시험덤프
매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
  / NSE4_FGT_AD-7.6 덤프  / NSE4_FGT_AD-7.6 문제 연습

Fortinet NSE4_FGT_AD-7.6 시험

Fortinet NSE 4 - FortiOS 7.6 Administrator 온라인 연습

최종 업데이트 시간: 2026년06월29일

당신은 온라인 연습 문제를 통해 Fortinet NSE4_FGT_AD-7.6 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.

시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 NSE4_FGT_AD-7.6 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 296개의 시험 문제와 답을 포함하십시오.

 / 16

Question No : 1


Refer to the exhibits.



The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration. An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2. The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to block Remote-User2 from accessing the Webserver? (Choose one answer)

정답:
Explanation:
“The example on this slide shows how FortiGate handles two incoming connections to the same external address, but on different ports... Both connections match the firewall policy ID, which references two VIPs as destination.”
“In FortiOS, VIPs and firewall address objects are completely different. They are stored separately with no overlap. Starting in version 7.2.4, the parameter match-vip is enable by default and allows the firewall address objects to match VIPs.”
“In the example shown on this slide, the destination of the first firewall policy is set to all. This means all destination addresses (0.0.0.0/0), by default, including the external addresses defined on the VIPs.”
Technical Deep Dive:
The correct answer is C. Set the Destination address as Webserver in the Deny policy.
FortiGate allows VIP objects to be used as destination objects in firewall policies. The study guide explicitly shows incoming connections matching firewall policies that reference VIPs as the destination. That means if the administrator wants to deny only Remote-User2 → Webserver, the clean and specific way is to set the Destination in the Deny policy to the Webserver VIP.
Why this is the best Answer
With the default deny-policy behavior, destination But that is broader than necessary. If the intent is specifically to block access only to the published Webserver, then the deny rule should explicitly reference the Webserver VIP as the destination.
Why the other options are wrong:
A is incorrect because match-vip is relevant to deny policy behavior, and the study guide notes that match-vip is available only when the firewall policy action is set to DENY. An allow policy is not where this setting applies.
B is unrelated. IP pools are for SNAT behavior, not for selectively denying inbound access to a VIP.
D is incorrect because Deny_IP is the source object representing the remote user, not the destination web server.
So the proper additional configuration is to make the deny policy specific by setting:
Source Destination Action That blocks Remote-User2 from the VIP-published web server while still allowing Remote-User1 to reach it through the lower allow policy.

Question No : 2


You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic. In which two ways can you effectively resolve the problem? (Choose two answers)

정답:
Explanation:
“IKE uses UDP port 500. If NAT-T is enabled in a NAT scenario, IKE uses UDP port 4500.”
“IKEv2 provides a simpler operation, which is the result of using a single exchange mode and requiring less messages to bring up the tunnel.”
For the specific workaround asked in this question, Fortinet’s official documentation states that for an IP-level VPN, SSL VPN tunnel mode is useful to avoid issues caused by intermediate devices such as “ESP packets being blocked,” “UDP ports 500 or 4500 being blocked,” and “fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation.” (Fortinet Document Library)
Fortinet’s official documentation also states: “The ip-fragmentation command controls packet fragmentation before IPsec encapsulation, which can benefit packet loss in some environments.” (Fortinet Document Library)
Technical Deep Dive:
The correct answers are A and B.
A is correct because SSL VPN tunnel mode can bypass the classic IPsec transport problems caused by intermediate devices filtering ESP or blocking UDP 500/4500. Fortinet explicitly documents this as a practical workaround. (Fortinet Document Library)
B is correct because enabling fragmentation helps when IKE negotiation uses large certificates and fragments are being dropped in transit. Fortinet documents this exact failure scenario and the related fragmentation control. (Fortinet Document Library)
Why the others are not correct:
C is not the key fix. Hub-and-spoke is a topology choice, not the actual mechanism that solves blocked ESP or UDP 500/4500.
D is not sufficient for this problem. IKEv2 uses fewer messages, but it still relies on IPsec/IKE transport and does not itself solve intermediate devices blocking ESP or UDP 500/4500. The source PDF mentions simpler operation, not blocked-port avoidance.
So, the two effective fixes are:
Use SSL VPN tunnel mode
Enable fragmentation

Question No : 3


Which two statements about the Security Fabric rating are true? (Choose two answers)

정답:
Explanation:
“The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric.” (Fortinet Document Library)
“On the root FortiGate, go to Security Fabric > Security Rating.” (Fortinet Document Library)
“The Info and Compliance tab includes the security controls used for the test and links to specific FSBP, PCI, or CIS compliance policies.” (Fortinet Document Library)
“A new Security Rating Insights feature provides immediate access to crucial security information. Hover over any tested object to reveal a tooltip...” and “Objects, such as firewall policies, with security rating recommendations are highlighted... click Security Rating Insights to display relevant issues.” (Fortinet Document Library)
Technical Deep Dive:
The correct answers are B and C.
B is correct because Security Rating is viewed from the root FortiGate and its scorecards provide an executive summary for the Security Fabric, not just an isolated downstream unit. The root device is the point from which the Security Fabric summary is presented. (Fortinet Document Library)
C is correct because the Security Rating results include an Info and Compliance view with references to PCI compliance policies. That means PCI-related compliance results are part of the Security Rating reporting associated with the security categories, including Security Posture. (Fortinet Document Library)
Why the others are incorrect:
A is incorrect because Fortinet documents state there is a base set of free checks and a separate licensed set of checks. A license is not required just to obtain the executive summary view itself.
(Fortinet Document Library)
D is incorrect because Security Rating Insights are not limited to the Security Rating page. Fortinet documents show they also appear as tooltips and buttons on other GUI objects and pages. (Fortinet Document Library)

Question No : 4


Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)

정답:
Explanation:
“Authentication-wise, both versions support PSK and certificate signature. Although only IKEv1 supports XAuth...”
“Now, you will learn about the Authentication section in phase 1 configuration:
• Method: FortiGate supports two authentication methods: Pre-shared Key and Signature. When you select Pre-shared Key, you must configure both peers with the same pre-shared key. When you select Signature, phase 1 authentication is based on digital certificate signatures.”
“The purpose of phase 1 is to authenticate peers and set up a secure channel... To authenticate each other, the peers use two methods: pre-shared key or digital signature. You can also enable an additional authentication method, XAuth, to enhance authentication.”
“A common use of the IPsec wizard is for configuring a remote access VPN for FortiClient users. The wizard enables IKE mode config, XAuth, and other appropriate settings for FortiClient users.”
Technical Deep Dive:
The correct answers are C and D.
D is correct because FortiGate supports the two primary IKEv1 authentication methods: pre-shared key and certificate signature. That is explicitly stated in the study guide.
C is also correct because FortiGate supports XAuth with IKEv1 as an additional authentication mechanism. In practice, XAuth is used to request extra user credentials such as a username and password, especially in remote-access VPN deployments such as FortiClient.
Why the other options are incorrect:
A is incorrect because when using Signature, certificate-based authentication is in use. The study guide states that digital signature validation depends on the relevant certificates and CA trust chain being present. It is not a certificate-free method.
B is incorrect because “fewer packets are exchanged” is a characteristic of aggressive mode, not XAuth. XAuth enhances authentication; it is not the feature that makes IKE negotiation faster.
So the two supported IKEv1 authentication features are:
Extended authentication (XAuth) to request the remote peer to provide a username and password Pre-shared key and certificate signature as authentication methods

Question No : 5


A network administrator is configuring an IPsec VPN tunnel for a sales employee travelling abroad.
Which VPN Wizard template must the administrator apply?

정답:
Explanation:
Exact Extract:
“If you want the wizard to configure the VPN for you, then select the template type Site to Site, Hub-and-Spoke, or Remote Access that best matches your VPN.”
“Use remote access VPNs when remote internet users need to securely connect to the office to access corporate resources. The remote user connects to a VPN server located on the corporate premises, such as FortiGate, to establish a secure tunnel.”
“A common use of the IPsec wizard is for configuring a remote access VPN for FortiClient users.”
Technical Deep Dive:
The correct answer is A. Remote Access.
A sales employee travelling abroad is a remote user, not another branch office or headquarters firewall. That means the tunnel type is a remote access VPN, where the user connects from an internet location back to the corporate FortiGate. In this design, the remote client typically uses FortiClient, and FortiGate acts as the VPN server.
Why the other options are incorrect:
Hub-and-Spoke is for multi-site branch connectivity through a central hub.
Site-to-Site is for connecting two fixed networks, such as branch office to headquarters.
Dial-up User describes the remote-user behavior conceptually, but it is not the IPsec Wizard template choice shown in the study guide. The wizard template to select is Remote Access.
So for a travelling sales employee, the administrator must choose the Remote Access VPN Wizard template.

Question No : 6


Refer to the exhibit.



A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)

정답:
Explanation:
Exact Extract:
“In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.”
“When both peers know each other's IP address or FQDN, you may want to use main mode to take advantage of its more secure negotiation. In this case, FortiGate can identify the remote peer by its IP address and, as a result, associate it with the correct IPsec tunnel.”
“FortiGate supports three DPD modes... The default DPD mode is On Demand.”
“Diffie-Hellman (DH) ... is used during IKE SA negotiation. The use of DH in phase 1 is mandatory and can’t be disabled. You must select at least one DH group.”
Technical Deep Dive:
The correct answers are B and C.
B is correct because phase 1 fails when IKE mode settings do not match between peers. The study guide explicitly says phase 1 settings on both ends must agree. Since this is a static site-to-site tunnel and both peers know each other’s IP addresses, Main (ID protection) is the appropriate mode.
C is correct based on the exhibit: BR1-FGT appears bound to the wrong physical interface.
The screenshot shows Interface.
Why the others are not the fix:
A is not correct because DH is mandatory in phase 1. The issue is not “disable DH group 2” by itself; the real requirement is that the peers negotiate a compatible proposal. The option as written is not the proper corrective action from the guide.
D is not correct because DPD does not determine whether phase 1 can initially establish. It is a tunnel health/failure-detection feature after negotiation behavior, and On Demand is already the default mode.

Question No : 7


An administrator has configured the following settings.
config system settings
set ses-denied-traffic enable
end
config system global
set block-session-timer 30
end
What are the two results of this configuration? (Choose two.)

정답:
Explanation:
“To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets for that session are also denied. This ensures that FortiGate does not have to perform a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.”
“The CLI command is ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-session-timer in the CLI. By default, it is set to 30 seconds.”
Technical Deep Dive:
The correct answers are A and B.
When set ses-denied-traffic enable is configured, FortiGate creates a session-table entry for denied traffic. That means once traffic is denied, subsequent packets that belong to the same denied flow do not need a full policy lookup again. FortiGate can drop them immediately based on the existing denied-session entry. That directly confirms B.
Because FortiGate no longer re-evaluates every repeated denied packet in the same way, the device generates fewer logs and uses less CPU for repeated denied traffic. That is exactly why A is also
correct.
Why the other two are wrong:
C is incorrect because block-session-timer 30 means 30 seconds, not 30 minutes. The denied session entry is kept in the session table for that duration.
D is incorrect because these settings do not disable session helpers. They only control how denied traffic is tracked in the session table.
In operational terms, this feature is useful when a host repeatedly retries traffic that FortiGate is already denying. Instead of doing a fresh lookup for every retry, FortiGate caches the denied decision temporarily and drops the repeated packets faster.

Question No : 8


Refer to the exhibit.



Why did the FortiGate device drop the packet?

정답:
Explanation:
“FortiGate looks for the matching firewall policy from top-to-bottom and, if a match is found, the traffic is processed based on the firewall policy. If no match is found, the traffic is dropped by the default implicit deny firewall policy.”
Technical Deep Dive:
The debug flow output clearly points to the implicit deny:
ret-no-match
policy-0 is matched, act-drop
Denied by forward policy check (policy 0)
On FortiGate, policy 0 is the internal representation of the default implicit deny firewall policy. That means the packet did not match any user-defined forward firewall policy, so FortiGate dropped it automatically.
Why the other options are wrong:
B is wrong because an RPF failure would show a reverse-path-related drop reason, not Denied by forward policy check (policy 0).
C is wrong because the trace does not show a matched explicit policy ID with deny action; it shows policy 0, which is the implicit rule.
D is wrong because the trace actually shows a route lookup result: find a route: ... gw-0.0.0.0 via port2. So this is not a next-hop reachability failure.
In packet-flow troubleshooting, this pattern is one of the most important to recognize.
If you see policy 0 in FortiGate debug flow, the first things to verify are:
diagnose debug flow filter addr <src_or_dst_ip>
diagnose debug flow show function-name enable
diagnose debug enable
Then review whether a firewall policy exists with the correct incoming interface, outgoing interface, source, destination, schedule, and service. If any one of those does not match, FortiGate falls through to policy 0 and drops the session.

Question No : 9


Refer to the exhibit.



What can you conclude from the log shown in the exhibit?

정답:
Explanation:
“You can configure the fail-open setting under config ips global to control how the IPS engine behaves when the IPS socket buffer is full.”
“If the IPS engine does not have enough memory to build more sessions, the fail-open setting determines whether the FortiGate should drop the sessions or bypass the sessions without inspection.”
“It is important to understand that the IPS fail-open setting is not just for conserve mode―it kicks in whenever IPS fails. Most failures are due to a high CPU issue or a high memory (conserve mode) issue.”
Technical Deep Dive:
The correct answer is A.
The log text says:
logdesc="IPS session scan paused"
action="drop"
msg="IPS session scan, enter fail open mode"
That combination indicates an IPS failure condition, specifically the condition described in the guide where the IPS socket buffer is full and the IPS engine lacks enough memory/resources to build additional sessions. In that state, FortiGate applies the configured IPS fail-open behavior. Since the log shows action="drop", the device is not bypassing those new sessions; it is dropping them.
Why the other choices are wrong:
B is wrong because the guide ties fail-open to socket buffer/resource exhaustion, not packet decode failure.
C is wrong because this is not evidence of a manual diagnostic pause.
D is wrong because the study guide does not associate this log with dirty-flag packet reevaluation.
Operationally, this usually points to high memory, high CPU, or conserve-mode pressure affecting the
IPS engine. Useful checks are:
get system performance status
diagnose hardware sysinfo conserve
diagnose sys top
Those help confirm whether the IPS issue is being driven by memory pressure or CPU exhaustion.

Question No : 10


Refer to the exhibits.



The exhibits show the system performance output and default configuration of high memory usage thresholds on a FortiGate device.
Based on the system performance output, what are the two possible outcomes? (Choose two.)

정답:
Explanation:
“Three different configurable thresholds define when FortiGate enters and exits conserve mode. If memory usage goes above the percentage of total RAM defined as the red threshold, FortiGate enters conserve mode.”
“If memory usage keeps increasing, it might exceed the extreme threshold. While memory usage is above this highest threshold, all new sessions are dropped.”
“What actions does FortiGate take to preserve memory while in conserve mode?
• FortiGate does not accept configuration changes, because they might increase memory usage.”
“However, if the memory usage exceeds the extreme threshold, new sessions are always dropped, regardless of the FortiGate configuration.”
Technical Deep Dive:
The system performance output shows Memory: 2042076k total, 1837868k used (90%). The configured thresholds shown are:
green = 82
red = 88
extreme = 89
Because memory usage is 90%, it is:
Above the red threshold (88%) → so FortiGate has entered conserve mode
Above the extreme threshold (89%) → so all new sessions are dropped
That makes A and D correct.
Why the others are wrong:
B is not stated anywhere in the study guide as an automatic outcome of conserve mode.
C is the opposite of what the guide says. In conserve mode, FortiGate does not accept configuration changes.
A useful verification command is:
diagnose hardware sysinfo conserve
Operationally, once a FortiGate crosses the red threshold, it starts protecting itself by limiting behavior that could increase memory usage. Once it crosses the extreme threshold, it becomes more severe and drops new sessions to keep the system from becoming unstable.

Question No : 11


Refer to the exhibit.



FortiGate has two separate firewall policies for Sales and Engineering to access the same web server with the same security profiles.
Which action must the administrator perform to consolidate the two policies into one?

정답:
Explanation:
“By default, you can select only a single interface as the incoming interface and a single interface as
the outgoing interface. This is because the option to select multiple interfaces, or any interface in a firewall policy, is disabled on the GUI. However, you can enable the Multiple Interface Policies option on the Feature Visibility page to disable the single interface restriction.”
“You can also specify multiple interfaces, or use the any option, if you configure a firewall policy on the CLI, regardless of the default GUI setting.”
Technical Deep Dive:
The correct answer is D.
The policies are identical except for the incoming interface: one is for Sales and one is for Engineering. FortiGate GUI policy creation normally restricts you to one incoming interface per policy. To consolidate both into a single GUI policy, the administrator must enable Multiple Interface Policies so both port1 and port2 can be selected in the same rule.
Why the others are wrong:
A is not enough, because policy matching also includes the incoming interface, not just the source subnets.
B changes the network design and is unnecessary.
C would work too broadly by matching traffic from any interface, which is not the intended controlled consolidation.
A matching CLI-style concept would be: config firewall policy
edit <id>
set srcintf "port1" "port2"
set dstintf "<server-interface>"
set srcaddr "Sales_Subnet" "Engineering_Subnet" set dstaddr "<web-server>"
set service "HTTP" "HTTPS" set action accept
next end
That preserves a single policy while still being specific about which interfaces are allowed.

Question No : 12


You have configured an application control profile, set peer-o-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, you peer-to-peer traffic on known ports is passing through the FortiGate without being blocked.
What FortiGate settings should you check to resolve this issue?

정답:
Explanation:
“After the IPS engine examines the traffic stream for a signature match, FortiGate scans packets for matches, in this order, for the application control profile:

Question No : 13


Refer to the exhibit.



An intrusion prevention system (IPS) profile signature setting is shown.
What can you conclude about the signature when adding the FTP.Login.Failed signature to the IPS Sensor profile?

정답:
Explanation:
“When you create a new entry to add signatures or filters, you can select the action by clicking Action.”
“When you enable Packet logging, FortiGate stores a local copy of the packet that matches the signature. This enhances the view of erroneous or suspicious packets.”
“You can configure IP exemptions on individual signatures only.”
Technical Deep Dive:
The correct answer is C.
The exhibit shows an IPS entry being added with:
Type = Signature
Action = Block
Packet logging = Enable
Rate-based settings = Default
The most certain conclusion from that configuration is that packet logging is enabled, and the study guide explicitly states that this causes FortiGate to store a local copy of the matching packet.
Why the others are wrong:
A is wrong because the exhibit shows Rate-based settings = Default, not a custom threshold.
B is wrong because the configured action is Block, not allow/monitor.
D is wrong because the entry type is Signature, meaning an individual signature is being added, not a signature group.
A useful operational note: packet logging is powerful for IPS investigation and false-positive analysis, but it consumes more storage and processing resources. It should be enabled selectively on signatures where deeper forensic visibility is needed.

Question No : 14


An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings.
What is true about the DNS connection to a FortiGuard server?

정답:
Explanation:
“When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers have been added as primary and secondary servers.”
Technical Deep Dive:
The correct answer is
C. It uses DNS over TLS.
This is a direct default-behavior question. If you configure FortiGuard servers as DNS servers and do not change anything else, FortiGate uses DoT rather than plain DNS. That means the DNS session is encrypted, which protects DNS queries from simple interception or tampering on the path.
Why the other options are wrong:
A is standard clear-text DNS behavior, not the FortiGuard DNS default stated in the guide.
B is incorrect because the guide specifically says DNS over TLS, not DNS over HTTPS.
D is incorrect; the guide does not describe UDP 8888 as the default transport for this DNS use case.
Operationally, this matters because FortiGate relies on DNS not only for client-facing services, but also for resolving objects and securely reaching cloud-based services. Using DoT improves confidentiality for those DNS lookups.

Question No : 15


Refer to the exhibit.



An administrator has created a new firewall address to use as the destination for a static route.
Why is the administrator not able to select the new address in the Destination field of the new static route? (Choose one answer)

정답:
Explanation:
“If you create a firewall address object with the type Subnet or FQDN, you can use that firewall address as the destination of one or more static routes. First, enable Routing configuration in the firewall address configuration. After you enable it, the firewall address object becomes available for use in the Destination drop-down list for static routes with named addresses.”
Technical Deep Dive:
The correct answer is
D. The exhibit shows an FQDN address object (www.fortinet.com), but Routing configuration is disabled. FortiGate does not make that object available as a selectable destination for named static routes until this option is enabled.
Why the others are wrong:
A is incomplete. Even if the static route uses Named Address, the object still will not appear unless Routing configuration is enabled on the address object.
B is not the first requirement from the study guide. DNS resolution matters operationally for FQDN objects, but the documented reason it does not appear in the drop-down is the missing Routing configuration setting.
C is unrelated. The interface does not have to be set to port2 first just to make the address object selectable.
In practice, the fix is:
config firewall address
edit "Fortinet"
set type fqdn
set fqdn "www.fortinet.com"
set allow-routing enable
next
end
After that, the object becomes available in the static route Destination field when using a named address.

 / 16
Fortinet