Text preview & study summary

Fortinet NSE4 - FortiGate Security Network Security Professional - Policies NAT VPN UTM HA SD-WAN

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A FortiGate administrator needs to implement Source NAT (IP masquerading) so that all traffic from the 10.0.0.0/8 internal network appears to originate from the WAN interface IP address when accessing the internet. How is this configured in FortiOS?

Answer choices

  • A. Create a VIP (Virtual IP) with NAT type "Overload"

  • B. Enable "NAT" in the outbound firewall policy (From Internal to WAN), which automatically uses the egress interface IP for source address translation (Correct)

  • C. Create a separate NAT policy rule under Policy > NAT

  • D. Configure IP Pool with type "No-NAT" and reference it in the firewall policy

Explanation

FortiOS integrates Source NAT directly into firewall policies. In an outbound firewall policy (from internal interface to WAN interface), enabling the "NAT" checkbox within the policy enables Source NAT (PAT/masquerade). By default, with "NAT" enabled and "Use Outgoing Interface Address" selected, all traffic from the internal network uses the WAN interface IP as the source address. Optionally, an IP Pool (with type "Overload" for PAT, or "One-to-One" for 1:1 mapping, or "Fixed Port Range") can be referenced instead of the interface IP. VIPs (Virtual IPs) are used for Destination NAT (port forwarding), not Source NAT. FortiOS doesn't have a separate NAT policy table — NAT is integrated into firewall policies.

Question 2

A FortiGate administrator is troubleshooting a connectivity issue. A user reports they cannot access a specific website. The administrator wants to trace the packet through the FortiGate to see what policy matches and what action is taken. Which FortiOS diagnostic command is most useful?

Answer choices

  • A. `show firewall policy all` to list all policies

  • B. `diagnose debug flow filter addr <client_ip>` followed by `diagnose debug flow show console enable` and `diagnose debug enable` — the packet flow debugging trace (Correct)

  • C. `get system session list` to see active sessions

  • D. `show security policy lookup` to check policy match

Explanation

FortiOS Packet Flow Debugging provides real-time tracing of how specific packets are processed through the firewall engine. The commands: (1) `diagnose debug reset` (reset debug settings), (2) `diagnose debug flow filter addr <source_ip>` (filter to specific source IP), (3) `diagnose debug flow show iprope enable` (show policy lookup details), (4) `diagnose debug flow show console enable` (output to console), (5) `diagnose debug flow trace start 100` (capture 100 packets), (6) `diagnose debug enable` (start debugging). Output shows: packet reception, policy lookup result (which policy matched), NAT translation, and forwarding or drop decision. This is the FortiGate equivalent of PAN-OS Policy Test and provides definitive answers to policy matching questions. Always disable debug after troubleshooting with `diagnose debug disable`.

Question 3

A FortiGate administrator needs to configure two-factor authentication (2FA) for SSL VPN users. The organization already has a FortiToken Cloud subscription. How is this configured?

Answer choices

  • A. Configure RADIUS to point to FortiToken Cloud's RADIUS endpoint

  • B. Register FortiTokens to user accounts in User & Authentication > User Definition, enable Two-factor Authentication for each user, and configure FortiToken Cloud as the 2FA method (Correct)

  • C. Install FortiToken Mobile app on users' devices and configure PIN authentication

  • D. Configure SAML authentication with FortiToken as the SAML IdP

Explanation

FortiOS supports FortiToken (hardware tokens) and FortiToken Mobile (software tokens) for 2FA natively. Configuration with FortiToken Cloud: (1) Activate FortiToken Cloud licenses in FortiGate (ensures FortiGate communicates with FortiToken Cloud service), (2) Create or edit user accounts in User & Authentication > User Definition, (3) Enable "Two-factor Authentication" for each user requiring 2FA, select FortiToken Cloud as the token type, (4) Configure the SSL VPN portal to use the user group requiring 2FA. When SSL VPN users log in, they enter their password and then receive a FortiToken push notification or OTP. FortiGate handles the 2FA validation natively without RADIUS proxy. For non-FortiToken 2FA (like Google Authenticator), RADIUS with 2FA PAP or EAP is used.

Question 4

An administrator configures FortiGate in an Active-Active HA cluster. How does traffic load balancing work in Active-Active HA, and what is required for this configuration?

Answer choices

  • A. Active-Active HA distributes sessions across all cluster members using a load balancing algorithm; the primary unit coordinates session distribution and both units process traffic simultaneously (Correct)

  • B. Active-Active HA is identical to Active-Passive; both units process traffic only when the primary fails

  • C. Active-Active HA requires an external load balancer to distribute traffic to each FortiGate

  • D. Active-Active HA is only supported on FortiGate 1000-series and above

Explanation

FortiGate Active-Active HA distributes traffic across all cluster members for increased throughput. Operation: (1) The primary unit receives incoming traffic and uses the HA load balancing algorithm to decide whether to process sessions locally or forward them to secondary units. (2) Secondary units process their assigned sessions and return traffic through the primary (or directly, depending on configuration). (3) Session synchronization keeps all cluster members aware of active sessions for failover. Configuration requirements: same model FortiGates, matching firmware, HA heartbeat interfaces connected. Active-Active provides both redundancy AND increased aggregate throughput (vs. Active-Passive which only provides redundancy). The load balancing algorithm can be configured for different distribution methods (round-robin, weighted, etc.).

Question 5

A security operations team wants FortiGate to automatically block IP addresses that are identified as malicious by FortiGuard threat intelligence. Which FortiGate feature provides automated threat intelligence-based IP blocking?

Answer choices

  • A. Configure a manual block list under Firewall > Address and update it weekly

  • B. Enable FortiGuard IP Reputation / Threat Intelligence in the Security Fabric with automatic blocking of known malicious IPs via the Threat Feed integration (Correct)

  • C. Configure IPS signatures to detect and block known malicious IP communications

  • D. Use a Web Filter category for "Malicious Websites" in the firewall policy

Explanation

FortiGuard provides multiple threat intelligence services: (1) FortiGuard IP Reputation — a continuously updated database of malicious IPs (botnet command and control, known attack sources, spam sources, etc.). Enable in the Security Fabric: Security Fabric > Fabric Connectors > Threat Feeds. Configure Threat Intelligence to automatically update and can be referenced in firewall policies, (2) Threat Intelligence integration — FortiGate can consume external threat feeds (STIX/TAXII, text files of IPs) via Fabric Connectors and automatically create dynamic address groups from them. Traffic from/to these IPs can then be blocked automatically by firewall policies referencing these dynamic address groups. IPS (Option C) detects attack patterns, not proactively blocks known-bad IPs. Web Filter (Option D) covers URLs, not IP-based threat intelligence. Manual lists (Option A) are not "automated."