NSE4 · topic practice

Troubleshooting practice questions

Practise Fortinet NSE 4 Network Security Professional (NSE4) Troubleshooting questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Troubleshooting

What the exam tests

What to know about Troubleshooting

Troubleshooting questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Troubleshooting exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Troubleshooting questions

20 questions · select your answer, then reveal the explanation

Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?

Exhibit

config firewall policy
    edit 1
        set name "SSL-Inspection"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set profile-protocol-options "default"
        set av-profile "default"
        set webfilter-profile "default"
    next
end

Question 2 · hard · multiple choice

A FortiGate administrator is troubleshooting a problem where users cannot access the Internet. The FortiGate has a default route pointing to the ISP gateway. The administrator runs 'execute ping 8.8.8.8' from the FortiGate CLI and it succeeds. However, internal users behind NAT are unable to reach external servers. Which is the most likely cause?

A FortiGate administrator is troubleshooting a high CPU usage issue. The 'get system performance status' command shows that the CPU usage is consistently above 80% with no traffic. Which of the following is the most likely cause?

Match each FortiGate CLI command to its function.

  • Displays current system resource usage
  • Tests network connectivity to a host
  • Traces packet flow through the firewall
  • Displays the entire running configuration
  • Resets the device to factory defaults

You are troubleshooting a FortiGate HA cluster (active-passive) and notice that after a failover, some existing TCP sessions are not being maintained. The hbdev heartbeat interfaces are configured correctly, and session synchronization is enabled. What is the MOST likely cause?

Question 6 · medium · multi select

An administrator is troubleshooting why traffic from a specific subnet (192.168.10.0/24) to the internet is not being matched by the expected firewall policy. The policy list shows an allow policy for this traffic at ID 10, but there is a deny policy at ID 5 for any traffic from 192.168.0.0/16. Which TWO statements are correct?

A FortiGate admin is troubleshooting a policy that should allow VoIP traffic. The admin suspects that the SIP ALG is interfering. Which TWO actions should the admin take to verify or resolve the issue?

Which TWO statements about firewall policy order are true?

Question 9 · hard · multi select

A FortiGate admin is troubleshooting an issue where traffic from VLAN 10 to the internet is not being NATed even though a policy-based NAT rule is configured. The admin verifies that the firewall policy uses the correct IP Pool. Which THREE steps should the admin take to diagnose the problem? (Choose three.)

Question 10 · medium · multi select

A FortiGate admin is troubleshooting an issue where traffic from a specific internal host (10.0.1.50) to the internet is not being NATed as expected. The firewall policy has NAT enabled with an IP pool of type Overload. Which TWO conditions could cause the traffic to bypass the IP pool?

Question 11 · medium · multi select

A FortiGate administrator is troubleshooting a connectivity issue where internal clients cannot reach a public web server. The administrator has confirmed that routing is correct and there are no security profiles blocking traffic. Which TWO debugging steps should the administrator take? (Choose two.)

A FortiGate administrator is troubleshooting why traffic from a specific internal host is not being allowed through a firewall policy. The policy appears correct and is enabled. Which TWO diagnostic commands could the administrator use to determine if the traffic is matching a different policy?

Question 13 · hard · multi select

An admin is troubleshooting why traffic from VLAN 10 to the internet is not being translated by a Central SNAT rule. The Central SNAT rule is configured with source interface 'port2.10', destination interface 'wan1', source address '192.168.10.0/24', and IP pool 'pool1'. The firewall policy for internet access has NAT enabled but no IP pool attached. Which THREE steps should the admin take to resolve the issue? (Choose three.)

An admin is troubleshooting why traffic from a specific host (10.0.1.10) to a web server (203.0.113.50:80) is being denied. The FortiGate has several policies. Which TWO CLI commands should the admin use to identify which policy is matching the traffic? (Choose two.)

Question 15 · medium · multi select

An administrator is troubleshooting a connectivity issue where users in the 10.0.0.0/24 subnet cannot access the internet. The FortiGate has the following policies (in order):

    1: allow 10.0.0.0/24 -> any, service: HTTP, HTTPS
    2: deny any -> any, service: all

Users can browse HTTP but not HTTPS. Which TWO actions would resolve the issue?

Question 16 · hard · multi select

An administrator is troubleshooting why traffic from a specific VLAN (192.168.10.0/24) to the internet is not being NATed correctly. The firewall policy allows the traffic with NAT enabled and uses an IP Pool (overload) for the source translation. The IP Pool is configured with the address 203.0.113.10. However, the traffic still shows the original source IP. Which THREE of the following could cause this issue? (Choose three.)

Question 17 · hard · multi select

A FortiGate administrator is troubleshooting an IPsec VPN between two FortiGates. The tunnel is established, but traffic is not passing. The administrator runs 'diagnose vpn ike log' and sees the following output:

    IKE: phase 2 negotiation completed
    IKE: IPsec SA up

What THREE possible causes should the administrator investigate?

Question 18 · hard · multi select

A FortiGate administrator is troubleshooting an SSL VPN issue where users can authenticate but cannot access any internal resources. The SSL VPN status shows 'connected'. Which THREE commands or actions should be used to diagnose the problem?

Question 19 · medium · multiple choice

During an IPsec VPN troubleshooting, you run 'diagnose vpn ike config' and see the output includes 'peer-id: any'. What does this mean?

Question 20 · medium · multiple choice

A network administrator is troubleshooting an IPsec VPN tunnel between two FortiGates. Phase 1 is up, but Phase 2 fails to establish. The debug command 'diagnose vpn ike log' shows: 'no suitable proposal found'. What is the most likely cause?

Frequently asked questions

What does the NSE4 exam test about Troubleshooting?
Troubleshooting questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Troubleshooting questions in a focused session?
Yes — the session launcher on this page draws every question from the Troubleshooting domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other NSE4 topics?
Use the topic links above to move to related areas, or go back to the NSE4 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the NSE4 exam covers. They are not copied from any real exam or dump site.