Exam dumps
Every month we help more than 1000 people prepare well for their exams and pass them.

Fortinet NSE4_FGT_AD-7.6 Exam

Fortinet NSE 4 - FortiOS 7.6 Administrator Online Practice

Last updated: 14 February 2026

By working through the online practice questions you can gauge how well you know the Fortinet NSE4_FGT_AD-7.6 exam material before deciding whether to register for the exam.

If you want to pass the exam with a 100% pass rate and cut your preparation time by 35%, choose the NSE4_FGT_AD-7.6 dumps (latest real exam questions), which currently contain 296 exam questions and answers.


Question No : 1


Refer to the exhibit.



As an administrator you have created an IPS profile, but it is not performing as expected. While testing, you got the output shown in the exhibit.
What could be the possible reason for the diagnose output shown in the exhibit?

Answer:
Explanation:
The exhibit shows the output of the following command:
diagnose test application ipsmonitor 1
pid = 2044, engine count = 0 (+1)
0 - pid:2074:2074 cfg:1 master:0 run:1
How to interpret this output (FortiOS 7.6 IPS internals)
ipsmonitor displays the status of IPS engines running on the FortiGate.
engine count = 0 means:
No IPS scanning engines are currently active
IPS is not processing any traffic
In FortiOS, IPS engines are started on demand.
Critical documented behavior
IPS processes are only spawned when at least one firewall policy is configured with an IPS profile and traffic matches that policy.
If no firewall policy references an IPS profile, the IPS engine:
Does not start
Shows engine count = 0
Appears “not working,” even though the IPS profile exists
This is exactly what the diagnose output indicates.
Why option A is correct
A. There is no firewall policy configured with an IPS security profile.
Creating an IPS profile alone is not sufficient
IPS must be applied to an active firewall policy
Traffic must match that policy for the IPS engine to run
Otherwise, ipsmonitor will show engine count = 0
This matches FortiOS 7.6 IPS operational behavior.
Why the other options are incorrect
B. Administrator entered the command diagnose test application ipsmonitor 5.
Incorrect.
The exhibit clearly shows ipsmonitor 1
Using a different argument would not explain engine count = 0.
C. FortiGate entered into IPS fail open state.
Incorrect.
In fail-open, IPS engines may be bypassed, but they still initialize.
engine count = 0 specifically indicates that IPS is not in use at all.
D. Administrator entered the command diagnose test application ipsmonitor 99.
Incorrect.
The command argument affects the debug level, not engine creation.
Again, the exhibit shows ipsmonitor 1.

Question No : 2


An administrator manages a FortiGate model that supports NTurbo. How does NTurbo acceleration enhance antivirus performance?

Answer:
Explanation:
According to the FortiOS 7.6 Administration Guide and Fortinet hardware acceleration (NTurbo) documentation, the correct answer is A.
What NTurbo Is (FortiOS 7.6, verified)
NTurbo is a hardware-based acceleration feature available on specific FortiGate models. It is designed to improve antivirus and IPS performance when operating in flow-based inspection mode.
NTurbo works by creating a fast, optimized data path between:
FortiGate ingress interface
IPS/AV engine
FortiGate egress interface
This minimizes CPU involvement and reduces packet traversal overhead.
Why Option A Is Correct
A. For flow-based inspection, NTurbo establishes a dedicated data path to redirect traffic between the IPS engine and FortiGate ingress and egress interfaces.
This is exactly how NTurbo works, as documented:
NTurbo applies to flow-based inspection only
It accelerates IPS and antivirus scanning
It creates a dedicated fast path that bypasses unnecessary processing steps
This significantly improves throughput and lowers latency
This description matches Fortinet’s official explanation of NTurbo.
Why the Other Options Are Incorrect
B. NTurbo creates two inspection sessions
Incorrect. NTurbo does not duplicate sessions; it optimizes the packet path.
C. NTurbo offloads traffic to the content processor (proxy-based)
Incorrect. NTurbo does not apply to proxy-based inspection and does not offload to content processors.
D. NTurbo buffers the whole file and then sends it to the antivirus engine
Incorrect. Buffering entire files is a proxy-based behavior, not NTurbo.

Question No : 3


0.11.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on HQ-PC-1 (10.0.11.50) pings the IP address of BR-FGT (100.65.1.111)?

Answer:
Explanation:
From the exhibits, there are three relevant firewall policies from LAN (port4) to WAN (port2), each using a different IP pool for source NAT:
TCP traffic
Service: ALL_TCP
Destination: BR1-FGT
IP Pool: SNAT-Pool → 100.65.0.49
PING traffic
Service: PING
Destination: all
IP Pool: SNAT-Remote1 → 100.65.0.99
IGMP traffic
Service: IGMP
Destination: all
IP Pool: SNAT-Remote → 100.65.0.149
The user on HQ-PC-1 (10.0.11.50) is pinging BR1-FGT (100.65.1.111). In FortiOS, policy matching is based on (among other fields) source, destination, and service, and the first matching policy in top-down order is applied.
Because the traffic is ICMP echo (ping), it matches the policy named PING traffic (service PING, destination all). That policy explicitly uses Use Dynamic IP Pool with SNAT-Remote1, which is configured with external IP 100.65.0.99.
Therefore, the source NAT IP used for this ping is 100.65.0.99.

Question No : 4


When configuring firewall policies which of the following is true regarding the policy ID? (Choose two.)

Answer:
Explanation:
According to the FortiOS 7.6 Administration Guide, the firewall policy ID is a unique numerical identifier assigned to each policy for internal database tracking and management purposes. It is important to distinguish the policy ID from the policy sequence. While the FortiGate processes traffic based on a top-down approach (the sequence), the policy ID itself does not determine the order of execution (Statement A is incorrect).
In FortiOS, once a policy is committed to the configuration, the policy ID cannot be modified (Statement B). If an administrator needs to change a policy ID, they must either delete and recreate the policy or use the clone command in the CLI to copy the settings to a new ID.
Furthermore, the CLI provides a specific shortcut for policy creation: you can create a policy with ID 0 (Statement C). When the command edit 0 is used within the config firewall policy context, the FortiOS kernel automatically assigns the next available integer as the policy ID. This is a standard practice for efficient configuration via the command line. Statement D is incorrect because, while every policy must have an ID, the GUI automatically generates this value without requiring the user to manually provide or even see it during the initial creation process.

Question No : 5


Refer to the exhibit.



A firewall policy to enable active authentication is shown.
When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
What is the most likely reason for this situation?

Answer:
Explanation:
Based on the exhibit and FortiOS 7.6 Active Authentication (captive portal) behavior, the most likely reason the user is not presented with a login prompt is that DNS is missing from the firewall policy.
What the exhibit shows
The firewall policy configured for active authentication includes:
Source: HQ_SUBNET and Remote-users
Destination: all
Services:
HTTP
HTTPS
ALL_ICMP
Security Profiles: Web filter and SSL inspection enabled
Authentication: Active (user group referenced)
DNS is not included as a service in the policy.
Why DNS is required for active authentication
In FortiOS 7.6, active authentication (captive portal) works as follows:
The user attempts to access a website using a URL (for example, www.example.com).
The client must first perform a DNS lookup to resolve the domain name.
FortiGate intercepts the initial HTTP/HTTPS request and redirects the user to the authentication portal.
If DNS traffic is blocked or not allowed:
The hostname cannot be resolved.
The HTTP/HTTPS request never properly occurs.
FortiGate has nothing to intercept, so the login prompt is never triggered.
This is explicitly documented in the FortiOS 7.6 Authentication and Captive Portal requirements, which state that DNS must be permitted for captive portal-based authentication to function correctly.
Why the other options are incorrect
A. No matching user account exists for this user
Incorrect.
If the user account did not exist, the login page would still appear, but authentication would fail after credentials are entered.
B. The Remote-users group must be set up correctly in the FSSO configuration
Incorrect.
This policy is using active authentication, not FSSO.
FSSO configuration is irrelevant for active authentication login prompts.
C. The Remote-users group is not added to the Destination
Incorrect.
User groups are applied in the Source field for authentication-based policies. Destination does not accept user groups.

Question No : 6


Refer to the exhibits.









Based on the current HA status, an administrator updates the override and priority parameters on HQ-NGFW-1 and HQ-NGFW-2 as shown in the exhibits.
What would be the expected outcome in the HA cluster?

Answer:
Explanation:
From the current HA status, HQ-NGFW-1 is the primary and HQ-NGFW-2 is the secondary.
The administrator then changes these HA parameters:
HQ-NGFW-1: set override disable, set priority 90
HQ-NGFW-2: set override enable, set priority 110
In FGCP (A-P mode), the override (preemption) feature controls whether a higher-priority unit is allowed to take over the primary role.
When override is enabled, the cluster will prefer (and can re-elect) the unit with the highest device priority to become primary (preempting a lower-priority primary when conditions trigger re-election behavior as defined by FGCP).
Here, HQ-NGFW-2 has:
override enabled
higher priority (110) than HQ-NGFW-1 (90)
Therefore, the expected result is that HQ-NGFW-2 becomes the primary.
Why the other options are incorrect:
B is incorrect because it claims HQ-NGFW-2 has lower priority (it is higher: 110 > 90).
C is incorrect because a mismatch in the override setting is not what causes the “configuration out of sync” condition shown in get system ha status (that is about synchronized configuration databases, not a requirement that override values must match to remain in-sync).
D is incorrect because HA settings like override/priority are not synchronized in the way regular configuration objects are; they are device-level HA parameters.

Question No : 7


Which two statements are correct when the FortiGate device enters conserve mode? (Choose two.)

Answer:

Question No : 8


Refer to the exhibits.









A diagram of a FortiGate device connected to the network, together with the firewall policy and IP pool configuration on the FortiGate device, is shown.
Two PCs, PC1 and PC2, are connected behind the FortiGate and can access the internet successfully. However, when the administrator adds a third PC (PC3) to the network, that PC cannot connect to the internet.
Based on the information shown in the exhibits, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)

Answer:
Explanation:
From the exhibits:
The firewall policy has NAT enabled and is configured to Use Dynamic IP Pool.
The selected IP pool (Internet-pool) is configured as:
Type: One-to-One
External IP Range: 100.65.0.110 to 100.65.0.111 (only two public IPs)
PC1 and PC2 can access the internet because each one-to-one NAT mapping consumes one public IP from the pool. When PC3 is added, there is no third public IP available in the pool, so FortiGate cannot allocate a one-to-one mapping for PC3 and the session fails.
FortiOS behavior here is standard: with one-to-one IP pools, the available pool size limits how many distinct internal sources can be translated concurrently (depending on allocation and sessions), and a pool with only two IPs will not reliably support three separate hosts needing translations.
Therefore, the administrator can fix this in two valid ways:
B. In the IP pool configuration, set end ip to 100.65.0.112.
This expands the pool by adding an additional public IP address, making three public IPs available (.110, .111, .112), so PC3 can be assigned an address for one-to-one NAT.
D. In the IP pool configuration, set type to overload.
Changing the pool type to overload enables PAT (many-to-one), allowing multiple internal hosts (PC1, PC2, PC3) to share the pool address(es) using different source ports. This removes the “one public IP per internal host” limitation inherent to one-to-one pools.
Why the other options are not correct:
A. Multiple Interface Policies is unrelated to IP pool exhaustion and does not solve NAT allocation limits.
C. match-vip affects VIP matching behavior for destination NAT/virtual IP usage and does not address the source NAT pool shortage causing PC3 to fail.
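The pool-exhaustion behaviour and the two fixes above, modelled as an added example (this is not FortiOS code). The pool name and external range mirror the exhibit; the PC addresses are constructed, and the allocation logic is a simplified model of one-to-one versus overload (PAT) pools.

```python
"""Model of FortiGate source-NAT IP pool allocation (added example, not FortiOS code).

One-to-one pools give every internal host its own external address; overload
pools let hosts share an address and tell sessions apart by translated source
port.  Which overload address a host gets, and how ports are chosen, is
simplified here.
"""
from ipaddress import IPv4Address
from itertools import count


class PoolExhausted(Exception):
    """Raised when a one-to-one pool has no free external address left."""


class IpPool:
    def __init__(self, name, start_ip, end_ip, pool_type):
        if pool_type not in ("one-to-one", "overload"):
            raise ValueError(pool_type)
        self.name = name
        self.type = pool_type
        start, end = int(IPv4Address(start_ip)), int(IPv4Address(end_ip))
        self.external = [IPv4Address(n) for n in range(start, end + 1)]
        self.one_to_one_map = {}       # internal IP -> external IP (one-to-one only)
        self.next_port = count(1024)   # next translated source port (overload only)

    def translate(self, internal_ip, src_port):
        """Return (external_ip, external_port) for a new session from internal_ip."""
        if self.type == "one-to-one":
            if internal_ip not in self.one_to_one_map:
                used = set(self.one_to_one_map.values())
                free = [ip for ip in self.external if ip not in used]
                if not free:
                    raise PoolExhausted(f"{self.name}: no free external IP for {internal_ip}")
                self.one_to_one_map[internal_ip] = free[0]
            # one-to-one keeps the source port; only the address is rewritten
            return self.one_to_one_map[internal_ip], src_port
        # overload (PAT): hosts share the first address, each session gets its own port
        return self.external[0], next(self.next_port)


# Constructed internal addresses for PC1, PC2 and PC3 (not taken from the exhibit).
PCS = {"PC1": "10.0.1.10", "PC2": "10.0.1.11", "PC3": "10.0.1.12"}


def open_one_session_each(pool):
    """Return {pc: 'ext_ip:port'} for hosts that translate, None where the pool is exhausted."""
    result = {}
    for pc, ip in PCS.items():
        try:
            ext_ip, ext_port = pool.translate(ip, 40000)
            result[pc] = f"{ext_ip}:{ext_port}"
        except PoolExhausted:
            result[pc] = None
    return result


def exhibit_pool():
    """One-to-one pool holding only .110 and .111: PC3 finds no address to map to."""
    return open_one_session_each(IpPool("Internet-pool", "100.65.0.110", "100.65.0.111", "one-to-one"))


def fix_b_extend_range():
    """Option B: set end ip to .112, which frees a third address for PC3."""
    return open_one_session_each(IpPool("Internet-pool", "100.65.0.110", "100.65.0.112", "one-to-one"))


def fix_d_overload():
    """Option D: set type to overload, so all three PCs share an address via PAT."""
    return open_one_session_each(IpPool("Internet-pool", "100.65.0.110", "100.65.0.111", "overload"))


if __name__ == "__main__":
    for label, fn in (("exhibit", exhibit_pool), ("fix B", fix_b_extend_range), ("fix D", fix_d_overload)):
        print(label, fn())
```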

Question No : 9


You have created a web filter profile named restrict media-profile with a daily category usage quota.
When you are adding the profile to the firewall policy, the restrict_media-profile is not listed in the available web profile drop down.
What could be the reason?

Answer:
Explanation:
In FortiOS 7.6, web filter profiles are inspection-mode dependent. Certain advanced web filtering features, such as the daily category usage quota, are only supported when the firewall policy is operating in proxy-based inspection mode.
Why the profile is not visible
The profile restrict media-profile includes a daily category usage quota.
Daily quotas are a proxy-based web filtering feature.
If the firewall policy is configured with:
Inspection mode: Flow-based
Then FortiGate will not display proxy-only web filter profiles in the Web Filter drop-down list.
FortiGate automatically filters the available profiles based on feature compatibility with the policy’s inspection mode.
This behavior is explicitly documented in the FortiOS 7.6 Web Filtering and Inspection Mode Compatibility sections.
Why the other options are incorrect
A. Already referenced in another firewall policy
Web filter profiles can be reused across multiple policies. This does not hide them.
B. Firewall policy is in no-inspection mode instead of deep-inspection
SSL inspection depth affects HTTPS visibility, not whether a web filter profile appears in the drop-down list.
C. Naming convention restriction
FortiOS does not restrict profile selection based on naming conventions.

Question No : 10


Refer to the exhibit.



A RADIUS server configuration is shown.
An administrator added a configuration for a new RADIUS server. While configuring it, the administrator enabled Include in every user group.
What is the impact of enabling Include in every user group in a RADIUS configuration?

Answer:
Explanation:
Based on the FortiOS 7.6 Authentication and User Group documentation, the correct answer is A.
Meaning of “Include in every user group” (FortiOS 7.6)
When configuring a RADIUS server on FortiGate, enabling Include in every user group has a very specific and documented effect:
The configured RADIUS server object is automatically added to all FortiGate user groups.
As a result, any user who successfully authenticates against that RADIUS server becomes a valid member of every FortiGate user group, unless additional group filtering (such as RADIUS attributes) is applied.
This simplifies configuration when the same external authentication source must be accepted across multiple firewall policies that reference different user groups.
This behavior is explicitly described in the FortiOS 7.6 Administrator Guide under RADIUS authentication servers and user groups.
Why Option A is Correct
FortiGate user groups can include:
Local users
LDAP servers
RADIUS servers
Enabling Include in every user group causes FortiGate to:
Insert the RADIUS server into all existing and future FortiGate user groups
Therefore, all users authenticating via this RADIUS server are implicitly allowed in every FortiGate user group.
This is exactly what option A describes.
Why the Other Options Are Incorrect
B: FortiGate does not push users or groups into the RADIUS server. Authentication is always initiated by FortiGate toward RADIUS.
C: FortiGate does not manage or modify RADIUS-side group definitions.
D: LDAP and RADIUS user groups are separate authentication mechanisms; this setting does not merge or affect LDAP groups.

Question No : 11


An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table.
Which two statements about this scenario are correct? (Choose two.)

Answer:
Explanation:
With a dialup IPsec VPN on FortiGate, when add-route is enabled, FortiGate will only install the corresponding route when it has enough negotiated information from the tunnel. In FortiOS 7.6, that means the route is tied to the Phase 2 (Quick Mode) selectors and is created dynamically when the IPsec SA is actually up.
B. The administrator must ensure phase 2 is successfully established
This is required. FortiGate does not install the add-route route just because Phase 1 exists or because the configuration is present. The route is added when the tunnel is effectively usable, which requires Phase 2 (IPsec SA) to be up. If Phase 2 is not established, there is no active SA and FortiGate will not inject the related route into the routing table.
So, if the static route is not showing, one correct explanation is that Phase 2 is not up.
C. The administrator must define the remote network correctly in the phase 2 selectors
This is also required. For dialup tunnels, FortiGate derives what route to add from the remote subnet(s) defined in the Phase 2 selector (proxy ID). If the remote network in Phase 2 is missing, incorrect, or too broad/too narrow in a way that prevents negotiation, the tunnel either won’t come up (so no route), or the route that would be installed won’t match what the administrator expects.
So, another correct explanation is that the Phase 2 remote network is not correctly defined, preventing the correct route from being created.
Why the other options are incorrect
A. Policy route instead of a static route
Add-route does not require policy routes. It is specifically a feature that injects a route (route-table entry) associated with the IPsec tunnel/SA and the Phase 2 selector networks.
D. Enable a dynamic routing protocol
Dynamic routing protocols (OSPF/BGP/RIP) are not required for add-route. Add-route is independent of dynamic routing and works by installing routes locally based on the negotiated selectors.

Question No : 12


Refer to the exhibit.



Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)

Answer:

Question No : 13


Refer to the exhibits.






You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
You cannot access any of the Google applications, but you are able to access www.fortinet.com.
Which two actions would you take to resolve the issue? (Choose two.)

Answer:
Explanation:
From the exhibits:
The firewall policy has Application Control enabled and uses certificate-inspection for SSL inspection.
The application sensor has Application and Filter Overrides with the following order (priority):
Excessive-Bandwidth with action Block
Google (vendor filter) with action Monitor
In FortiOS, Application and Filter Overrides are evaluated by priority (top-down). The first matching override is applied. If traffic matches an earlier override with Block, it will be blocked even if a later override would Monitor/Allow it.
Why Google apps fail while www.fortinet.com works:
Many Google applications can be detected as (or can trigger) the Excessive-Bandwidth behavior/signature depending on the specific service and traffic pattern.
Because Excessive-Bandwidth (Block) is above Google (Monitor), Google-related traffic may match the first rule and be blocked before the Google override is evaluated.
Access to www.fortinet.com works because that traffic does not match the Excessive-Bandwidth override.
Therefore, to resolve:
B. Move up Google in the Application and Filter Overrides section to set its priority higher
This ensures Google matches the Google override before any broader blocking override is applied.
E. Set the action for Google in the Application and Filter Overrides section to Allow
This explicitly permits Google applications once the higher-priority match occurs (stronger than Monitor for troubleshooting and ensuring access).
Why the other options are not the best fit here:
A (deep-content inspection) can help identify more HTTPS applications, but the exhibit already shows a specific Google override configured; the immediate issue is the override evaluation order and action.
C relates to Web Filter URL categories, but the problem is occurring under Application Control behavior/vendor overrides.
D (flow-based) is not required to fix an override priority/action conflict.

Question No : 14


Refer to the exhibit.



What would be the impact of these settings on the Server certificate SNI check configuration on FortiGate?

Answer:
Explanation:
Based on the exhibit and the FortiOS 7.6 SSL/SSH Inspection documentation, the correct answer is C.
Understanding the Exhibit Configuration
In the SSL/SSH Inspection Profile, the following settings are shown:
Inspection method: Full SSL Inspection
Server certificate SNI check: Strict
This setting directly controls how FortiGate validates the Server Name Indication (SNI) provided by the client during the TLS handshake.
FortiOS 7.6 Behavior of “Server certificate SNI check”
FortiOS supports three modes for Server certificate SNI check:
Disable
No validation between SNI and server certificate.
Enable
FortiGate checks SNI against the certificate.
If mismatch occurs, FortiGate may still allow the session with reduced validation.
Strict
FortiGate enforces a strict match.
The SNI must match either the CN (Common Name) or one of the SAN (Subject Alternative Name) entries in the server certificate.
If the SNI does not match either CN or SAN, the TLS session is immediately terminated.
The exhibit clearly shows Strict selected.
Why Option C is Correct
With Strict enabled, FortiGate rejects the TLS connection when:
The SNI does not match the CN, and
The SNI does not match any SAN entry
This results in the connection being closed, not allowed with warnings or fallback behavior.
Therefore:
Option C, "FortiGate will close the connection if the SNI does not match the CN or SAN fields," is exactly the documented behavior.
Why the Other Options Are Incorrect
A: FortiGate does not fall back to using the CN for URL filtering when Strict is enabled.
B: There is no “accept with warning” behavior in Strict mode.
D: Incorrect logical condition. FortiGate does not require mismatch with both CN and SAN simultaneously; a mismatch with either valid field set is sufficient to close the connection.
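The three SNI check modes described above, as an added example (not FortiOS code): Strict closes the session unless the SNI matches the CN or one SAN entry, Enable records the mismatch but lets the session continue, and Disable compares nothing. The certificate is a constructed list of names rather than a parsed X.509 object, and the wildcard matching rule is the usual single-label one.

```python
"""Model of the "Server certificate SNI check" modes (added example, not FortiOS code)."""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    cn: str
    sans: list = field(default_factory=list)


def name_matches(pattern, hostname):
    """Case-insensitive hostname match; a leading '*.' label matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def sni_matches_cert(sni, cert):
    """True if the SNI matches the CN or any SAN entry."""
    return any(name_matches(name, sni) for name in [cert.cn, *cert.sans])


def sni_check(mode, sni, cert):
    """Return (action, mismatch).

    action   : 'pass' (session continues) or 'close' (TLS session terminated)
    mismatch : True/False when a comparison was made, None in 'disable' mode
    """
    if mode not in ("disable", "enable", "strict"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "disable":
        return "pass", None                 # no validation between SNI and certificate
    mismatch = not sni_matches_cert(sni, cert)
    if mode == "strict" and mismatch:
        return "close", True                # SNI matches neither CN nor any SAN: terminate
    return "pass", mismatch                 # enable: session continues even on mismatch


# Constructed certificate: CN plus two SANs, one of them a wildcard.
EXAMPLE_CERT = ServerCert(cn="www.example.com", sans=["example.com", "*.example.com"])

if __name__ == "__main__":
    for sni in ("www.example.com", "api.example.com", "deep.api.example.com", "other.test"):
        print(sni, {m: sni_check(m, sni, EXAMPLE_CERT) for m in ("disable", "enable", "strict")})
```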

Question No : 15


Refer to the exhibit.



A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)

Answer:
Explanation:
Phase 1 being up confirms the two FortiGate devices can authenticate and build the IKE SA. Phase 2 failing indicates the IPsec (Quick Mode) SA negotiation is failing due to mismatched Phase 2 parameters.
From the exhibit, the Phase 2 mismatches that would prevent SA establishment are:
1) Phase 2 selectors must mirror each other (Proxy IDs)
HQ-NGFW Phase 2 selector shows:
Local: 10.0.11.0/24
Remote: 172.20.1.0/24
BR1-FGT Phase 2 selector shows:
Local: 172.20.1.0/24
Remote: 10.11.0.0/24 ⟵ does not match HQ's local subnet (10.0.11.0/24)
In FortiOS, Phase 2 comes up only when the peers’ selectors (proxy IDs) match as opposite pairs (local on one side = remote on the other).
✅ Fix:
A. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
2) Phase 2 proposal must match (encryption/authentication)
HQ-NGFW shows encryption AES128 (with SHA1)
BR1-FGT shows encryption AES256 (with SHA1)
For Phase 2 to establish, both peers must have at least one common proposal (same encryption and authentication settings). With one side set to AES128 and the other to AES256, there is no match.
✅ Fix:
D. On HQ-NGFW, set Encryption to AES256.
Why the other options are not correct
B. Enable Diffie-Hellman Group 2: The exhibit’s mismatch is not resolved by adding DH group 2, and DH group must match when PFS is enabled. This option does not align the peers based on what’s shown.
C. Set Seconds to 43200: Phase 2 lifetime mismatches typically do not prevent Phase 2 from coming up (the negotiated lifetime can be adjusted by the peers). The hard blockers here are the selectors and proposal mismatch.
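A comparison of the two peers' Phase 2 settings that reports the selector and proposal mismatches discussed above, as an added example (not FortiOS code). Selectors and proposals mirror the exhibit for HQ-NGFW and BR1-FGT; the PFS DH groups and lifetimes are constructed values, since the exhibit does not show them, and a lifetime difference is reported as a warning rather than a blocker, as the explanation states.

```python
"""Check two peers' Phase 2 settings for negotiation blockers (added example, not FortiOS code)."""
from copy import deepcopy
from ipaddress import ip_network

HQ_NGFW = {
    "name": "HQ-NGFW",
    "local": "10.0.11.0/24", "remote": "172.20.1.0/24",
    "proposals": [("aes128", "sha1")],
    "pfs": True, "dhgrp": [14],      # constructed, not shown in the exhibit
    "lifetime": 43200,               # constructed
}
BR1_FGT = {
    "name": "BR1-FGT",
    "local": "172.20.1.0/24", "remote": "10.11.0.0/24",
    "proposals": [("aes256", "sha1")],
    "pfs": True, "dhgrp": [14],      # constructed
    "lifetime": 3600,                # constructed
}


def net(text):
    """Parse a subnet given either as 10.0.11.0/24 or as 10.0.11.0/255.255.255.0."""
    return ip_network(text, strict=False)


def phase2_mismatches(a, b):
    """Return {'blockers': [...], 'warnings': [...]} for peers a and b.

    Empty 'blockers' means the selectors, proposals and (with PFS) DH groups
    allow the IPsec SA to be negotiated.
    """
    blockers, warnings = [], []
    # 1) Selectors (proxy IDs) must be mirror images: a.local == b.remote and a.remote == b.local
    if net(a["local"]) != net(b["remote"]):
        blockers.append(f"{b['name']} remote {b['remote']} != {a['name']} local {a['local']}")
    if net(a["remote"]) != net(b["local"]):
        blockers.append(f"{a['name']} remote {a['remote']} != {b['name']} local {b['local']}")
    # 2) At least one common (encryption, authentication) proposal is required
    if not set(a["proposals"]) & set(b["proposals"]):
        blockers.append(f"no common proposal: {a['proposals']} vs {b['proposals']}")
    # 3) With PFS enabled, the peers also need a common DH group
    if a["pfs"] and b["pfs"] and not set(a["dhgrp"]) & set(b["dhgrp"]):
        blockers.append(f"no common DH group: {a['dhgrp']} vs {b['dhgrp']}")
    # Lifetime differences are negotiated between the peers, not a hard blocker
    if a["lifetime"] != b["lifetime"]:
        warnings.append(f"lifetime {a['lifetime']}s vs {b['lifetime']}s (negotiated, not a blocker)")
    return {"blockers": blockers, "warnings": warnings}


def apply_fixes():
    """Options A and D from the question: fix BR1-FGT's remote selector and HQ-NGFW's encryption."""
    hq, br1 = deepcopy(HQ_NGFW), deepcopy(BR1_FGT)
    br1["remote"] = "10.0.11.0/255.255.255.0"   # A: mirror HQ-NGFW's local subnet
    hq["proposals"] = [("aes256", "sha1")]       # D: match BR1-FGT's AES256/SHA1 proposal
    return hq, br1


if __name__ == "__main__":
    print("before:", phase2_mismatches(HQ_NGFW, BR1_FGT))
    print("after: ", phase2_mismatches(*apply_fixes()))
```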
