NSE4 · topic practice

Security Profiles practice questions

Practise Fortinet NSE 4 Network Security Professional (NSE4) Security Profiles questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Profiles

What the exam tests

What to know about Security Profiles

Security Profiles questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Profiles exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Profiles questions

20 questions · select your answer, then reveal the explanation

A network administrator notices that users cannot access HTTPS websites after enabling SSL inspection. The firewall policy allows the traffic, and the certificate is trusted on the clients. What is the most likely cause?

Which FortiGate feature allows you to block access to specific URL categories such as 'Social Media' or 'Gambling'?

An administrator configured SSL inspection with the 'deep-inspection' profile. Users report that some websites fail to load with certificate errors. The firewall policy is correct. What is the most likely reason?

When configuring SSL inspection, which type of inspection decrypts and inspects all HTTPS traffic including applications using non-standard ports?

Question 5 · medium · multiple choice

A company wants to block downloads of executable files via HTTP and HTTPS while allowing other content. Which combination of security profiles should be applied to the firewall policy?

After enabling SSL inspection, a user receives a warning 'The certificate is not trusted' in the browser. The administrator has installed the CA certificate on the client. What else could be the cause?

An administrator wants to inspect SSL traffic to a specific finance application that uses a custom port (9443) and a self-signed certificate. Which configuration is required?

Which of the following is a prerequisite for SSL deep inspection to work correctly on FortiGate?

A user reports that a legitimate website is being blocked by FortiGate web filtering. The administrator checks and finds that the URL category is 'Unrated'. What is the most likely cause?

Which TWO actions can cause SSL inspection to fail with certificate errors on client browsers? (Choose two.)

Which THREE steps are necessary when configuring SSL deep inspection on FortiGate? (Choose three.)

Which TWO web filtering features can be used to block access to malicious websites? (Choose two.)

Question 13 · medium · multiple choice

Refer to the exhibit. The policy applies deep inspection, but users cannot access any HTTPS websites. The FortiGate CA certificate is installed on clients. What is the most likely cause?

Exhibit

config firewall policy
    edit 1
        set name "Web Access"
        set srcintf "internal"
        set dstintf "wan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set ssl-ssh-profile "deep-inspection"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "strict"
    next
end

Question 14 · hard · multiple choice

Refer to the exhibit. A FortiGate SSL VPN user is unable to connect. The debug output shows the error in the exhibit. What is the most likely cause?

Exhibit

diagnose debug application sslvpn -1
debug sslvpn error: SSL_accept failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
debug sslvpn error: SSL_accept failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

A company with 500 employees uses FortiGate as their internet gateway. They recently enabled SSL deep inspection using the built-in CA certificate. After deployment, many users report that they cannot access their online banking websites. The error message in the browser says 'The certificate is not trusted'. The administrator has already pushed the FortiGate CA certificate to all domain-joined computers via Group Policy. However, the problem persists for banking sites. The administrator also notices that banking sites load fine on mobile devices that do not have the CA certificate installed. What is the most likely cause and solution?

Question 16 · medium · multiple choice

A school uses FortiGate for web filtering. They want to block social media sites for students during class hours (8 AM to 3 PM) but allow access for teachers at all times. The network has a single internet connection and all users are in the same subnet. The administrator created a firewall policy for students (source IP range 192.168.1.100-200) and another for teachers (source IP range 192.168.1.10-50). The student policy has a web filter profile that blocks social media. However, teachers are also being blocked from social media during class hours. What is the most likely cause?

Question 17 · medium · multiple choice

A network administrator notices that an IPS sensor is generating excessive false positives for a specific signature. The administrator wants to exclude traffic from a trusted internal server (IP 10.1.1.100) from inspection for that signature only, while keeping other signatures active. Which configuration change should the administrator apply?

A security engineer is designing an application control policy for a corporate network. The goal is to allow Microsoft Teams for business use but block personal use of other collaboration apps like Zoom and Slack. The engineer configures an application control profile with a rule to 'monitor' Microsoft Teams and 'block' Zoom and Slack. However, users report that Zoom is still working. What is the most likely reason?

A company wants to block all peer-to-peer file sharing applications on the network. Which FortiGate feature should be used to achieve this goal?

Question 20 · hard · multiple choice

During a security audit, an administrator finds that an IPS sensor configured with a 'block' action for a critical vulnerability signature is not blocking the associated traffic. The traffic matches the signature, but the action appears as 'pass' in the logs. The IPS sensor is applied to a firewall policy that also has application control enabled. What is the most likely cause?


Frequently asked questions

What does the NSE4 exam test about Security Profiles?
Security Profiles questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Profiles questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Profiles domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other NSE4 topics?
Use the topic links above to move to related areas, or go back to the NSE4 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the NSE4 exam covers. They are not copied from any real exam or dump site.