administrative access to specific source IPs.
B. The 'admin-login-retry-limit' setting limits the number of failed login attempts before lockout.
C. The 'hostname' setting sets the device name displayed in the GUI.
D. The 'allowaccess' setting controls which protocols are allowed on an interface.
E. The 'timezone' setting sets the FortiGate's local time zone.
Answers: B, C, E

The question is really about which settings live in the global table and which belong to an administrator account or an interface.

Why this answer

Options B, C and E describe settings found under config system global: hostname, timezone, and the administrator lockout controls. Note that the actual CLI keywords for the lockout behaviour are admin-lockout-threshold (number of consecutive failed logins) and admin-lockout-duration (seconds the account or source stays locked), not the name used in option B; the statement is still the one that describes a global setting, and it is the one that defends the management interface against password guessing. Option A is false in this context because trusthost is set per administrator under config system admin, and option D because allowaccess is set per interface under config system interface.

Exam trap

The trap here is confusing global system settings with interface-specific or admin-specific settings, leading candidates to select 'trusthost' or 'allowaccess', which are configured in different contexts (admin and interface respectively).

923
Multi-Select · easy

Which TWO types of inspection can be used for HTTPS traffic in a FortiGate security policy?

Select 2 answers
A. Deep inspection
B. Certificate inspection
C. Full inspection
D. Flow-based inspection
E. Proxy-based inspection
Answers: A, B

Why this answer

FortiGate offers two modes for inspecting HTTPS: certificate inspection (which checks certificate validity but does not decrypt content) and deep inspection (which decrypts and inspects the content). Flow-based and proxy-based refer to the inspection mode for other security profiles, not specifically for HTTPS inspection type.

924
MCQ · medium

A FortiGate administrator is configuring IPsec VPN between two sites. The Phase 1 negotiation fails with the error 'no proposal chosen'. Which two settings must match on both VPN peers?

A. Pre-shared key and local ID
B. Dead peer detection interval and retry count
C. Remote gateway IP and Phase 2 selectors
D. Encryption algorithm and authentication algorithm
Answer: D

The Phase 1 proposal is the combination of encryption algorithm, integrity (authentication) algorithm and Diffie-Hellman group; if the peers share no common combination, the responder answers with NO_PROPOSAL_CHOSEN.

Why this answer

During Phase 1 the initiator offers one or more proposals and the responder must pick one it also has configured; when none match it rejects the exchange with 'no proposal chosen', so the encryption and authentication algorithms (and the DH group) must agree on both sides. A pre-shared key mismatch fails later, after a proposal has been accepted, with an authentication error rather than this message. To see which side rejected what, enable IKE debugging on the FortiGate with diagnose debug application ike -1 followed by diagnose debug enable, then bring the tunnel up again.
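A complete spoke configuration that ties together questions 908, 918 and 924, as an added example that is not part of the question bank: the hub is reached by a dynamic DNS name, the Phase 1 and Phase 2 proposals are written out so they can be compared with the hub's, and the route and policies that let traffic flow once the tunnel is up are included. Tunnel and interface names, subnets, the FQDN and the address objects are assumptions; the pre-shared key is a placeholder.

```fortios
# Added example (not from the question bank): one spoke of a hub-and-spoke IPsec VPN.
# Names, subnets and the hub FQDN are assumptions; replace the PSK before use.
config vpn ipsec phase1-interface
    edit "to-hub"
        set type ddns                          # hub has a dynamic address
        set remotegw-ddns "hub.example.net"    # resolved by the spoke before each negotiation
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256             # must match a proposal on the hub, else NO_PROPOSAL_CHOSEN
        set dhgrp 14                           # the DH group is part of the match as well
        set dpd on-idle
        set psksecret "replace-with-a-long-random-secret"
    next
end
config vpn ipsec phase2-interface
    edit "to-hub-p2"
        set phase1name "to-hub"
        set proposal aes256-sha256             # Phase 2 proposal must also match the hub's
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable              # spoke brings the tunnel up without waiting for traffic
        set src-subnet 192.168.20.0 255.255.255.0   # this spoke's LAN
        set dst-subnet 10.0.0.0 255.0.0.0           # hub-side networks
    next
end
# Reaching the hub's networks needs a route through the tunnel interface ...
config router static
    edit 10
        set dst 10.0.0.0 255.0.0.0
        set device "to-hub"
    next
end
# ... and policies in both directions. Without them the tunnel shows 'up' but no session
# is ever created, which is the symptom in question 918.
config firewall policy
    edit 30
        set name "lan-to-hub"
        set srcintf "port2"
        set dstintf "to-hub"
        set srcaddr "spoke-lan"
        set dstaddr "hub-networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 31
        set name "hub-to-lan"
        set srcintf "to-hub"
        set dstintf "port2"
        set srcaddr "hub-networks"
        set dstaddr "spoke-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

When the hub's proposal list is not known, the IKE debug on the spoke shows the proposals it sent and the responder's reply, so a NO_PROPOSAL_CHOSEN can be matched to the exact algorithm or DH group that differs.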

925
Multi-Select · hard

A FortiGate is configured in active-active HA mode. An administrator notices that session failover is not working properly during a failover event. Which THREE configurations should be checked?

Select 3 answers
A. Ensure the load-balance method is set to 'load-balance' or 'weighted-load-balance'.
B. Enable session synchronization under HA settings.
C. Increase the session TTL.
D. Set the HA mode to 'active-passive'.
E. Verify that all interfaces are included in the HA configuration.
Answers: A, B, E

Why this answer

Option B is the core of it: session pickup (set session-pickup enable, plus set session-pickup-connectionless enable for UDP and ICMP) is off by default, and without it nothing is synchronized, so every failover drops existing sessions. Option A matters because in active-active mode the cluster's schedule setting controls whether sessions are distributed to other members at all; the real CLI values are none, hub, leastconnection, round-robin, weight-round-robin, random, ip and ipport, and set load-balance-all enable is needed before non-proxy TCP sessions are distributed. Option E covers the interface side: every member must have the same interfaces connected, and the interfaces that carry traffic should be monitored (set monitor), since a session that is synchronized to a member whose interface is down is lost anyway. Session TTL (C) does not affect synchronization, and switching to active-passive (D) changes the topology without fixing session pickup.

Exam trap

The trap here is that candidates may assume session failover depends only on enabling session synchronization, overlooking that in active-active mode the load-balance schedule and the interface configuration also determine whether sessions exist on, and can be taken over by, the other member.
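The HA settings that questions 907, 915, 920 and 925 turn on, in one block, as an added example that is not part of the question bank. Interface names, the group name and the password are assumptions; the verification commands at the end are real FortiOS commands, their output is not shown.

```fortios
# Added example (not from the question bank): active-active HA settings that decide
# session distribution and session failover. Names and ports are assumptions.
config system ha
    set group-name "edge-aa"
    set mode a-a
    set password "changeme-use-a-long-secret"
    set hbdev "port9" 50 "port10" 100
    set session-pickup enable                 # synchronize established TCP sessions (off by default)
    set session-pickup-connectionless enable  # also synchronize UDP and ICMP sessions
    set schedule round-robin                  # 'none' would keep every session on the primary
    set load-balance-all enable               # distribute all TCP sessions, not only proxy-inspected ones
    set monitor "port1" "port2"               # a member gives up the primary role if a monitored port fails
    set override disable
end
# Verification after the change:
#   get system ha status                 - roles, uptime, checksums, monitored interfaces
#   diagnose sys ha checksum cluster     - configuration checksums must match on every member
#   diagnose sys session list            - session entries, including NPU offload state, on each member
```

Session pickup adds synchronization traffic on the heartbeat links, so the heartbeat interfaces should be dedicated ports rather than shared with data traffic, as in the hbdev line above.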

926
MCQ · medium

A company wants to provide remote access to internal resources for employees using laptops that may connect from untrusted networks. The security team requires that all traffic between the remote users and the corporate network be encrypted, and that users must authenticate using a username/password plus a one-time passcode from a hardware token. Which FortiGate VPN solution best meets these requirements?

A. IPsec VPN with certificate-based authentication
B. SSL VPN with local password authentication
C. SSL VPN with FortiToken two-factor authentication
D. L2TP/IPsec VPN with a pre-shared key and user password
Answer: C

SSL VPN encrypts traffic, FortiToken provides required two-factor.

Why this answer

Option C is correct because SSL VPN with FortiToken two-factor authentication meets the requirement for encrypted remote access with username/password plus a one-time passcode from a hardware token. SSL VPN provides encrypted tunnels over HTTPS, and FortiToken adds the required second factor, ensuring strong authentication even from untrusted networks.

Exam trap

The trap here is that candidates may assume any VPN with encryption (like IPsec or L2TP/IPsec) automatically supports two-factor authentication, but FortiGate requires explicit configuration of a second factor like FortiToken, and SSL VPN is the typical solution for this requirement in the NSE4 exam context.

How to eliminate wrong answers

Option A is wrong because IPsec VPN with certificate-based authentication provides encryption but does not inherently support a one-time passcode from a hardware token; it relies on certificates, not two-factor authentication. Option B is wrong because SSL VPN with local password authentication provides encryption but only uses a single factor (password), failing the requirement for a one-time passcode. Option D is wrong because L2TP/IPsec VPN with a pre-shared key and user password provides encryption but uses only a pre-shared key and password, lacking the required two-factor authentication with a hardware token.

927
MCQmedium

An administrator needs to translate a single internal server (192.168.1.10:8080) to a public IP (203.0.113.10:80) so that external users can access it via HTTP. Which type of VIP should be configured?

A.Server Load Balancing VIP
B.Virtual IP (VIP) with no port forwarding
C.Static NAT (one-to-one VIP)
D.Port Forwarding VIP
AnswerD

Why this answer

Port Forwarding VIP (also called DNAT or destination NAT) is the correct choice because it translates a single internal server's IP and port (192.168.1.10:8080) to a specific public IP and port (203.0.113.10:80), allowing external HTTP users to reach the internal server. This is a one-to-one mapping of a public IP:port to a private IP:port, which is the exact definition of port forwarding in FortiGate.

Exam trap

The trap here is that candidates often confuse Static NAT (one-to-one IP mapping) with Port Forwarding VIP, forgetting that Static NAT translates all ports and does not allow port remapping, while Port Forwarding VIP specifically handles port translation.

How to eliminate wrong answers

Option A is wrong because Server Load Balancing VIP distributes traffic across multiple backend servers using a virtual server IP, not a single internal server mapping. Option B is wrong because a Virtual IP (VIP) with no port forwarding would map the entire public IP to the private IP without changing the port, so external users on port 80 would not reach port 8080. Option C is wrong because Static NAT (one-to-one VIP) maps an entire public IP to an entire private IP (all ports), not a specific port translation like 8080 to 80.

928
MCQeasy

A network administrator needs to allow only HTTPS traffic from the internal network (10.0.0.0/8) to the public DNS server (8.8.8.8). Which firewall policy configuration BEST enforces this restriction?

A.Source: ALL, Destination: 8.8.8.8, Service: HTTPS, Action: Accept
B.Source: 10.0.0.0/8, Destination: 8.8.8.8, Service: ALL, Action: Accept
C.Source: 10.0.0.0/8, Destination: 8.8.8.8, Service: HTTPS, Action: Accept
D.Source: 10.0.0.0/8, Destination: ALL, Service: HTTPS, Action: Accept
AnswerC

Why this answer

Option C is correct because it specifies the internal network (10.0.0.0/8) as the source, the public DNS server (8.8.8.8) as the destination, and HTTPS (TCP/443) as the service, with an Accept action. This precisely matches the requirement to allow only HTTPS traffic from the internal network to that specific destination, blocking all other traffic by default via the implicit deny rule.

Exam trap

The trap here is that candidates may confuse 'service' with 'destination port' and overlook that specifying 'ALL' for service or destination will permit unintended traffic, failing the precise restriction required.

How to eliminate wrong answers

Option A is wrong because it allows traffic from ALL sources, not just the internal network (10.0.0.0/8), which violates the restriction. Option B is wrong because it allows ALL services (any protocol/port) from the internal network to 8.8.8.8, not just HTTPS, which fails to restrict traffic to HTTPS only. Option D is wrong because it allows HTTPS traffic from the internal network to ALL destinations, not just 8.8.8.8, which does not enforce the destination restriction.

929
MCQmedium

A FortiGate is configured for SSL deep inspection using a CA certificate. Users report that some websites show certificate errors. The administrator wants to allow these sites without inspection. Which setting should be used?

A.Disable certificate validation in the SSL inspection profile
B.Create a separate firewall policy without SSL inspection
C.Set the action for invalid certificates to 'allow'
D.Add the websites to the SSL/SSH exemption list
AnswerD

Exemption list tells FortiGate to skip deep inspection for those destinations.

Why this answer

Option D is correct: SSL/SSH exemption list allows specific destinations to bypass deep inspection, while still applying other security profiles.

930
MCQmedium

In a hub-and-spoke IPsec VPN topology with FortiGate, the spoke sites cannot communicate directly with each other. What configuration change allows direct spoke-to-spoke communication?

A.Set the 'add-route' option to 'enable' on the spoke Phase 1 settings
B.Configure dynamic routing (BGP) on all sites and enable route exchange
C.Add static routes on the hub pointing to each spoke's subnet via the respective tunnels
D.Create a separate IPsec VPN between each spoke pair
AnswerB

Dynamic routing (BGP/OSPF) can advertise spoke subnets to each other, allowing direct tunnels to be established if using ADVPN or additional Phase 2 selectors.

Why this answer

By default, hub-and-spoke only allows communication between spokes via the hub. To enable direct spoke-to-spoke, you need to add Phase 2 selectors with each other's subnets on the hub or configure dynamic routing (BGP/OSPF) to advertise routes between spokes. Another method is to use ADVPN (Auto Discovery VPN).

931
MCQhard

A FortiGate has policy-based NAT enabled. The admin wants to translate the source IP of internal users to the interface IP for internet traffic. The firewall policy has NAT enabled. However, traffic from the internal network to the internet shows the original source IP instead of the interface IP. What is the MOST likely reason?

A.Central NAT is enabled and overrides the per-policy NAT setting
B.The destination is a VIP that disables NAT
C.The NGFW mode is set to profile-based
D.The policy is configured in proxy inspection mode
AnswerA

With central NAT enabled, the policy's NAT flag is ignored; central NAT rules are used instead.

Why this answer

Central NAT must be disabled for the per-policy NAT option to be available. When central NAT is enabled, the NAT setting is removed from the firewall policy and source NAT is governed entirely by the central SNAT table, so unless a central SNAT entry matches the internal subnet and the outgoing interface, traffic leaves with its original source address. Check the table with `show firewall central-snat-map` before looking anywhere else.

932
MCQeasy

An administrator needs to block all traffic from a specific geographic region. Which object type should be used as the source in the firewall policy?

A.FQDN address
B.IP range address
C.Wildcard FQDN address
D.Geography address
AnswerD

Geography objects allow matching based on the source IP's country, enabling region-based blocking.

Why this answer

A geography address object (also known as a geolocation object) allows the firewall to match traffic based on the source IP's registered country or region using GeoIP databases. This is the correct object type when the requirement is to block all traffic from a specific geographic region, as it evaluates the source IP against the FortiGate's built-in geolocation mapping.

Exam trap

The trap here is that candidates often confuse geography objects with IP range or FQDN objects, mistakenly thinking they can manually compile IP ranges for a region or use domain-based filtering to block geographic traffic, which is inefficient and inaccurate.

How to eliminate wrong answers

Option A (FQDN address) is wrong because it resolves a fully qualified domain name to IP addresses, which does not provide geographic region filtering. Option B (IP range address) is wrong because it defines a contiguous block of IP addresses, not a geographic region, and would require manual maintenance of all IPs in that region. Option C (Wildcard FQDN address) is wrong because it matches domain names using wildcards (e.g., *.example.com), which is unrelated to geographic location and cannot filter by region.

933
MCQmedium

An administrator configures a firewall policy with a schedule that allows traffic only during business hours (Monday to Friday, 09:00-18:00). At 17:55 on a Friday, a user establishes an SSH session that is still active at 18:05. What happens to the session when the schedule ends?

A.The session is immediately terminated at 18:00
B.The session continues until it ends naturally
C.The session is allowed but new sessions are blocked
D.The session is terminated after a 60-second grace period
AnswerB

FortiGate does not interrupt established sessions when a schedule ends; the session remains active until it closes.

Why this answer

FortiGate firewall policies control the establishment of new sessions based on the schedule. Once a session is established, it is tracked in the session table and continues to be forwarded even if the schedule ends, until the session naturally terminates or times out. This is the default behavior, so ongoing traffic is not abruptly disrupted when a schedule expires; the per-policy `schedule-timeout` option can be enabled when existing sessions should be torn down at the end of the schedule instead.

Exam trap

The trap here is that candidates assume schedules enforce a hard cutoff on all traffic, but FortiGate only applies schedules to new session initiation, not to already established sessions.

How to eliminate wrong answers

Option A is wrong because FortiGate does not immediately terminate active sessions when a schedule ends; it only blocks new session establishment. Option C is a distractor: it is true that new sessions are blocked, but the question asks what happens to the session that is already active, and the precise answer is that it continues to be forwarded until it ends or times out (Option B); 'allowed' describes a policy decision, not the fate of an existing session. Option D is wrong because there is no 60-second grace period for session termination after a schedule ends; sessions persist based on their own idle timeout or until they finish naturally.

934
MCQmedium

An administrator configures SNMP on a FortiGate to monitor CPU and memory usage. After applying the configuration, the NMS cannot reach the FortiGate via SNMP. The FortiGate's interface has SNMP access enabled. What is the most likely missing configuration?

A.A firewall policy is missing to permit SNMP traffic from the NMS.
B.The SNMP community string is not configured.
C.NTP is not configured, causing time mismatch.
D.The FortiGate is not configured to send SNMP traps.
AnswerA

A policy must allow UDP 161 from the NMS to the FortiGate interface.

Why this answer

In the exam's framing the missing piece is a firewall policy permitting SNMP traffic from the NMS to the FortiGate interface (UDP/161 for queries; UDP/162 carries traps in the other direction and is not needed for polling). A practitioner should know the real checklist is slightly different: a query addressed to the FortiGate's own interface IP is local-in traffic, which is not matched against forwarding policies. What decides whether it is answered is the interface's administrative access list (which the question says already includes SNMP), any local-in policies, and the SNMP community (or SNMPv3 user), whose host list must include the NMS address or the FortiGate silently ignores the query. Verify those before assuming the policy table is at fault.

Exam trap

The trap here is that candidates assume enabling SNMP on the interface is sufficient, overlooking that FortiGate requires a dedicated firewall policy to allow management traffic from external sources to the device itself.

How to eliminate wrong answers

Option B is wrong in the exam's framing because the community string is an authentication parameter rather than a reachability setting. Be aware, though, that an SNMPv1/v2c agent silently discards a request whose community does not match (it sends no error reply), so from the NMS side a missing community and a blocked path both look like a timeout; check both. Option C is wrong because NTP synchronization affects log timestamps and certificate validation, not whether SNMP queries are answered; SNMP operates independently of system time. Option D is wrong because SNMP traps are unsolicited notifications sent from the FortiGate to the NMS; the symptom described is failed polling, for which traps are not required.

935
Multi-Selecthard

A FortiGate is configured with an IPS profile to detect and block anomalous network behavior. Which THREE types of detection does IPS anomaly detection include? (Choose three.)

Select 3 answers
A.Protocol decoding
B.Port scan detection
C.SYN flood detection
D.Signature-based detection
E.UDP flood detection
AnswersB, C, E

Port scanning is a common anomaly that IPS can detect.

Why this answer

Port scan detection is one of the rate-based anomaly checks: it identifies reconnaissance by counting connection attempts to distinct ports from a single source within a short window. That pattern deviates from normal traffic and is flagged as anomalous, so the attempt can be blocked before an attack progresses. SYN flood and UDP flood detection work the same way, counting packets per second toward a destination or from a source against a configured threshold. In FortiOS the thresholds and actions for these anomalies (tcp_syn_flood, udp_flood, tcp_port_scan and others) are configured in a DoS policy rather than in the signature-based IPS sensor.

Exam trap

The trap here is that candidates often confuse signature-based detection (Option D) with anomaly detection, but FortiGate explicitly separates these into distinct IPS detection methods, and the question asks specifically for anomaly detection types.

936
MCQhard

An administrator runs 'diagnose ips anomaly list' and sees many 'tcp_syn_flood' entries. The IPS profile has anomaly detection enabled with action 'pass'. The administrator wants to block such attacks. What change is required?

A.Increase the threshold for the anomaly
B.Enable flow-based inspection on the policy
C.Add a DoS policy from the same source
D.Change the action for the anomaly from 'pass' to 'block'
AnswerD

Block action will drop offending packets.

Why this answer

Option D is correct because anomaly detection uses a threshold-based mechanism; to block, the anomaly's action must be changed from 'pass' (which only logs the event) to 'block'. Raising the threshold (Option A) only makes detection less sensitive, and inspection mode (Option B) has no bearing on anomaly actions.
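Questions 935 and 936 turn on two ideas: anomaly detection is a per-second threshold on a traffic pattern, and the action decides whether an exceeded threshold merely logs ('pass') or also drops ('block'). The following is an added example and not FortiOS code: a small detector over constructed packets that models tcp_syn_flood and udp_flood (packets per second toward one destination) and tcp_port_scan (distinct destination ports from one source) with a one-second sliding window. Rule names follow the `diagnose ips anomaly list` vocabulary; the thresholds, the window and the sample traffic are this example's assumptions, not Fortinet defaults.

```python
"""Rate-based anomaly detection with pass/block actions (added example, not FortiOS code)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    t: float          # seconds
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    syn: bool = False


@dataclass
class AnomalyRule:
    name: str         # tcp_syn_flood | udp_flood | tcp_port_scan
    threshold: int    # events allowed per window before the anomaly fires
    action: str       # "pass" = log only, "block" = log and drop


@dataclass
class Report:
    dropped: int = 0
    # (rule name, key) -> number of packets that exceeded the threshold
    hits: dict = field(default_factory=lambda: defaultdict(int))


def _keys(p: Pkt):
    """Which anomaly counters a packet contributes to, and the key each one is tracked by."""
    if p.proto == "tcp" and p.syn:
        yield "tcp_syn_flood", p.dst      # SYN rate toward one destination
        yield "tcp_port_scan", p.src      # distinct ports probed by one source
    elif p.proto == "udp":
        yield "udp_flood", p.dst


def detect(pkts, rules, window: float = 1.0) -> Report:
    rule_by_name = {r.name: r for r in rules}
    seen = defaultdict(deque)             # (rule, key) -> (timestamp, dport) within the window
    rep = Report()
    for p in sorted(pkts, key=lambda x: x.t):
        drop = False
        for name, key in _keys(p):
            rule = rule_by_name.get(name)
            if rule is None:              # anomaly not configured: nothing to count
                continue
            dq = seen[(name, key)]
            dq.append((p.t, p.dport))
            while dq and p.t - dq[0][0] > window:
                dq.popleft()
            if name == "tcp_port_scan":
                count = len({d for _, d in dq})   # distinct destination ports
            else:
                count = len(dq)                    # packets in the window
            if count > rule.threshold:
                rep.hits[(name, key)] += 1
                drop |= rule.action == "block"     # 'pass' logs the hit but forwards the packet
        rep.dropped += drop
    return rep


# Constructed traffic: a distributed SYN flood and a single-source port scan.
def sample_syn_flood(n: int = 150, dst: str = "10.0.0.10") -> list[Pkt]:
    return [Pkt(t=i / n, src=f"198.51.100.{i % 250 + 1}", dst=dst, proto="tcp", dport=443, syn=True)
            for i in range(n)]


def sample_port_scan(n: int = 25, src: str = "203.0.113.9") -> list[Pkt]:
    return [Pkt(t=0.02 * i, src=src, dst="10.0.0.10", proto="tcp", dport=1 + i, syn=True)
            for i in range(n)]


if __name__ == "__main__":
    logging_only = [AnomalyRule("tcp_syn_flood", 100, "pass"), AnomalyRule("tcp_port_scan", 20, "pass")]
    blocking = [AnomalyRule("tcp_syn_flood", 100, "block"), AnomalyRule("tcp_port_scan", 20, "block")]
    print("flood, action pass :", detect(sample_syn_flood(), logging_only))
    print("flood, action block:", detect(sample_syn_flood(), blocking))
    print("scan,  action block:", detect(sample_port_scan(), blocking))
```

With action 'pass' the report shows 50 excess SYNs and nothing dropped, which is exactly the situation in question 936; switching the same rule to 'block' drops those 50 packets without touching the first 100, and the port-scan counter fires only once a single source has touched more distinct ports than its threshold.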

937
Multi-Selecthard

An administrator needs to configure outbound NAT for 200 internal users using a single public IP (203.0.113.1). The public IP provides 2000 ports. Some applications require a deterministic source port range for logging. Which TWO NAT settings should be used?

Select 2 answers
A.IP Pool type: One-to-One
B.Configure a VIP for the public IP
C.Enable session helper for application
D.IP Pool type: Overload
E.Set 'Fixed Port Range' on the IP Pool
AnswersD, E

Why this answer

Option D (IP Pool type: Overload) is correct because it enables Port Address Translation (PAT), allowing 200 internal users to share a single public IP (203.0.113.1) by multiplexing sessions across the 2000 available ports. Option E (Set 'Fixed Port Range' on the IP Pool) is correct because it assigns a deterministic source port range to each user, which is required for logging and auditing applications that expect consistent port mappings.

Exam trap

The trap here is that candidates often confuse 'Fixed Port Range' with static NAT or assume that session helpers (Option C) are needed for port allocation, when in fact session helpers are for application-layer gateway functions, not for deterministic port assignment.
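The security point behind 'Fixed Port Range' is attribution: if every internal host owns a known block of external ports, a public ip:port in a downstream log identifies the host without consulting the session table, which plain overload PAT cannot do once the session has aged out. The following is an added example, not FortiOS code, that models both allocation styles with question 937's numbers (200 users, one public IP, 2000 ports; the concrete address and port ranges are constructed). Block sizing follows the idea behind FortiOS fixed-port-range pools, external ports shared evenly across the internal range; the exact arithmetic and the in-block port choice are this example's simplification.

```python
"""Deterministic vs. first-free source port allocation (added example, not FortiOS code)."""
from __future__ import annotations

import math
from ipaddress import IPv4Address
from typing import Optional


class FixedPortRangePool:
    """Each internal address owns a fixed, non-overlapping block of external ports."""

    def __init__(self, ext_ips: list[str], port_lo: int, port_hi: int,
                 int_start: str, int_end: str):
        self.ext_ips = [IPv4Address(ip) for ip in ext_ips]
        self.port_lo, self.port_hi = port_lo, port_hi
        self.ports_per_ext = port_hi - port_lo + 1
        self.int_start = IPv4Address(int_start)
        self.n_internal = int(IPv4Address(int_end)) - int(self.int_start) + 1
        # Hosts that must share one external IP, then the block each of them receives.
        self.hosts_per_ext = math.ceil(self.n_internal / len(self.ext_ips))
        self.block_size = self.ports_per_ext // self.hosts_per_ext
        if self.block_size < 1:
            raise ValueError("not enough external ports for the internal range")

    def block_for(self, internal_ip: str) -> tuple[str, int, int]:
        """(external_ip, first_port, last_port) owned by internal_ip."""
        idx = int(IPv4Address(internal_ip)) - int(self.int_start)
        if not 0 <= idx < self.n_internal:
            raise ValueError(f"{internal_ip} is outside the pool's internal range")
        ext = self.ext_ips[idx // self.hosts_per_ext]
        lo = self.port_lo + (idx % self.hosts_per_ext) * self.block_size
        return str(ext), lo, lo + self.block_size - 1

    def translate(self, internal_ip: str, src_port: int) -> tuple[str, int]:
        """Translated (ip, port); the port always lands inside the host's own block."""
        ext, lo, _ = self.block_for(internal_ip)
        return ext, lo + src_port % self.block_size

    def attribute(self, ext_ip: str, ext_port: int) -> Optional[str]:
        """Reverse lookup from a log line: which internal host owns ext_ip:ext_port?"""
        if not self.port_lo <= ext_port <= self.port_hi or IPv4Address(ext_ip) not in self.ext_ips:
            return None
        k = (ext_port - self.port_lo) // self.block_size
        if k >= self.hosts_per_ext:
            return None                       # ports left over after the even split are unused
        idx = self.ext_ips.index(IPv4Address(ext_ip)) * self.hosts_per_ext + k
        return str(self.int_start + idx) if idx < self.n_internal else None


class OverloadPool:
    """Plain overload PAT for contrast: ports are handed out first-free, so the external
    port alone identifies nobody; attribution needs the session or traffic log."""

    def __init__(self, ext_ip: str, port_lo: int, port_hi: int):
        self.ext_ip, self.next_port, self.port_hi = ext_ip, port_lo, port_hi
        self.sessions: dict[int, str] = {}

    def translate(self, internal_ip: str, src_port: int) -> tuple[str, int]:
        if self.next_port > self.port_hi:
            raise RuntimeError("port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[port] = internal_ip
        return self.ext_ip, port

    def attribute(self, ext_ip: str, ext_port: int) -> Optional[str]:
        return self.sessions.get(ext_port)    # only while the session table still has it


if __name__ == "__main__":
    fixed = FixedPortRangePool(["203.0.113.1"], 10000, 11999, "10.0.1.1", "10.0.1.200")
    print("ports per user:", fixed.block_size)
    print("10.0.1.37 owns:", fixed.block_for("10.0.1.37"))
    ip, port = fixed.translate("10.0.1.37", 54321)
    print("log shows", ip, port, "-> host", fixed.attribute(ip, port))
    overload = OverloadPool("203.0.113.1", 10000, 11999)
    ip, port = overload.translate("10.0.1.37", 54321)
    overload.sessions.clear()                 # the session aged out of the table
    print("overload after session expiry:", overload.attribute(ip, port))
```

With 2000 ports and 200 users each host gets a block of 10 ports, and `attribute()` recovers the host from any port in that block with no state at all; the overload pool answers the same question only for as long as the session entry survives, which is why deterministic allocation matters to anyone who has to reconcile external abuse reports against internal hosts.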

938
MCQmedium

An administrator configures an IPS profile to block SQL injection attacks. However, SQL injection traffic is still passing through the FortiGate. The administrator confirms the IPS profile is applied to the correct policy. What is the most likely reason?

A.The firewall policy is in proxy-based mode
B.The IPS profile is configured for anomaly detection only
C.IPS signatures for SQL injection are disabled in the profile
D.Deep inspection is required for IPS to work
AnswerC

If the specific signatures are not enabled or set to 'pass', the attack will not be blocked.

Why this answer

Option C is correct. The administrator must verify that the relevant SQL injection signatures are enabled in the IPS sensor and set to an action such as 'block' or 'reset', not 'pass' or 'monitor'.

939
MCQmedium

A network engineer is configuring an SD-WAN rule to steer voice traffic to the MPLS link with the lowest latency. The SLA target is set to latency < 50 ms and jitter < 10 ms. However, the MPLS link occasionally exceeds the latency threshold. What should the engineer do to ensure voice traffic uses the best available link without manual intervention?

A.Remove the latency performance SLA and rely only on jitter.
B.Configure the SD-WAN rule with a secondary strategy to use the broadband link when SLA is not met.
C.Increase the jitter threshold to 15 ms to avoid SLA violations.
D.Disable SLA enforcement on the SD-WAN rule so voice traffic always uses the MPLS link.
AnswerB

Correct; this allows automatic failover to the broadband link when MPLS fails SLA.

Why this answer

Option B is correct because configuring a secondary strategy (e.g., fallback to broadband) allows the SD-WAN rule to automatically steer voice traffic to the best available link when the primary MPLS link fails the SLA (latency > 50 ms). This ensures continuous SLA compliance without manual intervention, leveraging Fortinet's SD-WAN dynamic path selection based on real-time performance metrics.

Exam trap

The trap here is that candidates often think increasing SLA thresholds or disabling SLA enforcement solves the problem, but the correct approach is to implement a fallback strategy to maintain SLA compliance automatically.

How to eliminate wrong answers

Option A is wrong because removing the latency SLA eliminates the ability to detect high-latency conditions, which could lead to poor voice quality on the MPLS link; jitter alone does not guarantee acceptable one-way delay. Option C is wrong because increasing the jitter threshold to 15 ms does not address the latency violation (which is the actual SLA failure), and it may allow unacceptable jitter levels that degrade voice quality. Option D is wrong because disabling SLA enforcement forces all voice traffic to the MPLS link regardless of its performance, defeating the purpose of SD-WAN intelligent steering and risking poor user experience when latency spikes.
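The decision the SD-WAN rule makes in question 939 is a health-check comparison followed by a preference-ordered choice, with a secondary member taking over while the primary is out of SLA. The following is an added example and not FortiOS code: it models an SLA target (latency, jitter and optional loss), picks the first member in preferred order that meets it, and runs that choice over a series of health-check rounds with an optional hold-down to damp flapping. The fall-back rule when every member is out of SLA (lowest measured latency) and the hold-down semantics are this example's assumptions; the FortiOS strategies and `hold-down-time` option have their own exact behavior.

```python
"""SD-WAN SLA check and member selection over time (added example, not FortiOS code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SlaTarget:
    latency_ms: float
    jitter_ms: float
    loss_pct: float = 100.0      # question 939 sets no loss target, so loss never fails by default


@dataclass(frozen=True)
class Probe:
    member: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float = 0.0


def in_sla(p: Probe, sla: SlaTarget) -> bool:
    # A measurement exactly at the threshold counts as in SLA in this example.
    return (p.latency_ms <= sla.latency_ms and p.jitter_ms <= sla.jitter_ms
            and p.loss_pct <= sla.loss_pct)


def select_member(probes: list[Probe], preferred: list[str], sla: SlaTarget) -> tuple[str, str]:
    """First member in preferred order that meets the SLA; otherwise the one with the lowest
    measured latency (this example's fall-back assumption)."""
    by_name = {p.member: p for p in probes}
    for name in preferred:
        if name in by_name and in_sla(by_name[name], sla):
            return name, "in-sla"
    best = min((by_name[n] for n in preferred if n in by_name), key=lambda p: p.latency_ms)
    return best.member, "all-out-of-sla"


def steer_over_time(samples: list[list[Probe]], preferred: list[str], sla: SlaTarget,
                    hold_down_rounds: int = 0) -> list[str]:
    """Chosen member per health-check round. Failing over to a less preferred member is
    immediate; failing back waits until the better member has been selected for more than
    hold_down_rounds consecutive rounds, to avoid flapping on a link that hovers at the threshold."""
    chosen, current, streak = [], None, 0
    for round_ in samples:
        pick, _ = select_member(round_, preferred, sla)
        if current is None or pick == current:
            current, streak = pick, 0
        elif preferred.index(pick) > preferred.index(current):
            current, streak = pick, 0
        else:
            streak += 1
            if streak > hold_down_rounds:
                current, streak = pick, 0
        chosen.append(current)
    return chosen


if __name__ == "__main__":
    sla = SlaTarget(latency_ms=50, jitter_ms=10)        # the question's target
    preferred = ["mpls", "broadband"]                    # primary, then secondary
    ok = [Probe("mpls", 30, 5), Probe("broadband", 40, 8)]
    bad = [Probe("mpls", 65, 5), Probe("broadband", 40, 8)]   # MPLS latency spike
    print(select_member(ok, preferred, sla), select_member(bad, preferred, sla))
    print("no hold-down :", steer_over_time([ok, bad, ok, ok, ok], preferred, sla))
    print("hold-down = 2:", steer_over_time([ok, bad, ok, ok, ok], preferred, sla, hold_down_rounds=2))
```

Without hold-down the rule moves voice back to MPLS the moment one probe is in SLA again; with a hold-down of two rounds it stays on broadband until MPLS has been healthy for three consecutive checks, which is the behavior you want for a link that oscillates around 50 ms.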

940
MCQmedium

A FortiGate administrator wants to integrate with FortiSandbox to analyze suspicious files detected by antivirus. The administrator configures the FortiSandbox settings under Security Fabric. However, files are not being sent to FortiSandbox. The antivirus profile is set to 'flow-based' inspection. What could be the reason?

A.The antivirus profile is set to 'Monitor' instead of 'Block'.
B.The firewall policy is using NAT, which interferes with FortiSandbox connectivity.
C.The FortiGate does not have a valid FortiSandbox license.
D.Flow-based inspection does not support FortiSandbox integration; proxy-based inspection is required.
AnswerD

FortiSandbox integration for file submission requires proxy-based inspection mode. Flow mode can use FortiSandbox for outbreak prevention but not for file submission.

941
MCQmedium

A FortiGate admin wants to send logs to both a local disk and a remote FortiAnalyzer. Which log configuration must be set?

A.Use the 'diagnose debug application log' command
B.Select 'Mirror local logs to FortiAnalyzer'
C.Enable local logging and configure FortiAnalyzer as a remote server
D.Set the log severity to 'Information' on both
AnswerC

Both logging methods can be enabled independently.

Why this answer

FortiGate can log to multiple destinations simultaneously by configuring both local and remote logging.

942
MCQhard

An administrator is troubleshooting an IPsec VPN that fails to establish. The 'diagnose vpn ike log' shows 'initial contact received'. What does this message indicate?

A.The pre-shared key is incorrect
B.The Phase 1 proposal is mismatched
C.The remote peer has restarted and cleared its security associations
D.A network address translation device is altering the IKE packets
AnswerC

'Initial contact' notifies the local peer to delete old SAs and re-establish the tunnel.

Why this answer

'Initial contact' is a notification sent when a peer clears its Phase 1 and Phase 2 SAs. It typically indicates that the remote peer has restarted or its configuration has been reloaded. It is not an error but an informational message.

943
Multi-Selectmedium

A FortiGate administrator is troubleshooting a connectivity issue where internal clients cannot reach a public web server. The administrator has confirmed that routing is correct and there are no security profiles blocking traffic. Which TWO debugging steps should the administrator take? (Choose two.)

Select 2 answers
A.Reboot the FortiGate
B.Run a packet capture on the internal interface
C.Change the NAT mode to Central SNAT
D.Disable the antivirus profile
E.Check the firewall policy list for matching policies
AnswersB, E

Verify traffic reaches the FortiGate.

Why this answer

Checking the firewall policy list shows whether an accept policy exists for the flow and whether an earlier policy shadows it. A packet capture on the internal interface (for example with `diagnose sniffer packet`) shows whether the clients' traffic reaches the FortiGate at all and what it looks like when it does. Options B and E are correct.

944
Multi-Selectmedium

Which TWO statements about FortiGate HA heartbeat interfaces are correct?

Select 2 answers
A.Heartbeat interfaces must be in the same VDOM.
B.Heartbeat interfaces must be dedicated management ports.
C.Heartbeat interfaces must be on the same subnet.
D.Heartbeat traffic is not encrypted by default.
E.Only two heartbeat interfaces can be configured.
AnswersC, D

Correct; heartbeat requires L2 connectivity.

Why this answer

Option C is correct because heartbeat packets are Layer 2 frames (Fortinet uses Ethertype 0x8890 for the heartbeat by default), not routed IP traffic, so the heartbeat interfaces of all cluster members must share a broadcast domain; FortiOS assigns them link-local 169.254.0.x addresses automatically. Option D is correct because heartbeat traffic is neither authenticated nor encrypted unless `set authentication enable` and `set encryption enable` are configured under `config system ha`; enable both whenever the heartbeat links are not physically isolated, since anyone on that segment could otherwise observe or inject cluster messages.

Exam trap

The trap here is that candidates often assume heartbeat interfaces must be in the same VDOM (Option A). HA is a global, system-level function configured under `config system ha`, and heartbeat interfaces are selected there rather than through any VDOM; what the heartbeat requires is Layer 2 adjacency between the members' heartbeat ports, not shared VDOM membership.

945
Multi-Selectmedium

Which TWO configuration changes can reduce the risk of unauthorized administrative access to a FortiGate?

Select 2 answers
A.Use the default 'admin' account for all administrators
B.Restrict administrative access to trusted hosts
C.Change the default administrative port
D.Set a simple password for ease of use
E.Disable both HTTPS and HTTP administrative access
AnswersB, C

Limits source IPs that can initiate admin sessions.

Why this answer

Restricting administrative access to trusted hosts (Option B) is a fundamental security best practice that limits the source IP addresses allowed to reach the FortiGate management interface. Trusted hosts are set per administrator account (`config system admin`, `edit <name>`, `set trusthost1 <ip> <mask>`, and so on), and once configured the FortiGate only accepts administrative sessions (HTTPS, SSH, or Telnet) for that account from the listed addresses or subnets, dropping attempts from everywhere else. This reduces the attack surface and blunts brute-force or credential-stuffing attacks from untrusted networks.

Exam trap

The trap here is that candidates often think disabling HTTPS entirely is a valid security measure, but the NSE4 exam expects you to recognize that HTTPS must remain enabled for secure remote GUI access, and that disabling both HTTP and HTTPS would render the web interface inaccessible, which is not a recommended security practice.

946
MCQeasy

An administrator wants to create a firewall policy that blocks all traffic from a specific IP address (10.0.0.99) to the internet, but allows all other traffic. Which policy configuration is correct?

A.Create a deny policy for source 10.0.0.99 to destination 'all' on the WAN interface, then an allow policy for all other traffic
B.Create an allow policy for source 'all' and then a deny policy for 10.0.0.99
C.Use a local-in policy to block the IP
D.Create a policy that denies all traffic from 10.0.0.99 to any destination
AnswerA

The deny policy should be placed above the allow policy.

Why this answer

Option A is correct because FortiGate firewall policies are evaluated sequentially from top to bottom, and the first matching policy is applied. By placing a deny policy for source 10.0.0.99 to destination 'all' on the WAN interface first, traffic from that IP is blocked. Then a subsequent allow policy for all other traffic (source 'all') permits everything else, ensuring the specific IP is blocked while all other traffic is allowed.

Exam trap

The trap here is that candidates often think a deny policy alone is sufficient, forgetting that FortiGate requires an explicit allow policy for other traffic to pass, or they misorder policies, placing the allow before the deny, which causes the deny to be ineffective due to first-match logic.

How to eliminate wrong answers

Option B is wrong because if an allow policy for source 'all' is placed before the deny policy for 10.0.0.99, traffic from 10.0.0.99 will match the allow policy first and be permitted, defeating the block requirement. Option C is wrong because local-in policies are used to control traffic destined to the FortiGate itself (management traffic), not traffic transiting through the FortiGate to the internet. Option D is wrong because while it denies traffic from 10.0.0.99 to any destination, it does not include an allow policy for other traffic, which would result in all other traffic being implicitly denied by default unless a separate allow policy is added.

947
MCQeasy

Which firewall policy matching parameter is evaluated FIRST when a packet arrives at a FortiGate interface?

A.Source address
B.Service
C.Schedule
D.Incoming interface
AnswerD

The first match criterion is the interface pair: the incoming interface the packet arrived on and the outgoing interface determined by the route lookup that runs before policy lookup.

Why this answer

When a packet arrives, the FortiGate already knows the incoming interface, and the routing lookup that precedes policy evaluation supplies the outgoing interface. Policy lookup therefore starts by narrowing the table to policies whose incoming (and outgoing) interface match, and only then compares source address, destination address, service, and schedule against the remaining candidates in top-to-bottom order.

Exam trap

The trap here is that candidates often assume source or destination address is checked first, confusing the FortiGate's policy evaluation order with that of other firewalls (e.g., Cisco ASA) where interface is not always the primary match key.

How to eliminate wrong answers

Option A is wrong because source address is evaluated after the incoming interface in the policy-matching order; the FortiGate must first determine which interface the packet arrived on before checking source addresses. Option B is wrong because service (protocol/port) is evaluated later in the sequence, typically after source and destination addresses have been matched. Option C is wrong because schedule (time-based availability) is the last parameter checked in the policy lookup, after all other conditions (interface, source, destination, service) have been satisfied.
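Questions 946 and 947 both come down to how a first-match policy table behaves: interface pair first, then addresses and service, stop at the first hit, and fall through to the implicit deny if nothing hits. The following is an added example and not FortiOS code: a small policy matcher over a constructed table that reproduces question 946's block-one-host scenario in both orderings and shows why a packet arriving on the wrong interface never gets as far as the address check. The service table, interface names and addresses are this example's constructions; FortiOS's predefined objects and its matching internals are richer than what is modelled here.

```python
"""First-match firewall policy lookup (added example, not FortiOS code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed service table; None means any protocol/port (the ALL object).
SERVICES: dict[str, Optional[set[tuple[str, int]]]] = {
    "HTTP": {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "SSH": {("tcp", 22)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "ALL": None,
}


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: list[str]      # CIDR strings, or "all"
    dstaddr: list[str]
    service: list[str]      # keys of SERVICES
    action: str             # "accept" or "deny"


@dataclass
class Packet:
    in_intf: str
    out_intf: str           # result of the route lookup, which happens before policy lookup
    src: str
    dst: str
    proto: str
    dport: int


def _addr_match(objs: list[str], ip: str) -> bool:
    return any(o == "all" or ip_address(ip) in ip_network(o) for o in objs)


def _svc_match(names: list[str], proto: str, dport: int) -> bool:
    return any(SERVICES[n] is None or (proto, dport) in SERVICES[n] for n in names)


def matches(p: Policy, pkt: Packet) -> bool:
    """Interface pair first, then addresses, then service; stops at the first criterion that fails."""
    return (p.srcintf in ("any", pkt.in_intf)
            and p.dstintf in ("any", pkt.out_intf)
            and _addr_match(p.srcaddr, pkt.src)
            and _addr_match(p.dstaddr, pkt.dst)
            and _svc_match(p.service, pkt.proto, pkt.dport))


def lookup(policies: list[Policy], pkt: Packet) -> tuple[str, Optional[int]]:
    """First-match lookup. Returns (action, policy_id); ("deny", None) is the implicit deny."""
    for p in policies:
        if matches(p, pkt):
            return p.action, p.policy_id
    return "deny", None


# Question 946's table: block one host, allow the rest of the internal network.
BLOCK_HOST = Policy(1, "internal", "wan1", ["10.0.0.99/32"], ["all"], ["ALL"], "deny")
ALLOW_REST = Policy(2, "internal", "wan1", ["10.0.0.0/8"], ["all"], ["ALL"], "accept")
CORRECT_ORDER = [BLOCK_HOST, ALLOW_REST]
WRONG_ORDER = [ALLOW_REST, BLOCK_HOST]


if __name__ == "__main__":
    blocked = Packet("internal", "wan1", "10.0.0.99", "203.0.113.5", "tcp", 443)
    other = Packet("internal", "wan1", "10.0.0.7", "203.0.113.5", "tcp", 443)
    from_dmz = Packet("dmz", "wan1", "10.0.0.7", "203.0.113.5", "tcp", 443)
    print("deny above allow, 10.0.0.99:", lookup(CORRECT_ORDER, blocked))
    print("allow above deny, 10.0.0.99:", lookup(WRONG_ORDER, blocked))
    print("other host:", lookup(CORRECT_ORDER, other))
    print("same source, wrong interface:", lookup(CORRECT_ORDER, from_dmz))
    https_only = Policy(3, "internal", "wan1", ["10.0.0.0/8"], ["8.8.8.8/32"], ["HTTPS"], "accept")
    print("question 928, UDP/53 to 8.8.8.8:", lookup([https_only], Packet("internal", "wan1", "10.0.0.7", "8.8.8.8", "udp", 53)))
```

The same host is denied by policy 1 in the correct order and accepted by policy 2 in the wrong one, which is the first-match trap of question 946; the packet from the dmz interface falls through to the implicit deny even though its source address is inside 10.0.0.0/8, because no policy with a matching interface pair exists to evaluate the address against.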

948
MCQmedium

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is blocked by a firewall policy
B.The session is a UDP connection to port 443
C.The session is experiencing high latency
D.The session is a TCP connection to port 443 that has been active for 1 hour
AnswerD

Duration 3600 seconds = 1 hour. Proto=6 is TCP.

Why this answer

Option D is correct because `proto=6` is the IP protocol number for TCP, and the filter `dport 443` restricts the listing to sessions whose destination port is 443 (HTTPS). `duration=3600` means the session has existed for 3600 seconds (1 hour), and `expire=3599` is the remaining idle time in seconds before the entry is removed; since the TCP established timeout is normally 3600 seconds, a value of 3599 also tells you the session was refreshed by traffic about a second ago. This is an active TCP session to port 443 that has been established for one hour.

Exam trap

The trap here is that candidates often confuse `proto=6` with UDP or misinterpret `duration` as a latency value, leading them to select the high-latency or UDP options instead of recognizing the TCP protocol number and session age.

How to eliminate wrong answers

Option A is wrong because the output does not show any deny or drop flags; `proto_state=01` indicates a normal established TCP session (state 01 is typically ESTABLISHED in Fortinet's session table), not a blocked session. Option B is wrong because `proto=6` is TCP, not UDP (UDP is protocol 17); port 443 is commonly used for HTTPS over TCP, not UDP. Option C is wrong because the output provides no latency or RTT metrics; `duration` and `expire` are time-based counters, not indicators of network performance.
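Reading `diagnose sys session list` output by eye is error-prone once there are more than a handful of entries, so a small parser that pulls out protocol, state, age, addresses and NAT is a useful companion to question 948. The following is an added example and not FortiOS code; the record it parses is constructed in the shape of the real listing (one established HTTPS session with source NAT), and the TCP state decoding uses the second digit of `proto_state` as the FortiOS session table encodes it. Field layouts vary between FortiOS versions, so treat the regular expressions as a starting point rather than a specification.

```python
"""Parser for 'diagnose sys session list' records (added example, not FortiOS code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# TCP state encoded in the second digit of proto_state in the FortiOS session table.
TCP_STATES = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
              "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
              "8": "LAST_ACK", "9": "LISTEN"}

KV_RE = re.compile(r"(\w+)=(\S*)")
HOOK_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nsrc>[\d.]+):(?P<nport>\d+)\)")


@dataclass
class Session:
    proto: int
    proto_state: str
    duration: int                    # seconds since the session was created
    expire: int                      # idle seconds left before the entry is removed
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    nat_src: Optional[str] = None    # translated source from the original-direction snat hook
    nat_sport: Optional[int] = None
    policy_id: Optional[int] = None

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))

    @property
    def tcp_state(self) -> Optional[str]:
        return TCP_STATES.get(self.proto_state[-1], "UNKNOWN") if self.proto == 6 else None

    @property
    def age_hours(self) -> float:
        return self.duration / 3600

    def summary(self) -> str:
        state = f" {self.tcp_state}" if self.tcp_state else ""
        nat = f" snat={self.nat_src}:{self.nat_sport}" if self.nat_src else ""
        return (f"{self.proto_name}{state} {self.src}:{self.sport}->{self.dst}:{self.dport}{nat}"
                f" age={self.duration}s expire={self.expire}s policy={self.policy_id}")


def parse_sessions(text: str) -> list[Session]:
    """Split the listing into 'session info:' records and extract the fields above."""
    sessions = []
    for block in text.split("session info:")[1:]:
        kv = dict(KV_RE.findall(block))
        s = Session(int(kv["proto"]), kv["proto_state"], int(kv["duration"]), int(kv["expire"]))
        if "policy_id" in kv:
            s.policy_id = int(kv["policy_id"])
        for m in HOOK_RE.finditer(block):
            if m["dir"] != "org":            # the original direction is client -> server
                continue
            s.src, s.sport, s.dst, s.dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
            if m["act"] == "snat":
                s.nat_src, s.nat_sport = m["nsrc"], int(m["nport"])
        sessions.append(s)
    return sessions


# Constructed record in the shape of the real listing (one established HTTPS session).
SAMPLE = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu f00
statistic(bytes/packets/allow_err): org=4120/31/1 reply=9865/28/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=5->6/6->5 gwy=203.0.113.254/10.0.0.5
hook=post dir=org act=snat 10.0.0.5:51234->198.51.100.20:443(203.0.113.1:51234)
hook=pre dir=reply act=dnat 198.51.100.20:443->203.0.113.1:51234(10.0.0.5:51234)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
serial=0000abcd tos=ff/ff app_list=0 app=0 url_cat=0
total session 1
"""

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s.summary())
```

For the constructed record the summary reads as a TCP ESTABLISHED session from 10.0.0.5 to 198.51.100.20:443, source-translated to 203.0.113.1, one hour old, matched by policy 2; the `policy_id` field is the one to cross-check when a session is flowing under a policy you did not expect.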

949
MCQeasy

What is the function of an IPS 'protocol decoder'?

A.Encode traffic to prevent attacks
B.Parse and normalize protocol traffic to improve detection accuracy
C.Rate-limit traffic based on protocol
D.Decrypt SSL traffic for inspection
AnswerB

Decoders help identify protocol-specific attacks.

Why this answer

Option B is correct: protocol decoders parse application-layer protocols and normalize the traffic before signature matching, which lets the IPS detect attacks hidden behind evasion techniques such as encoding or fragmentation.

950
Multi-Selectmedium

An administrator needs to allow internal users to access a public web server using the server's private IP address, while external users access it via a public IP. Which TWO components are required?

Select 2 answers
A.Central SNAT policy
B.An IP pool for source NAT
C.A static route on the FortiGate for the public IP
D.A VIP (Virtual IP) mapping the public IP to the private IP
E.A firewall policy allowing traffic from internal to the server's private IP
AnswersD, E

The VIP covers external access; internal access to the private IP only needs an ordinary policy.

Why this answer

To allow internal users to access the server via private IP, a firewall policy must allow the traffic. To allow external users, a VIP is used to map the public IP to the private IP, and a corresponding policy is needed.

951
Multi-Selectmedium

An administrator is troubleshooting a connectivity issue where users in the 10.0.0.0/24 subnet cannot access the internet. The FortiGate has the following policies (in order): 1: allow 10.0.0.0/24 -> any, service: HTTP, HTTPS 2: deny any -> any, service: all Users can browse HTTP but not HTTPS. Which TWO actions would resolve the issue?

Select 2 answers
A.Verify that the HTTPS service object is correctly defined and not misspelled
B.Create a new policy above policy 1 allowing all traffic from 10.0.0.0/24
C.Add HTTPS to the allowed services in policy 1
D.Move policy 2 above policy 1
E.Check if the HTTPS service object includes both TCP/443 and TCP/8443
AnswersA, C

A typo in service name could cause the policy to not match.

Why this answer

Policy 1 is the only accept policy and it is meant to cover both HTTP and HTTPS, so when HTTP works and HTTPS does not, the HTTPS entry is the suspect. Confirm that the object attached to the policy is the intended HTTPS service (TCP/443) and not a similarly named custom object, and make sure it is actually present in the policy's service list; anything that does not match policy 1 falls through to policy 2 and is denied.

The solution is to ensure HTTPS is allowed in policy 1 and that the service object is correctly defined.

952
Multi-Selecthard

An organization requires that outbound HTTP and HTTPS traffic from the internal network be translated to a single public IP address (203.0.113.1) using overload NAT (PAT). Which TWO configurations are necessary?

Select 2 answers
A.Disable 'Allow Traffic' on the implicit deny policy
B.Configure a one-to-one NAT IP pool
C.Create an IP pool with type 'Overload' and specify the public IP address
D.Configure a VIP for the public IP
E.Enable 'NAT' on the firewall policy and select the IP pool
AnswersC, E

An IP pool with overload type enables PAT using that public IP.

Why this answer

Overload NAT (PAT) allows multiple internal hosts to share a single public IP by translating source ports. To achieve this, you must create an IP pool with type 'Overload' that specifies the public IP address (203.0.113.1) and then enable NAT on the firewall policy, selecting that IP pool. This configuration ensures outbound HTTP/HTTPS traffic is translated to the single public IP with unique source ports.

Exam trap

The trap here is that candidates often confuse one-to-one NAT (Option B) with overload NAT, or think a VIP (Option D) is needed for outbound traffic, when in fact VIPs are strictly for inbound destination NAT.

953
MCQmedium

A FortiGate administrator is troubleshooting an SSL VPN connection issue. Users can connect but cannot access internal resources. The administrator checks the SSL VPN policy and confirms it allows access to the internal subnet. What should the administrator check next?

A.Verify that the firewall policy between the SSL VPN interface and the internal network allows the traffic
B.Check the routing table on the FortiGate for the internal subnet
C.Ensure the users have the correct client software installed
D.Check the FortiGate's DNS settings
AnswerA

Correct. The firewall policy must explicitly permit traffic from the SSL VPN zone to the internal zone.

Why this answer

Even if the SSL VPN policy is correct, the traffic must also be permitted by the firewall policies between the SSL VPN interface and the internal network. A common mistake is not having a firewall policy that allows traffic from the SSL VPN interface (e.g., ssl.root) to the internal network.

954
MCQeasy

Which of the following is the default action of a FortiGate firewall policy if no policy matches the traffic?

A.Log and drop
B.Redirect to authentication
C.Accept
D.Deny
AnswerD

Traffic that does not match any policy is implicitly denied.

Why this answer

FortiGate firewall policies operate on a 'first-match' basis, and if no policy matches the traffic, the default action is to deny the traffic. This is a fundamental security principle to ensure that only explicitly permitted traffic is allowed through the firewall. The implicit deny rule is automatically applied at the end of the policy list and cannot be removed or modified.

Exam trap

The trap here is that candidates may confuse the default action of a firewall with the default action of a router (which forwards traffic) or assume that FortiGate logs all denied traffic by default, but neither is true; the implicit deny is silent unless explicitly configured to log.

How to eliminate wrong answers

Option A is wrong because 'Log and drop' is not a default action; logging is only performed if a policy explicitly enables logging, and the implicit deny does not generate logs by default. Option B is wrong because 'Redirect to authentication' is a feature of authentication policies or captive portal configurations, not the default action for unmatched traffic. Option C is wrong because 'Accept' would violate the security model of a firewall, which must block all traffic unless explicitly allowed; accepting unmatched traffic would create a security vulnerability.

955
Multi-Selecteasy

An administrator needs to configure ZTNA (Zero Trust Network Access) on a FortiGate to provide secure remote access to an internal application. Which components are required for a basic ZTNA configuration? (Choose three.)

Select 3 answers
A.IPsec VPN tunnel
B.ZTNA proxy (application gateway)
C.Captive portal
D.ZTNA rule (policy) on the FortiGate
E.Access proxy (or application) configuration
AnswersB, D, E

The proxy acts as a reverse proxy for the application.

Why this answer

ZTNA requires a ZTNA proxy to protect the application, a ZTNA rule (policy) to define the access criteria, and an access proxy (or application) configuration that listens for incoming connections. Options B, D, and E are correct; an IPsec tunnel and a captive portal are not part of a basic ZTNA setup.

956
MCQmedium

An administrator has configured an SSL VPN. Remote users can connect and authenticate but cannot access internal resources. The SSL VPN policy allows all traffic from the SSL VPN interface to internal servers. What is the MOST likely missing configuration?

A.The remote user's client does not support split tunneling
B.The firewall policy allowing traffic from SSL VPN interface to internal network is missing
C.The authentication timeout is too short
D.The SSL VPN portal does not have the correct bookmark configured
AnswerB

Even with SSL VPN configured, traffic must be allowed by a firewall policy from the SSL VPN interface to the destination.

Why this answer

For SSL VPN tunnel mode, split-tunneling settings determine which traffic goes through the tunnel. If split-tunneling is not configured, the remote user's traffic may not be routed to the FortiGate properly. However, more commonly, the firewall policy between the SSL VPN interface and the internal network is missing or incorrect.

957
MCQmedium

A network administrator notices that after configuring a new static route on a FortiGate, traffic to a remote subnet is still being forwarded via the default route. The administrator confirms the static route is present in the routing table with a lower distance than the default route. What is the MOST likely cause?

A.The static route is disabled by a firewall policy.
B.The static route is configured with a higher priority than the default route.
C.The static route's destination subnet overlaps with a directly connected subnet.
D.The static route's gateway is not reachable via any interface.
AnswerD

If the next-hop gateway is unreachable (no ARP entry or interface down), the route will not be installed in the routing table, and traffic will use the default route.

958
MCQmedium

An admin needs to allow inbound SMTP traffic from the internet to a mail server in the DMZ. The public IP is 203.0.113.10, and the mail server's private IP is 10.0.0.5. Which VIP configuration is correct?

A.VIP: external IP 203.0.113.10 port 25 -> internal IP 10.0.0.5 port 25
B.VIP: external IP 203.0.113.10 port 25 -> internal IP 10.0.0.5 port 80
C.VIP: external IP 203.0.113.10 all ports -> internal IP 10.0.0.5 all ports
D.VIP: external IP 203.0.113.10 port 80 -> internal IP 10.0.0.5 port 80
AnswerA

This correctly maps SMTP traffic to the mail server.

Why this answer

Option A is correct because it configures a Virtual IP (VIP) that maps the public IP 203.0.113.10 on TCP port 25 (SMTP) to the internal mail server IP 10.0.0.5 on port 25. This allows inbound SMTP traffic from the internet to reach the mail server in the DMZ, performing both destination NAT (DNAT) and port forwarding for the specific SMTP service.

Exam trap

The trap here is that candidates may confuse port numbers or assume that any port mapping will work, but the NSE4 exam specifically tests that the VIP must match the service port (SMTP = 25) and that only the correct port mapping enables the intended application traffic.

How to eliminate wrong answers

Option B is wrong because it maps port 25 on the external IP to port 80 on the internal IP, which would send SMTP traffic to the mail server's HTTP port instead of the SMTP port, breaking email delivery. Option C is wrong because it maps all ports from the external IP to all ports on the internal IP, which is overly permissive and violates the principle of least privilege, exposing unnecessary services. Option D is wrong because it maps port 80 (HTTP) on the external IP to port 80 on the internal IP, which does not allow SMTP traffic on port 25, so inbound email would be blocked.

959
Multi-Selecthard

An admin troubleshoots an issue where internal users cannot access an internal server using its public IP address. The server is published via a VIP. The admin has already verified that the firewall policy allows traffic from internal to the VIP. Which THREE checks should the admin perform to resolve the issue? (Choose three.)

Select 3 answers
A.Enable NAT reflection on the VIP
B.Check if there is a firewall policy allowing traffic from internal to the VIP's mapped IP (private IP)
C.Configure the internal users to use the private IP directly
D.Verify that the server is listening on the internal interface
E.Change the VIP to use port forwarding
AnswersA, B, D

NAT reflection allows internal users to reach the VIP's public IP from inside the network.

Why this answer

Common causes of hairpin (reflected) NAT issues are NAT reflection not being enabled on the VIP, a missing policy from internal to the VIP (already verified here), or the VIP not being applied on the interface the internal traffic arrives on. Internal DNS may also need to return the private IP rather than the public one, and the server itself may not be listening on its internal interface.

The three most relevant: enable NAT reflection, ensure policy allows traffic, and check that the server is reachable via internal IP.

960
MCQhard

An administrator configures Central SNAT with a dynamic IP pool for internet-bound traffic. Some users report that certain applications fail when they should be translated to a specific public IP. The administrator checks the policy-based NAT rules and finds none. What is the most likely reason for the failure?

A.A higher priority Central SNAT rule matches the traffic first
B.The traffic is being dropped by a security profile
C.The firewall policy has NAT disabled
D.The IP pool is configured on the wrong interface
AnswerA

Why this answer

Central SNAT rules are evaluated in order of priority, and the first matching rule is applied. If a higher-priority Central SNAT rule matches the traffic before the intended rule with the specific public IP, the traffic will be translated to the IP defined in that higher-priority rule, causing the applications to fail. Since no policy-based NAT rules exist, the issue lies in the Central SNAT rule priority order.

Exam trap

The trap here is that candidates often assume the issue is with the firewall policy's NAT setting or interface binding, when in fact Central SNAT rules have their own independent priority-based evaluation that can preempt the intended translation.

How to eliminate wrong answers

Option B is wrong because security profiles (e.g., antivirus, web filter) inspect traffic after NAT is applied; they would not prevent NAT from occurring, only block the session after translation. Option C is wrong because Central SNAT operates independently of the firewall policy's NAT setting; even if the firewall policy has NAT disabled, Central SNAT rules can still perform source NAT. Option D is wrong because the IP pool is bound to the Central SNAT rule, not directly to an interface; the rule's configuration determines the egress interface, and a misconfigured interface would not cause a specific public IP translation failure—it would affect all traffic using that rule.

961
Drag & Dropmedium

Drag and drop the steps to configure HA (High Availability) on a FortiGate pair into the correct order.

Why this order

HA configuration requires physical connection, mode selection, priority, and interface monitoring before reboot.

962
MCQeasy

Which CLI command is used on a FortiGate to perform a real-time packet capture on an interface?

A.diagnose sniffer packet
B.execute packet-capture
C.diagnose debug flow
D.diagnose sys session list
AnswerA

Correct command for packet capture.

Why this answer

The 'diagnose sniffer packet' command captures packets in real-time on a specified interface.

963
MCQmedium

An administrator configures a web filter profile to block the 'Phishing' category. Users still report receiving phishing emails with links that bypass the filter. What is the most likely reason?

A.The users are accessing the phishing sites via IP address, not URL.
B.The email traffic is not subject to SSL inspection, so URLs in encrypted emails are not filtered.
C.The web filter profile is not applied to the firewall policy governing email traffic.
D.The FortiGate's URL database is outdated.
AnswerB

Without SSL inspection, the FortiGate cannot see the URLs in the encrypted email.

Why this answer

Option B is correct because web filtering operates at the application layer and inspects HTTP/HTTPS URLs. If SSL inspection is not enabled, the FortiGate cannot decrypt the encrypted SMTP or IMAP/POP3 traffic to extract URLs from the body of emails. Without decryption, the web filter profile cannot see the phishing links inside encrypted email messages, so they bypass the filter regardless of the category being blocked.

Exam trap

The trap here is that candidates assume web filtering applies to all traffic equally, forgetting that encrypted email traffic requires SSL inspection to extract URLs from the message body, whereas web filtering for HTTP traffic works without decryption.

How to eliminate wrong answers

Option A is wrong because even if users access phishing sites via IP address, the FortiGate's web filter can still block the connection if the IP is categorized in the 'Phishing' category or if the web filter profile is configured to block by IP reputation. Option C is wrong because the question states the web filter profile is configured, and the issue is that phishing links in emails bypass the filter; if the profile were not applied to the firewall policy, no web filtering would occur at all, but the scenario implies other web traffic might be filtered, so the most specific reason is the lack of SSL inspection for email traffic. Option D is wrong because an outdated URL database would cause false negatives for known phishing URLs, but the core issue here is that the URLs are hidden inside encrypted email content, which the FortiGate cannot inspect without SSL decryption.

964
Multi-Selectmedium

An administrator is configuring SNMP on a FortiGate for monitoring. Which THREE items are required for SNMPv3 configuration?

Select 3 answers
A.Security level (authPriv or authNoPriv)
B.Authentication protocol (e.g., SHA) and privacy protocol (e.g., AES)
C.SNMP view definition for the user
D.SNMP community string (read-only or read-write)
E.SNMP user with username and authentication password
AnswersA, B, E

Security level defines whether authentication and privacy are used.

Why this answer

SNMPv3 requires a security level to define whether authentication and encryption are used. The security level (authPriv or authNoPriv) determines the operational mode for the user, making it a mandatory configuration element. Without specifying the security level, the FortiGate cannot enforce the appropriate authentication and privacy policies for SNMPv3 communications.

Exam trap

The trap here is that candidates often confuse SNMPv3 with SNMPv2c and incorrectly select the community string option, forgetting that SNMPv3 eliminates community strings in favor of user-based authentication and encryption.

965
MCQhard

A FortiGate administrator configures policy-based routing (PBR) to direct traffic from subnet 192.168.1.0/24 to the internet via ISP1. However, traffic from that subnet is still using the default route via ISP2. What is the most likely cause?

A.The PBR rule's source address does not match the traffic correctly.
B.The default route has a lower administrative distance than the PBR rule.
C.PBR is not supported on FortiGate.
D.The PBR rule has a higher priority than the default route.
AnswerA

Why this answer

Policy-based routing (PBR) on FortiGate overrides the routing table only when the traffic matches all configured criteria, including the source address. If the source address in the PBR rule does not match 192.168.1.0/24 exactly (e.g., a typo, wrong subnet mask, or missing entry), the traffic falls through to the default route via ISP2. This is the most likely cause because PBR rules are evaluated before the routing table, but only for matching traffic.

Exam trap

The trap here is that candidates often confuse PBR with static routing and assume the default route's administrative distance or priority can override PBR, but PBR is evaluated before the routing table and is not subject to route metrics.

How to eliminate wrong answers

Option B is wrong because administrative distance is a property of routes in the routing table, not of PBR rules; PBR operates before the routing table lookup and is not compared to administrative distance. Option C is wrong because PBR is fully supported on FortiGate, including in NSE4 scope, and is commonly used for multi-WAN setups. Option D is wrong because a higher priority in PBR would make the rule more likely to match, not less; the issue is that the rule is not matching at all, not that it is being overridden by the default route.

966
MCQeasy

Which FortiGate feature allows users to access internal applications without a VPN client?

A.IPsec VPN
B.SSL VPN
C.ZTNA
D.FortiGuard
AnswerC

ZTNA provides agentless access to applications using identity-based policies.

Why this answer

ZTNA (Zero Trust Network Access) enables agentless access to applications based on identity and context.

967
Multi-Selectmedium

An organization wants to implement least privilege for firewall policies. Which THREE best practices should be followed? (Choose three.)

Select 3 answers
A.Use a single schedule covering all days
B.Specify the exact services required (e.g., TCP/443, TCP/22)
C.Apply security profiles (e.g., antivirus, IPS) to inspect allowed traffic
D.Use any any for source and destination to simplify management
E.Use specific source and destination addresses
AnswersB, C, E

Restricts allowed protocols and ports.

Why this answer

Option B is correct because specifying exact services (e.g., TCP/443, TCP/22) enforces least privilege by allowing only the necessary protocols and ports, reducing the attack surface. In FortiGate firewall policies, this is configured under the 'Service' field, where you can select predefined services or create custom ones to match specific TCP/UDP port numbers. This prevents overly permissive rules that could expose services like SMB (TCP/445) or RDP (TCP/3389) unintentionally.

Exam trap

The trap here is that candidates often choose 'Use any any for source and destination to simplify management' (Option D) thinking it reduces administrative overhead, but this directly contradicts the principle of least privilege and is a common misconfiguration in FortiGate environments.

968
MCQeasy

What is the purpose of the 'implicit deny' policy on a FortiGate?

A.It allows traffic from trusted internal networks
B.It denies all traffic that does not match any explicit policy
C.It logs all traffic that is denied
D.It allows all traffic that matches no other policy
AnswerB

The implicit deny acts as a catch-all deny rule.

Why this answer

The 'implicit deny' policy on a FortiGate is a default, last-resort rule that denies all traffic not matching any explicit firewall policy. It ensures that any packet that does not meet the source, destination, service, or schedule criteria of a configured policy is dropped, enforcing a default-deny security posture. This behavior is fundamental to stateful firewall operation and prevents unauthorized traffic from traversing the device.

Exam trap

The trap here is that candidates often confuse the implicit deny with a logging or allow action, or assume it behaves like a default permit, when in fact it silently drops all unmatched traffic without logging unless explicitly configured.

How to eliminate wrong answers

Option A is wrong because the implicit deny does not allow traffic from trusted internal networks; it denies all unmatched traffic regardless of source, and allowing trusted traffic requires explicit permit policies. Option C is wrong because the implicit deny does not inherently log all denied traffic; logging must be explicitly enabled on a deny policy or via global logging settings, and the implicit deny itself generates no log entry by default. Option D is wrong because the implicit deny does not allow traffic; it denies any traffic that does not match an explicit policy, and allowing unmatched traffic would require an explicit permit-all policy at the end of the policy list.

969
MCQhard

An administrator runs 'diagnose debug flow' for a specific source IP and sees the output includes 'no matching policy'. The FortiGate has a firewall policy that should match the traffic. What is the most likely reason for this message?

A.The FortiGate's routing table does not have a route for the destination
B.The firewall policy is disabled or the source/destination interfaces do not match the traffic's ingress/egress interfaces
C.The security profiles applied to the policy are blocking the traffic
D.The session table is full and cannot accept new sessions
AnswerB

If the policy is disabled, or an interface mismatch exists between the policy and the traffic's actual ingress/egress interfaces, the traffic will not match any policy.

Why this answer

'no matching policy' in debug flow indicates that the traffic did not match any firewall policy. Even if a policy exists, it may not match due to incorrect source/destination interfaces, addresses, or other criteria. A common cause is that the traffic is coming from an interface that is not covered by the policy or the policy is disabled.

970
MCQmedium

A network administrator creates a firewall policy allowing HTTP traffic from the internal network to a web server in the DMZ. Users report that they cannot access the web server. The administrator runs 'diagnose firewall iprope list' and sees the policy is present. What is the MOST likely cause of the issue?

A.A deny policy with a lower policy ID is matching the traffic before the allow policy
B.The firewall policy has an incorrect source interface
C.The policy is disabled
D.The web server is not responding to HTTP requests
AnswerA

FortiGate evaluates policies sequentially from top to bottom. If a deny policy appears earlier in the list, it will match and block the traffic before reaching the allow policy.

Why this answer

The 'diagnose firewall iprope list' command confirms the allow policy exists in the FortiGate's kernel policy list, meaning it is present and enabled. However, FortiGate evaluates policies in sequential order based on policy ID (lowest first), so a deny policy with a lower ID that matches the same traffic (e.g., from internal to DMZ) will be hit first, blocking the HTTP request before the allow policy can be evaluated. This is the most likely cause because the policy is present but not being matched due to ordering.

Exam trap

The trap here is that candidates assume 'policy is present' means it is working, but FortiGate's policy order (lowest ID first) means a lower-ID deny policy can override a higher-ID allow policy even if both match the same traffic.

How to eliminate wrong answers

Option B is wrong because an incorrect source interface would cause the policy not to match at all, but the 'diagnose firewall iprope list' output would not show the policy as present for that traffic flow; the administrator would see no matching entry. Option C is wrong because a disabled policy would not appear in the 'diagnose firewall iprope list' output at all, yet the administrator sees it present. Option D is wrong because the web server not responding would result in a timeout or connection reset, but the firewall would still allow the traffic (the policy would match), and the issue would be reported differently; the 'diagnose firewall iprope list' check would not be the first troubleshooting step for a server-side problem.

971
MCQeasy

A network administrator runs the following CLI command on a FortiGate to capture traffic for troubleshooting: 'diagnose sniffer packet any "host 10.0.1.100" 4'. What does the '4' at the end of the command specify?

A.The filter verbosity level
B.The maximum number of packets to capture
C.The time duration in seconds
D.The interface index
AnswerB

The last parameter is count, which limits the number of packets captured.

Why this answer

The fourth parameter in the diagnose sniffer packet command specifies the number of packets to capture.

972
MCQmedium

A network administrator notices that HTTP traffic to a specific website is being blocked by the web filter profile, but the website is categorized as 'General – Personal' in FortiGuard, which is allowed. What could cause this block?

A.The web filter profile has an incorrect FortiGuard category override
B.The antivirus profile is blocking the website
C.A URL filter entry is blocking the specific website
D.DNS filter is blocking the domain
AnswerC

URL filter entries take precedence over FortiGuard categories. A block entry for that domain would cause the block.

Why this answer

The URL filter is applied before FortiGuard categories and can override the category rating. A static URL filter entry blocking the specific website would cause the block even if the category is allowed.

973
MCQmedium

An admin wants to block traffic from a specific geographic region (e.g., North Korea) from reaching the FortiGate's external interface. Which address object type should be used in the firewall policy?

A.Subnet address object
B.Geography address object
C.FQDN address object
D.Wildcard FQDN address object
AnswerB

Geography objects allow matching by country or region.

Why this answer

FortiGate supports geography-based address objects that use IP geolocation databases to match traffic by country.

974
MCQeasy

What is the primary difference between flow-based and proxy-based Antivirus inspection on a FortiGate?

A.Flow-based inspection is only available on hardware models with CP8
B.Proxy-based inspection reassembles the file before scanning, while flow-based scans as the file passes through
C.Proxy-based inspection uses fewer resources than flow-based
D.Flow-based inspection supports virus outbreak detection, but proxy-based does not
AnswerB

This is the key architectural difference: proxy mode buffers the whole object, flow mode streams.

Why this answer

Flow-based inspection uses the FortiASIC for accelerated scanning and has lower latency, while proxy-based inspection reassembles the entire content before scanning, allowing for more thorough detection but with higher resource usage.

975
MCQmedium

A network administrator is configuring a new FortiGate and needs to ensure that all traffic from the internal network to the internet is source NATed to the public IP address on port1. The default route points to port1. Which configuration step is required to achieve this?

A.Configure a static route to the internet with NAT enabled
B.Enable NAT on the firewall policy from internal to internet
C.Set the interface port1 to NAT mode in its settings
D.Create an IP pool with the public IP and reference it in the policy
AnswerB

In a firewall policy, enabling NAT performs source NAT (masquerade) using the egress interface IP.

Why this answer

Option B is correct because source NAT (SNAT) on a FortiGate is configured at the firewall policy level, not on the interface or via a static route. By enabling NAT on the firewall policy from the internal network to the internet, the FortiGate automatically translates the source IP of traffic egressing port1 to the interface's primary IP address (the public IP). This is the standard method for implementing source NAT in FortiOS, as defined in the FortiGate Administration Guide.

Exam trap

The trap here is that candidates often confuse NAT configuration with interface settings or static routes, mistakenly thinking NAT must be enabled on the egress interface or as part of the route, whereas FortiOS applies NAT exclusively at the firewall policy level.

How to eliminate wrong answers

Option A is wrong because static routes in FortiOS do not have a NAT toggle; NAT is not a property of a route but of a firewall policy. Option C is wrong because interfaces in FortiOS do not have a 'NAT mode' setting; NAT is applied per policy, not per interface. Option D is wrong because an IP pool is only required when you need to translate to a specific IP address that is not the interface IP (e.g., for load balancing or PAT with a pool), but the question states the public IP is on port1, so the default interface NAT (enabled in the policy) suffices without an IP pool.
