Question 539 of 1,000
Firewall Policies and NAT · hard · Multiple Select · Objective-mapped

Quick Answer

The answer is to confirm that the firewall policy has NAT enabled, ensure no IP pool is attached to that policy, and verify that the Central SNAT rule’s source and destination interfaces match the traffic flow. This is correct because Central SNAT rules operate as an override to the policy’s NAT settings, but they are only triggered when the firewall policy has NAT enabled and does not have its own IP pool attached; if an IP pool is present on the policy, the Central SNAT rule is bypassed entirely. On the Fortinet NSE 4 exam, this scenario tests your understanding of the interaction between firewall policies and Central NAT rules, a common trap being that candidates assume Central SNAT works independently of the policy’s NAT configuration. A reliable memory tip is “Policy NAT must be on, pool must be gone” — if the policy has an IP pool, Central SNAT is ignored, so always check both the NAT toggle and the pool attachment.

NSE4 Firewall Policies and NAT Practice Question

This NSE4 practice question tests your understanding of Firewall Policies and NAT. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below, and read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An admin is troubleshooting why traffic from VLAN 10 to the internet is not being translated by a Central SNAT rule. The Central SNAT rule is configured with source interface 'port2.10', destination interface 'wan1', source address '192.168.10.0/24', and IP pool 'pool1'. The firewall policy for internet access has NAT enabled but no IP pool attached. Which THREE steps should the admin take to resolve the issue? (Choose three.)



Correct answer & explanation

Verify that the firewall policy does not have an IP pool configured

Central SNAT rules require that the firewall policy has NAT enabled but no IP pool attached. If the policy has an IP pool, Central SNAT is bypassed. The Central SNAT rule must also match the traffic's source interface and destination interface. The common causes of a Central SNAT rule not applying are therefore: the policy has an IP pool attached, the policy's NAT option is disabled, or the Central SNAT rule specifies the wrong interface.

Key principle: A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Verify that the firewall policy does not have an IP pool configured

    Why this is correct

    If an IP pool is attached, it overrides Central SNAT.

    Related concept

    Access ports place end devices into a single VLAN.

  • Ensure the Central SNAT rule's IP pool is configured with overload enabled

    Why it's wrong here

    Overload is not required for Central SNAT to work; it's a setting within the pool.

  • Check that the Central SNAT rule's source interface matches the actual incoming interface (port2.10)

    Why this is correct

    If the rule's source interface does not match the interface the traffic actually arrives on, the Central SNAT rule will never match that traffic.

    Related concept

    Access ports place end devices into a single VLAN.

  • Disable NAT on the firewall policy to force Central SNAT usage

    Why it's wrong here

    If NAT is disabled on the policy, Central SNAT will not be used, because Central SNAT requires NAT to be enabled on the matching policy.

  • Confirm that the firewall policy's 'NAT' option is enabled

    Why this is correct

    Central SNAT requires NAT to be enabled on the policy.

    Related concept

    Access ports place end devices into a single VLAN.

Common exam traps

Common exam trap: an active trunk can still block the VLAN you need

A trunk being up does not prove every VLAN is crossing it. Check allowed VLAN lists, native VLAN mismatch, VLAN existence and access-port assignment.

Detailed technical explanation

How to think about this question

VLAN questions usually combine access-port and trunking clues. The key is to identify whether the issue is local to one switchport, caused by the trunk, or caused by the VLAN not existing where it needs to exist.

Key Concepts to Remember

  • Access ports place end devices into a single VLAN.
  • Trunk ports carry multiple VLANs between switches.
  • Allowed VLAN lists decide which VLANs can cross a trunk.
  • Native VLAN mismatch can create confusing symptoms.

Exam Day Tips

  • Use show vlan brief to verify access VLANs.
  • Use show interfaces trunk to verify trunk state and allowed VLANs.
  • Do not treat every same-VLAN issue as a routing problem.

Key takeaway

A trunk being up does not mean the VLAN is allowed across it. Always verify the allowed VLAN list and whether the VLAN exists on both switches.

Real-world example

How this comes up in practice

A help-desk technician troubleshoots why a newly connected PC cannot reach shared printers on the same floor. The cable is good, the switch port is active, but the PC is in VLAN 20 and the printers are in VLAN 10. The uplink trunk only allows VLAN 10. A trunk being up does not mean every VLAN crosses it.

What to study next

Got this wrong? Here's your next step.

Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related NSE4 questions on switching, trunking, and access-port configuration.

Related practice questions

Related NSE4 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free NSE4 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this NSE4 question test?

This question tests Firewall Policies and NAT — Access ports place end devices into a single VLAN.

What is the correct answer to this question?

The correct answer is: Verify that the firewall policy does not have an IP pool configured — Central SNAT rules require that the firewall policy has NAT enabled but no IP pool attached. If the policy has an IP pool, Central SNAT is bypassed. Also, the Central SNAT rule must match the traffic's source interface and destination interface. Common issues: policy has an IP pool attached, or the policy's NAT is disabled, or the Central SNAT rule's interface is wrong.

What should I do if I get this NSE4 question wrong?

Review VLAN allowed lists, native VLAN mismatch detection, and how to verify VLAN membership with show vlan brief and show interfaces trunk. Then practise related NSE4 questions on switching, trunking, and access-port configuration.

What is the key concept behind this question?

Access ports place end devices into a single VLAN.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

2 more ways this is tested on NSE4

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. An admin configures a Central SNAT rule to translate internal 192.168.1.0/24 to 203.0.113.10 when accessing the internet. However, traffic from 192.168.1.100 to 8.8.8.8 shows source IP 192.168.1.100 in logs. What is the MOST likely cause?

Difficulty: hard
  • A. The Central SNAT rule is disabled
  • B. The Central SNAT rule is applied to the wrong outgoing interface
  • C. The firewall policy has an IP pool configured, overriding Central SNAT
  • D. The destination address in the Central SNAT rule is incorrect

Why C: Central SNAT rules are only used when the firewall policy has NAT enabled but no specific IP pool configured. If the policy uses policy-based NAT (i.e., an IP pool is attached), that policy-based NAT overrides the Central SNAT rule and the rule is bypassed.

Variation 2. An admin configures a central SNAT rule to translate source IP 10.0.0.0/24 to IP pool 203.0.113.1-203.0.113.10 using overload (PAT). A policy-based NAT on a specific policy also translates the same source to the interface IP. Traffic from 10.0.0.0/24 to the internet shows source IP as the interface IP, not from the IP pool. What is the reason?

Difficulty: hard
  • A. The central SNAT rule is disabled
  • B. The policy is using fixed port range
  • C. Policy-based NAT overrides central SNAT rules
  • D. The IP pool is out of addresses

Why C: Policy-based NAT takes precedence over central SNAT. Since the policy has NAT enabled (policy-based), it overrides the central SNAT rule.

Last reviewed: Jun 21, 2026


This NSE4 practice question is part of Courseiva's free Fortinet certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the NSE4 exam.