NSE4 · topic practice

Firewall Policies and NAT practice questions

Practise NSE4 NAT and PAT questions covering address translation types, inside/outside interface roles, static vs dynamic vs PAT, and troubleshooting missing or incorrect translations.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Firewall Policies and NAT

What the exam tests

What to know about Firewall Policies and NAT

NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.

Static NAT, dynamic NAT and PAT behaviour.

Inside local, inside global, outside local and outside global address meanings.

How NAT affects connectivity between private networks and public destinations.

How to troubleshoot NAT rules, ACL matches and interface direction.

Why learners struggle

Why Firewall Policies and NAT questions are commonly missed

NAT questions are missed when learners confuse the four address types (inside local, inside global, outside local, outside global) or misapply the interface direction. A translation rule can look correct but still fail if the ACL, interface, or direction is wrong.

  • Inside local vs inside global — inside local is the private source, inside global is the translated public address
  • PAT overloads — many sources share one public IP using unique port numbers
  • Interface direction — ip nat inside and ip nat outside must be on the correct interfaces
  • Static NAT vs dynamic NAT vs PAT — each serves a different use case
  • The NAT ACL identifies traffic to translate, not traffic to permit or deny
  • A missing translation can look like a routing problem if the interfaces are misconfigured

Watch out for

Common Firewall Policies and NAT exam traps

  • PAT allows many inside hosts to share one public address by using port numbers.
  • NAT rules depend on correct inside and outside interface configuration.
  • The ACL used for NAT identifies traffic to translate; it is not always a security filtering ACL.
  • Static NAT maps one private address to one public address, while PAT overloads translations.

Practice set

Firewall Policies and NAT questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A network administrator configures a firewall policy to allow HTTP traffic from the internal network (10.0.0.0/8) to a web server (172.16.1.10). Users on the 10.0.0.0/8 network cannot access the web server, but other internal users can. The administrator checks the policy list and sees the policy is enabled and in the correct position. What is the most likely cause?

Question 2 · hard · multiple choice

An organization wants to authenticate VPN users using an LDAP server. They configure an LDAP server object and a user group. However, users are unable to authenticate. The administrator checks the logs and sees 'authentication failed' errors. What is the most common misconfiguration?

Question 3 · easy · multiple choice

A FortiGate administrator needs to allow SMTP traffic from the internal network to an external mail server. The internal network uses source NAT to the external interface IP. Which firewall policy configuration is correct?

Question 4 · medium · multiple choice

Refer to the exhibit. A FortiGate has this policy configured. Traffic from 10.0.1.0/24 to 192.168.1.10 on HTTP is being logged as allowed. However, users report that they cannot access the web server. What is the most likely issue?

Exhibit

config firewall policy
    edit 1
        set name "Allow-HTTP"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "10.0.1.0/24"
        set dstaddr "192.168.1.10"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

Question 5 · hard · multiple choice

Refer to the exhibit. An administrator runs 'diagnose firewall auth list' and sees two authenticated users. The firewall policy requires authentication for HTTP traffic from 10.0.0.0/24 to 192.168.1.10. User 'jsmith' has been idle for 20 minutes, but the authentication session is still active. The idle timeout is set to 30 minutes. What will happen after 30 minutes of inactivity?

Exhibit

FGT # diagnose firewall auth list
1: authid=1 type=ldap user=jsmith src=10.0.0.5 dst=192.168.1.10 proto=6 port=80 duration=1200 timeout=3600
2: authid=2 type=ldap user=ajones src=10.0.0.6 dst=192.168.1.10 proto=6 port=80 duration=600 timeout=3600

Question 6 · medium · multiple choice

A company uses FSSO (Fortinet Single Sign-On) with a domain controller. Users authenticate to the domain, and the FortiGate retrieves the login events. The firewall policy uses the FSSO group. Some users report that after logging in, they cannot access resources that require authentication. The administrator checks the FSSO status and sees that the FortiGate is receiving login events. What is the most likely cause?

Question 7 · easy · multiple choice

An administrator wants to create a firewall policy that blocks all traffic from a specific IP address (10.0.0.99) to the internet, but allows all other traffic. Which policy configuration is correct?

Question 8 · medium · multi-select

Which TWO statements about firewall policy authentication are correct?

Question 9 · hard · multi-select

Which THREE conditions must be met for a firewall policy with FSSO authentication to work correctly?

Question 10 · hard · multiple choice

Refer to the exhibit. An administrator configures the policies as shown. Traffic from 10.0.0.0/8 to the internet on HTTP is denied. What is the most likely reason?

Exhibit

config firewall policy
    edit 0
        set name "Deny-All"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1
        set name "Allow-HTTP"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "10.0.0.0/8"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set logtraffic all
    next
end

Question 11 · easy · multiple choice

A FortiGate administrator wants to restrict access to a sensitive server (10.0.0.100) such that only users who authenticate via LDAP can access it. Which firewall policy configuration is required?

Question 12 · hard · multiple choice

A company has a FortiGate 100F with two ISPs (ISP1 and ISP2) for load balancing. They use SD-WAN to direct traffic. The firewall has a policy that allows HTTP and HTTPS traffic from internal users (10.0.0.0/8) to the internet. The policy uses FSSO authentication with an Active Directory domain controller. Recently, users on the 10.0.1.0/24 subnet report that they are prompted for authentication repeatedly, even though they are domain-joined and logged in. Users on other subnets do not have this issue. The administrator checks the FSSO configuration and sees that the collector agent is running and the FortiGate is receiving login events. The FortiGate's policy is configured with source address 10.0.0.0/8 and FSSO group 'Domain Users'. The administrator also notices that the FortiGate's SD-WAN rules are configured to use ISP1 for traffic from 10.0.0.0/8 except for traffic from 10.0.1.0/24, which uses ISP2. The FortiGate's FSSO collector agent is configured to listen on the IP address 192.168.1.1, which is the IP of the interface connected to ISP1. What is the most likely cause of the authentication issue?

Question 13 · hard · multiple choice

A company uses FortiGate with firewall policies to control access between internal VLANs. Users in VLAN 10 report they can access internet but cannot reach a server in VLAN 20 on port 443. The server is reachable from other VLANs. The administrator checks the firewall policy configuration: there is a policy from VLAN10 to VLAN20 allowing HTTPS, with NAT disabled and logging enabled. The policy has a schedule set to 'Always'. The administrator also checks that there are no overlapping policies. What is the most likely cause?

Question 14 · medium · multiple choice

Given the exhibit, a user in the internal network tries to SSH to a public server (203.0.113.10). What will happen and why?

Exhibit

config firewall policy
    edit 1
        set name "Allow-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
    edit 2
        set name "Block-SSH"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end

Question 15 · easy · multiple choice

A company has a FortiGate with two ISPs: wan1 (primary) and wan2 (backup). They want all outbound traffic from internal users to use wan1, and if wan1 fails, traffic should automatically fail over to wan2. The administrator configures static routes: default route via wan1 gateway with distance 10 and default route via wan2 gateway with distance 20. They also configure an SD-WAN zone with both interfaces and set a strategy of 'Manual' with 'Best Quality' for wan1. After testing, failover does not occur when wan1 goes down. What is the most likely reason?

Question 16 · medium · drag order

Drag and drop the steps to create a firewall policy allowing HTTP traffic from internal to DMZ into the correct order.

Question 17 · medium · drag order

Drag and drop the steps to configure SSL VPN on FortiGate into the correct order.

Question 18 · medium · matching

Match each Fortinet product to its primary role.


  • Next-generation firewall
  • Security information and event management
  • Centralized logging and analytics
  • Centralized management and policy orchestration
  • Advanced threat detection and analysis

Question 19 · medium · matching

Match each FortiGate logging destination to its description.


  • Stored on the FortiGate's internal memory or disk
  • Centralized log collector and analyzer
  • Standard protocol to send logs to external servers
  • Cloud-based log storage and management
  • Used for monitoring device status and performance

Question 20 · medium · multiple choice

A network admin has configured a firewall policy allowing HTTPS traffic from the internal network to a DMZ web server. Users report that the web pages load slowly. The admin checks the policy and notices traffic shaping is not applied. What is the BEST action to ensure fair bandwidth distribution for HTTPS traffic?


Frequently asked questions

What does the NSE4 exam test about Firewall Policies and NAT?
NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Firewall Policies and NAT questions in a focused session?
Yes — the session launcher on this page draws every question from the Firewall Policies and NAT domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other NSE4 topics?
Use the topic links above to move to related areas, or go back to the NSE4 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the NSE4 exam covers. They are not copied from any real exam or dump site.