Text preview & study summary
Fortinet NSE4 - FortiGate Security Network Security Professional - Policies NAT VPN UTM HA SD-WAN
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A FortiGate administrator needs to implement Source NAT (IP masquerading) so that all traffic from the 10.0.0.0/8 internal network appears to originate from the WAN interface IP address when accessing the internet. How is this configured in FortiOS?
Explanation
FortiOS integrates Source NAT directly into firewall policies. In an outbound firewall policy (from internal interface to WAN interface), enabling the "NAT" checkbox within the policy enables Source NAT (PAT/masquerade). By default, with "NAT" enabled and "Use Outgoing Interface Address" selected, all traffic from the internal network uses the WAN interface IP as the source address. Optionally, an IP Pool (with type "Overload" for PAT, or "One-to-One" for 1:1 mapping, or "Fixed Port Range") can be referenced instead of the interface IP. VIPs (Virtual IPs) are used for Destination NAT (port forwarding), not Source NAT. FortiOS doesn't have a separate NAT policy table — NAT is integrated into firewall policies.
Question 2
A FortiGate administrator is troubleshooting a connectivity issue. A user reports they cannot access a specific website. The administrator wants to trace the packet through the FortiGate to see what policy matches and what action is taken. Which FortiOS diagnostic command is most useful?
Explanation
FortiOS Packet Flow Debugging provides real-time tracing of how specific packets are processed through the firewall engine. The commands: (1) `diagnose debug reset` (reset debug settings), (2) `diagnose debug flow filter addr <source_ip>` (filter to specific source IP), (3) `diagnose debug flow show iprope enable` (show policy lookup details), (4) `diagnose debug flow show console enable` (output to console), (5) `diagnose debug flow trace start 100` (capture 100 packets), (6) `diagnose debug enable` (start debugging). Output shows: packet reception, policy lookup result (which policy matched), NAT translation, and forwarding or drop decision. This is the FortiGate equivalent of PAN-OS Policy Test and provides definitive answers to policy matching questions. Always disable debug after troubleshooting with `diagnose debug disable`.
Question 3
A FortiGate administrator needs to configure two-factor authentication (2FA) for SSL VPN users. The organization already has a FortiToken Cloud subscription. How is this configured?
Explanation
FortiOS supports FortiToken (hardware tokens) and FortiToken Mobile (software tokens) for 2FA natively. Configuration with FortiToken Cloud: (1) Activate FortiToken Cloud licenses in FortiGate (ensures FortiGate communicates with FortiToken Cloud service), (2) Create or edit user accounts in User & Authentication > User Definition, (3) Enable "Two-factor Authentication" for each user requiring 2FA, select FortiToken Cloud as the token type, (4) Configure the SSL VPN portal to use the user group requiring 2FA. When SSL VPN users log in, they enter their password and then receive a FortiToken push notification or OTP. FortiGate handles the 2FA validation natively without RADIUS proxy. For non-FortiToken 2FA (like Google Authenticator), RADIUS with 2FA PAP or EAP is used.
Question 4
An administrator configures FortiGate in an Active-Active HA cluster. How does traffic load balancing work in Active-Active HA, and what is required for this configuration?
Explanation
FortiGate Active-Active HA distributes traffic across all cluster members for increased throughput. Operation: (1) The primary unit receives incoming traffic and uses the HA load balancing algorithm to decide whether to process sessions locally or forward them to secondary units. (2) Secondary units process their assigned sessions and return traffic through the primary (or directly, depending on configuration). (3) Session synchronization keeps all cluster members aware of active sessions for failover. Configuration requirements: same model FortiGates, matching firmware, HA heartbeat interfaces connected. Active-Active provides both redundancy AND increased aggregate throughput (vs. Active-Passive which only provides redundancy). The load balancing algorithm can be configured for different distribution methods (round-robin, weighted, etc.).
Question 5
A security operations team wants FortiGate to automatically block IP addresses that are identified as malicious by FortiGuard threat intelligence. Which FortiGate feature provides automated threat intelligence-based IP blocking?
Explanation
FortiGuard provides multiple threat intelligence services: (1) FortiGuard IP Reputation — a continuously updated database of malicious IPs (botnet command and control, known attack sources, spam sources, etc.). Enable in the Security Fabric: Security Fabric > Fabric Connectors > Threat Feeds. Configure Threat Intelligence to automatically update and can be referenced in firewall policies, (2) Threat Intelligence integration — FortiGate can consume external threat feeds (STIX/TAXII, text files of IPs) via Fabric Connectors and automatically create dynamic address groups from them. Traffic from/to these IPs can then be blocked automatically by firewall policies referencing these dynamic address groups. IPS (Option C) detects attack patterns, not proactively blocks known-bad IPs. Web Filter (Option D) covers URLs, not IP-based threat intelligence. Manual lists (Option A) are not "automated."
