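Fortinet NSE 4 - FortiOS 7.6 Administrator Online Practice
Last updated: April 21, 2026
Through the online practice questions, you can gauge how well you know the Fortinet NSE4_FGT_AD-7.6 exam material and then decide whether to register for the exam.
If you want to pass the exam 100% and save 35% of your exam preparation time, choose the NSE4_FGT_AD-7.6 dumps (latest real exam questions), which currently include the latest 296 exam questions and answers.

Answer: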
Explanation:
From the exhibits:
System performance output
Memory used: 90%
Free memory: ~5%
Default memory thresholds (FortiOS 7.6)
memory-use-threshold-green 82%
memory-use-threshold-red 88%
memory-use-threshold-extreme 89%
Because memory usage (90%) exceeds the extreme threshold (89%), the FortiGate enters conserve mode.
Effects of conserve mode (FortiOS 7.6 - verified)
B. FortiGate has entered conserve mode.
Correct
When memory usage exceeds the red/extreme threshold, FortiGate automatically enters conserve mode.
This is exactly the condition shown in the system performance output.
D. Administrators can change the configuration.
Correct
Even in conserve mode:
Administrators can still log in (GUI, SSH, console)
Configuration changes are allowed
FortiGate does not lock configuration access during conserve mode.
This behavior is explicitly documented in the FortiOS 7.6 Conserve Mode section.
Why the other options are incorrect
A. Administrators can access FortiGate only through the console port.
Incorrect
Network access (GUI/SSH) is still available in conserve mode unless otherwise restricted.
Console-only access is not a conserve-mode requirement.
C. FortiGate drops new sessions.
Incorrect (as a general statement)
FortiGate may drop or bypass new inspection-required sessions depending on fail-open/fail-close settings.
It does not universally drop all new sessions, so this statement is not always true.

Answer:
Explanation:
In FortiOS 7.6 Application Control, security logs are generated primarily for actions such as Block or Monitor, not for Allow actions.
What is happening in the exhibit
An Application Override is configured for ABC.Com
Type: Application
Action: Allow
The application control profile is applied to a firewall policy
Logging is enabled on the firewall policy
Traffic to ABC.Com is successfully allowed
However, no security logs appear for ABC.Com.
Why no logs are generated
In FortiOS 7.6:
Application Control logs are written to Security Logs when:
An application is Blocked
An application is Monitored
When an application action is set to Allow:
The traffic is permitted silently
No application control security log is generated
Even if policy logging is enabled
This is expected and documented behavior.
To generate logs for allowed applications, the action must be set to Monitor, not Allow.
Why the other options are incorrect
A. ABC.Com is hitting the category Excessive-Bandwidth
Incorrect. ABC.Com has a higher-priority explicit override (priority 1), so it is not evaluated against the Excessive-Bandwidth filter.
B. The ABC.Com Type is set as Application instead of Filter
Incorrect. Application-type overrides are valid and commonly used; this does not suppress logging.
C. The ABC.Com must be configured as a web filter profile
Incorrect. This traffic is being evaluated by Application Control, not Web Filter.

Answer:
Explanation:
In the FortiGate Cloud-Native Firewall (CNF) for AWS architecture, traffic from workloads (such as an EC2 instance) in the customer VPC is redirected to the security service (FortiGate CNF) using AWS Gateway Load Balancer (GWLB) technology.
The key AWS component that must exist inside the customer VPC to steer workload traffic to the GWLB is the:
Gateway Load Balancer Endpoint (GWLBe)
This endpoint is what the customer VPC routes point to (for example, default route or subnet route entries), enabling transparent insertion of the FortiGate CNF inspection path for EC2 traffic.
Why the other options are not correct:
A: CNF does not “create the customer VPC” (that is customer-owned), and “GWLBe” is the only relevant created item here, not the whole VPC.
C: Customer VPC is not created by CNF, and GWLB is typically part of the CNF service side; the question specifically asks what must be created to handle traffic from the EC2 instance (that requires GWLBe in the customer VPC).
D: CNF does not create the Internet Gateway (IGW) in the customer VPC, and IGW is not the required CNF-created component for steering traffic to FortiGate CNF.



Answer:
Explanation:
From the HA configuration shown for HQ-NGFW-1:
set memory-based-failover enable
set memory-failover-threshold 70
set memory-failover-monitor-period 50
set memory-failover-sample-rate 10
set memory-failover-flip-timeout 60
set override disable
set priority 200
From the performance status outputs:
HQ-NGFW-1 memory used is 90% (well above the configured threshold of 70%)
HQ-NGFW-2 memory used is about 48.7% (well below the threshold)
What happens in FortiOS 7.6 with memory-based failover
When memory-based failover is enabled, FortiGate monitors memory utilization. If the unit’s memory usage stays above the configured memory-failover-threshold for the configured memory-failover-monitor-period, the cluster triggers a failover away from the unit under memory pressure.
Threshold = 70%
HQ-NGFW-1 is at 90%, so it violates the threshold.
Monitor period = 50 seconds.
The administrator observed for 55 seconds, which is longer than 50 seconds, so the condition is met for long enough to trigger failover.
The memory-failover-flip-timeout 60 is used to prevent rapid back-and-forth role changes (flapping) after a failover decision; it does not prevent the initial failover from occurring once the threshold breach persists for the monitor period.
Answer:
Explanation:
NetAPI: Polls temporary sessions created on the DC when a user logs on or logs off and calls the NetSessionEnum function on Windows. It’s faster than the WinSec and WMI methods; however, it can miss some logon events if a DC is under heavy system load. This is because sessions can be quickly created and purged from RAM, before the agent has a chance to poll and notify FG.
Answer:
Answer:
Explanation:
In FortiOS 7.6, firewall policies can be displayed in multiple views to help administrators understand and manage rules more effectively. The difference in ordering between Interface Pair View and By Sequence View is intentional and documented.
Why the policy order is different
Interface Pair View
Groups firewall policies based on the incoming (From) and outgoing (To) interfaces.
Policies are organized under interface pairs such as:
LAN → WAN
WAN → LAN
Within each interface pair, policies may appear reordered compared to the global list.
This view is designed for readability and troubleshooting, not to show execution order.
By Sequence View
Displays firewall policies in their actual evaluation (processing) order.
This is the top-down order FortiGate uses when matching traffic.
It reflects the real rule sequence that determines which policy is hit first.
Why option C is correct
C. Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
This statement exactly matches FortiOS behavior as documented in the FortiOS 7.6 Firewall Policy Views section of the Administrator Guide.
Why the other options are incorrect
A: Interface Pair View does not follow traffic logs, and By Sequence View is not based on “rule priority” grouping.
B: FortiGate does not dynamically reorder policies based on traffic patterns.
D: Security levels do not affect policy ordering in Interface Pair View.
Answer:
Explanation:
From the exhibits:
A VIP named VIP-WEB-SERVER is configured on WAN (port2) with:
External IP: 100.65.0.200
Mapped (internal) IP: 10.0.11.50
Port forwarding enabled (TCP)
External service port: 443
Map to IPv4 port: 4443
The inbound firewall policy Web_Server_Access is:
From WAN (port2) to LAN (port4)
Destination: VIP-WEB-SERVER
Service: HTTPS
NAT: Disabled (meaning no source NAT is applied)
What happens to the packet
A host 100.65.1.111 sends TCP SYN dst-port 443 to 100.65.0.200.
When FortiGate matches the VIP and forwards traffic to the internal server, FortiGate performs destination NAT (DNAT) based on the VIP:
Source IP is unchanged because policy NAT is disabled:
Source remains 100.65.1.111
Destination IP is translated by the VIP:
Destination becomes 10.0.11.50
Destination port is translated by the VIP port-forward:
Destination port becomes 4443
Therefore, at the time FortiGate forwards the packet to the destination (internal server), it will be:
Source address: 100.65.1.111
Destination address: 10.0.11.50
Destination port: 4443

Answer:
Explanation:
In FortiOS 7.6, SD-WAN steering decisions are recorded in traffic logs only when traffic matches an explicit SD-WAN rule (SD-WAN service rule). When no configured SD-WAN rule matches a session, FortiGate uses the implicit (default) SD-WAN rule/behavior to select a member (often resulting in load-balancing or default selection based on the configured SD-WAN algorithm).
In the exhibit, traffic is permitted by firewall policy ID 1, and the Destination Interface alternates between port1 and port2, but SD-WAN Rule Name remains empty. This is consistent with the sessions being forwarded by the implicit SD-WAN rule, which does not populate a named rule in the log columns.
Why the other options are not correct:
A: SD-WAN rule name logging is not a “delayed display” behavior requiring refresh; it is populated per-session when an explicit rule matches.
B: Application Control is not required for SD-WAN rule name to appear. Rule name logging depends on SD-WAN rule match, not on whether Application Control is enabled.
C: Feature visibility affects GUI display options, but the exhibit already shows the SD-WAN columns enabled; the issue is that no explicit SD-WAN rule is being hit.

Answer:
Explanation:
The exhibit shows a FortiGate UTM application control log with fields such as:
type="utm"
subtype="app-ctrl"
action="block"
policyid=1
appid=30220
appcat="Video/Audio"
service="HTTP"
apprisk="elevated"
This is a forward traffic security log, generated by Application Control applied to a firewall policy.
Why the correct answers are C and D
C. By filtering by policy universally unique identifier (UUID) and application name in the log entry
Correct.
FortiOS logs can be viewed and filtered in:
Log & Report → Forward Traffic
Administrators can filter logs using fields such as:
Policy ID / Policy UUID
Application name (app)
Application ID (appid)
The log entry clearly includes application-related fields, making filtering by policy and application a valid and documented way to view these logs.
D. In the Forward Traffic section
Correct.
The log is a UTM Application Control log for traffic passing through a firewall policy.
Such logs are displayed under:
Log & Report → Forward Traffic
This is the standard and correct location to view application control, web filter, IPS, and other security profile logs related to user traffic.
Why the other options are incorrect
A. By right clicking the implicit deny policy
Incorrect.
Implicit deny policies do not generate UTM forward traffic logs like the one shown.
Application control logs are generated only by explicit firewall policies with security profiles enabled.
B. Using the FortiGate CLI command diagnose log test
Incorrect.
diagnose log test is used to test log connectivity and log settings, not to view historical log entries.
It does not display traffic or UTM logs.

Answer:
Explanation:
The exhibit shows the output of the following command:
diagnose test application ipsmonitor 1
pid = 2044, engine count = 0 (+1)
0 - pid:2074:2074 cfg:1 master:0 run:1
How to interpret this output (FortiOS 7.6 - IPS internals)
ipsmonitor displays the status of IPS engines running on the FortiGate.
engine count = 0 means:
No IPS scanning engines are currently active
IPS is not processing any traffic
In FortiOS, IPS engines are started on demand.
Critical documented behavior
IPS processes are only spawned when at least one firewall policy is configured with an IPS profile and traffic matches that policy.
If no firewall policy references an IPS profile, the IPS engine:
Does not start
Shows engine count = 0
Appears “not working,” even though the IPS profile exists
This is exactly what the diagnose output indicates.
Why option A is correct
A. There is no firewall policy configured with an IPS security profile.
Creating an IPS profile alone is not sufficient
IPS must be applied to an active firewall policy
Traffic must match that policy for the IPS engine to run
Otherwise, ipsmonitor will show engine count = 0
This matches FortiOS 7.6 IPS operational behavior.
Why the other options are incorrect
B. Administrator entered the command diagnose test application ipsmonitor 5.
Incorrect.
The exhibit clearly shows ipsmonitor 1
Using a different argument would not explain engine count = 0
C. FortiGate entered into IPS fail open state.
Incorrect.
In fail-open, IPS engines may be bypassed, but they still initialize
engine count = 0 specifically indicates IPS is not in use at all
D. Administrator entered the command diagnose test application ipsmonitor 99.
Incorrect.
The command argument affects debug level, not engine creation
Again, the exhibit shows ipsmonitor 1
Answer:
Explanation:
According to the FortiOS 7.6 Administration Guide and Fortinet hardware acceleration (NTurbo) documentation, the correct answer is A.
What NTurbo Is (FortiOS 7.6 - Verified)
NTurbo is a hardware-based acceleration feature available on specific FortiGate models. It is designed to improve antivirus and IPS performance when operating in flow-based inspection mode.
NTurbo works by creating a fast, optimized data path between:
FortiGate ingress interface
IPS/AV engine
FortiGate egress interface
This minimizes CPU involvement and reduces packet traversal overhead.
Why Option A Is Correct
A. For flow-based inspection, NTurbo establishes a dedicated data path to redirect traffic between the IPS engine and FortiGate ingress and egress interfaces.
This is exactly how NTurbo works, as documented:
NTurbo applies to flow-based inspection only
It accelerates IPS and antivirus scanning
It creates a dedicated fast path that bypasses unnecessary processing steps
This significantly improves throughput and lowers latency
This description matches Fortinet’s official explanation of NTurbo.
Why the Other Options Are Incorrect
B. NTurbo creates two inspection sessions
Incorrect. NTurbo does not duplicate sessions; it optimizes the packet path.
C. NTurbo offloads traffic to the content processor (proxy-based)
Incorrect. NTurbo does not apply to proxy-based inspection and does not offload to content processors.
D. NTurbo buffers the whole file and then sends it to the antivirus engine
Incorrect. Buffering entire files is a proxy-based behavior, not NTurbo.
Answer:
Explanation:
From the exhibits, there are three relevant firewall policies from LAN (port4) to WAN (port2), each using a different IP pool for source NAT:
TCP traffic
Service: ALL_TCP
Destination: BR1-FGT
IP Pool: SNAT-Pool → 100.65.0.49
PING traffic
Service: PING
Destination: all
IP Pool: SNAT-Remote1 → 100.65.0.99
IGMP traffic
Service: IGMP
Destination: all
IP Pool: SNAT-Remote → 100.65.0.149
The user on HQ-PC-1 (10.0.11.50) is pinging BR1-FGT (100.65.1.111). In FortiOS, policy matching is based on (among other fields) source, destination, and service, and the first matching policy in top-down order is applied.
Because the traffic is ICMP echo (ping), it matches the policy named PING traffic (service PING, destination all). That policy explicitly uses Use Dynamic IP Pool with SNAT-Remote1, which is configured with external IP 100.65.0.99.
Therefore, the source NAT IP used for this ping is 100.65.0.99.
Answer:
Explanation:
According to the FortiOS 7.6 Administration Guide, the firewall policy ID is a unique numerical identifier assigned to each policy for internal database tracking and management purposes. It is important to distinguish the policy ID from the policy sequence. While the FortiGate processes traffic based on a top-down approach (the sequence), the policy ID itself does not determine the order of execution (Statement A is incorrect).
In FortiOS, once a policy is committed to the configuration, the policy ID cannot be modified (Statement B). If an administrator needs to change a policy ID, they must either delete and recreate the policy or use the clone command in the CLI to copy the settings to a new ID.
Furthermore, the CLI provides a specific shortcut for policy creation: you can create a policy with ID 0 (Statement C). When the command edit 0 is used within the config firewall policy context, the FortiOS kernel automatically assigns the next available integer as the policy ID. This is a standard practice for efficient configuration via the command line. Statement D is incorrect because, while every policy must have an ID, the GUI automatically generates this value without requiring the user to manually provide or even see it during the initial creation process.

Answer:
Explanation:
Based on the exhibit and FortiOS 7.6 Active Authentication (captive portal) behavior, the most likely reason the user is not presented with a login prompt is that DNS is missing from the firewall policy.
What the exhibit shows
The firewall policy configured for active authentication includes:
Source: HQ_SUBNET and Remote-users
Destination: all
Services:
HTTP
HTTPS
ALL_ICMP
Security Profiles: Web filter and SSL inspection enabled
Authentication: Active (user group referenced)
DNS is not included as a service in the policy.
Why DNS is required for active authentication
In FortiOS 7.6, active authentication (captive portal) works as follows:
The user attempts to access a website using a URL (for example, www.example.com).
The client must first perform a DNS lookup to resolve the domain name.
FortiGate intercepts the initial HTTP/HTTPS request and redirects the user to the authentication portal.
If DNS traffic is blocked or not allowed:
The hostname cannot be resolved.
The HTTP/HTTPS request never properly occurs.
FortiGate has nothing to intercept, so the login prompt is never triggered.
This is explicitly documented in the FortiOS 7.6 Authentication and Captive Portal requirements, which state that DNS must be permitted for captive portal-based authentication to function correctly.
Why the other options are incorrect
A. No matching user account exists for this user
Incorrect.
If the user account did not exist, the login page would still appear, but authentication would fail after credentials are entered.
B. The Remote-users group must be set up correctly in the FSSO configuration
Incorrect.
This policy is using active authentication, not FSSO.
FSSO configuration is irrelevant for active authentication login prompts.
C. The Remote-users group is not added to the Destination
Incorrect.
User groups are applied in the Source field for authentication-based policies. Destination does not accept user groups.