Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Fortinet NSE 4 Network Security Professional NSE4 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

Scenario questions: 13. Exam code: NSE4. Vendor: Fortinet.

Scenario guide

How to approach "Refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice set

Practice scenarios

Question 1 (easy, multiple choice)

Refer to the exhibit. A network administrator configured an IPsec VPN between the main office and a branch office. Remote users at the branch office report that they cannot access resources in the main office. The tunnel status shows up on both sides. What is the most likely cause of the connectivity issue?

Exhibit

Refer to the exhibit.

config vpn ipsec phase1-interface
    edit "to_Branch"
        set interface "wan1"
        set ike-version 2
        set keylife 86400
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgroup 14
        set remote-gw 203.0.113.5
        set psksecret ENC ...
    next
end
config vpn ipsec phase2-interface
    edit "to_Branch_p2"
        set phase1name "to_Branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

Question 2 (medium, multiple choice)

Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?

Exhibit

Refer to the exhibit.

config firewall policy
    edit 1
        set name "Allow-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "Block-SSH"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

Question 3 (easy, multiple choice)

Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?

Exhibit

Refer to the exhibit.

config firewall policy
    edit 1
        set name "SSL-Inspection"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set profile-protocol-options "default"
        set av-profile "default"
        set webfilter-profile "default"
    next
end

Question 4 (easy, multiple choice)

Refer to the exhibit. An administrator has created an IPS sensor with two entries. The first entry sets severity 'medium' and action 'block'. The second entry sets severity 'critical' and action 'block'. What will happen when a packet triggers an IPS signature with severity 'low'?

Exhibit

Refer to the exhibit.

config ips sensor
    edit "sensor1"
        config entries
            edit 1
                set severity medium
                set action block
            next
            edit 2
                set severity critical
                set action block
            next
        end
    next
end

Question 5 (hard, multiple choice)

Refer to the exhibit. The FortiGate has two default routes. The administrator attempts to ping 8.8.8.8 from the CLI and receives no response. What is the most likely reason?

Exhibit

Refer to the exhibit.

config router static
    edit 1
        set device port1
        set gateway 203.0.113.1
        set dst 0.0.0.0 0.0.0.0
        set distance 10
    next
    edit 2
        set device port2
        set gateway 10.0.0.1
        set dst 0.0.0.0 0.0.0.0
        set distance 20
    next
end

Question 6 (hard, multiple choice)

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

Exhibit

FGT # diagnose firewall auth list
1: authid=1 type=ldap user=jsmith src=10.0.0.5 dst=192.168.1.10 proto=6 port=80 duration=1200 timeout=3600
2: authid=2 type=ldap user=ajones src=10.0.0.6 dst=192.168.1.10 proto=6 port=80 duration=600 timeout=3600

Question 7 (medium, multiple choice)

An administrator has configured the policy shown in the exhibit. Traffic to the web server at 10.0.1.10 over HTTPS is allowed, but users complain that they cannot access the web server's login page. The IPS sensor 'High_Security_Sensor' has a signature that blocks SQL injection attempts. The application list 'Block_Social_Media' blocks Facebook and Twitter. What is the most likely cause of the issue?

Exhibit

Refer to the exhibit.

config firewall policy
    edit 1
        set name "Web-Server"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "10.0.1.10"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ips-sensor "High_Security_Sensor"
        set application-list "Block_Social_Media"
    next
end

Question 8 (medium, multi-select)

An administrator needs to configure a hub-and-spoke IPsec VPN topology. Which TWO settings must be configured on the hub FortiGate to allow spokes to communicate with each other through the hub?

Question 9 (medium, multi-select)

A network admin is configuring a hub-and-spoke VPN with three spokes. Which TWO statements are correct about route-based VPN in this topology?

Question 10 (hard, multiple choice)

A FortiGate in a hub-and-spoke VPN topology has multiple spoke sites connecting via IPsec. The hub administrator wants to enable direct spoke-to-spoke communication without routing traffic through the hub. What technology should be used?

Question 11 (hard, multi-select)

A company has multiple branch offices connected via IPsec VPN in a hub-and-spoke topology. They want to enable direct communication between branch offices without routing traffic through the hub. Which THREE configurations are required on the hub FortiGate? (Choose three.)

Question 12 (medium, multiple choice)

In a hub-and-spoke IPsec VPN topology with FortiGate, the spoke sites cannot communicate directly with each other. What configuration change allows direct spoke-to-spoke communication?

Question 13 (hard, multiple choice)

A FortiGate in a hub-and-spoke VPN topology is configured with a single IPsec tunnel to each spoke. The hub has a route-based VPN with a tunnel interface for each spoke. After a reboot, traffic between spoke A and spoke B fails, although each spoke can reach the hub. What is the likely cause?

These NSE4 practice questions are part of Courseiva's free Fortinet certification practice question bank. Courseiva provides original exam-style NSE4 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.