Is the NSE4-FGT-AD-7-6 practice exam free?

Yes. ExamCademy offers all 84 NSE4-FGT-AD-7-6 practice questions for free with a registered account. No payment needed. Optional supporter features add AI explanations and spaced repetition study tools.

How accurate are the NSE4-FGT-AD-7-6 practice questions?

All NSE4-FGT-AD-7-6 questions are community-created and reviewed by moderators to align with Fortinet's published exam objectives. The community continuously reports and fixes issues to keep content accurate and up to date.

How should I study for the NSE4-FGT-AD-7-6 exam?

Start by browsing practice questions to identify weak areas. Use spaced repetition (Learn Mode) to focus study time on topics you struggle with. Combine practice questions with official Fortinet documentation and hands-on experience for best results.

NSE4-FGT-AD-7-6 Practice Exam — Free 84+ Questions

84Practice Questions

3Study Modes

FreeTo Get Started

Topic:Sort:

Question 1

Web Filtering

Question 2

Firewall Authentication

Question 3

Fortinet Single Sign-On (FSSO)

Question 4

FortiSASE

Question 5

Intrusion Prevention and Application Control

Question 6

High Availability

Question 7

Diagnostics and Troubleshooting

Question 8

Diagnostics and Troubleshooting

Question 9

IPsec VPN

Question 10

Antivirus

Question 11

Intrusion Prevention and Application Control

Question 12

Firewall Policies and NAT

Question 13

Web Filtering

Question 14

Routing

Question 15

System and Network Settings

Question 16

Firewall Policies and NAT

Question 17

Routing

Question 18

Intrusion Prevention and Application Control

Question 19

Logging and Monitoring

Question 20

SD-WAN Configuration and Monitoring

Question 21

IPsec VPN

Question 22

Certificate Operations

Question 23

Firewall Policies and NAT

Question 24

Intrusion Prevention and Application Control

Question 25

IPsec VPN

Page 1 of 4 • Questions 1-25 of 84

1 2 3 4

→

Know a question that should be here? Contribute to this exam

You have created a web filter profile named restrict_media-profile with a daily category usage quota.
When you are adding the profile to the firewall policy, the restrict_media-profile is not listed in the available web profile drop down.
What could be the reason?

A The inspection mode in the firewall policy is not matching with web filter profile feature set.
B The web filter profile is already referenced in another firewall policy.
C The naming convention used in the web filter profile is restricting it in the firewall policy.
D The firewall policy is in no-inspection mode instead of deep-inspection.

Refer to the exhibit, which shows a firewall policy to enable active authentication.

Question Image

When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
What is the most likely reason for this situation?

A The Service DNS is required in the firewall policy.
B The Remote-users group is not added to the Destination.
C The Remote-users group must be set up correctly in the FSSO configuration.
D No matching user account exists for this user.

What are two features of FortiGate FSSO agentless polling mode? (Choose two.)

A FortiGate does not support workstation check.
B FortiGate directs the collector agent to use a remote LDAP server.
C FortiGate uses the AD server as the collector agent.
D FortiGate uses the SMB protocol to read the event viewer logs from the DCs.

Which two components are part of the secure internet access (SIA) agent-based mode on FortiSASE? (Choose two.)

A FortiExtender
B VPN policies
C The proxy auto-configuration (PAC) file
D FortiSASE Firewall-as-a-Service (FWaaS)

Refer to the exhibits.

Question Image

You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
You cannot access any of the Google applications, but you are able to access www.fortinet.com
Which two actions would you take to resolve the issue? (Choose two.)

A Change the Inspection mode to Flow-based.
B Set the action for Google in the Application and Filter Overrides section to Allow.
C Add “Google”.com to the URL category in the security profile.
D Set SSL inspection to deep-content inspection.
E Move up Google in the Application and Filter Overrides section to set its priority to 1.

Refer to the exhibits.

Question Image

An administrator has observed the performance status outputs on an HA cluster for 55 seconds.
Which FortiGate is the primary?

A HQ-NGFW-2 with the parameter memory-failover-threshold setting
B HQ-NGFW-1 with the parameter override setting
C HQ-NGFW-2 with the parameter priority setting
D HQ-NGFW-1 with the parameter memory-failover-flip-timeout setting

Refer to the exhibit.

Question Image

Which two statements about the FortiGuard connection are true? (Choose two.)

A The weight increases as the number of failed packets rises.
B FortiGate is using the default port for FortiGuard communication.
C FortiGate identified the FortiGuard Server using DNS lookup.
D You can configure unreliable protocols to communicate with FortiGuard Server.

Which two statements are correct when the FortiGate device enters conserve mode? (Choose two.)

A FortiGate refuses to accept configuration changes.
B FortiGate continues to run critical security actions, such as quarantine.
C FortiGate halts complete system operation and requires a reboot to regain available resources.
D FortiGate continues to transmit packets without IPS inspection when the fail -open global setting in IPS is enabled.

Refer to the exhibit.

Question Image

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)

A On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0
B On BR1-FGT, set Seconds to 43200.
C On HQ-NGFW, set Encryption to AES256.
D On HQ-NGFW, enable Diffie-Hellman Group 2.

Refer to the exhibit.

Question Image

Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP?

A The Feature Set for the profile is Flow-based but it must be Proxy-based.
B FortiGate, with less than 2 GB RAM, does not support the Antivirus scan feature.
C Antivirus scan is disabled under System-> Feature visibility.
D None of the inspected protocols are active in this profile.

Refer to the exhibit.

Question Image

An administrator has configured an Application Overrides for the ABC.Com application signature and set the Action to Allow. This application control profile is then applied to a firewall policy that is scanning all outbound traffic. Logging is enabled in the firewall policy. To test the configuration, the administrator accessed the ABC.Com web site several times.
Why are there no logs generated under security logs for ABC.Com?

A The ABC.Com is hitting the category Excessive-Bandwidth.
B The ABC.Com is configured under application profile, which must be configured as a web filter profile.
C The ABC.Com Type is set as Application instead of Filter.
D The ABC.Com Action is set to Allow.

Refer to the exhibits.

Question Image

The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port2) interface has the IP address 100.65.0.101/24. The LAN (port4) interface has the IP address 10.0.11.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on HQ-PC-1 (10.0.11.50) pings the IP address of BR-FGT (100.65.1.111)

A 100.65.0.99
B 100.65.0.101
C 100.65.0.149
D 100.65.0.49

Refer to the exhibits.

Question Image

A web filter profile configuration and firewall policy configuration are shown. You are trying to access www.facebook.com , but you are redirected to a FortiGuard web filtering block page.
Based on the exhibits, what is the possible cause of the issue?

A The web rating override configuration is incorrect.
B The firewall policy inspection mode is incorrect.
C For www.facebook.com, the URL filter action is incorrect.
D The web filter profile feature set is configured incorrectly.

Refer to the exhibit, which shows a routing table.

Question Image

An administrator wants to create a new static route so the traffic to the subnet 172.20.1.0/24 is routed through port2 only.
What are the two criteria that the administrator can use to achieve this objective? (Choose two.)

A The new static route must have the priority set to 3.
B The existing static route through port 3 must have the distance set to 11.
C The new static route must have the distance set to 9.
D The new static route must have the metric set to1.

Refer to the exhibit.

Question Image

The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity.
What must the administrator configure to answer this specific request from the NOC team?

A Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
B Ensure that all NOC_Access users are assigned the super_admin role to guarantee access.
C Move NOC_Access to the top of the list to ensure all profile settings take effect.
D Increase the admintimeout value under config system accprofile NOC_Access.

FortiGate is operating in NAT mode and has two physical interfaces connected to the LAN and DMZ networks respectively.
Which two statements about the requirements of connected physical interfaces on FortiGate are true? (Choose two.)

A Both interfaces must have directly connected routes on the routing table.
B Both interfaces must have IP addresses assigned.
C Both interfaces must have DHCP enabled and interfaces set to LAN and DMZ roles assigned.
D Both interfaces must have the interface role assigned.

Refer to the exhibit.

Question Image

Based on the routing table shown in the exhibit, which two statements are true? (Choose two.)

A A packet with the source IP address 10.0.13.10 arriving on port2 is allowed if strict RPF is disabled.
B A packet with the source IP address 10.100.110.10 arriving on port3 is allowed if strict RPF is disabled.
C A packet with the source IP address 10.10.10.10 arriving on port2 is allowed if strict RPF is enabled.
D A packet with the source IP address 10.100.110.10 arriving on port2 is allowed if strict RPF is enabled.

Refer to the exhibit.

Question Image

Based on this configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)

A FortiGate drops new sessions requiring inspection.
B Administrators must restart FortiGate to allow new sessions.
C FortiGate skips quarantine actions.
D Administrators cannot change the configuration.

The FortiGate device HQ-NGFW-1 with the IP address 10.0.13.254 sends logs to the FortiAnalyzer device with the IP address 10.0.13.125. The administrator wants to verify that reliable logging is enabled on HQ-NGFW-1.
Which exhibit helps with the verification?

A
B
C
D

Which three statements about SD-WAN performance SLAs are true? (Choose three.)

A They can be measured actively or passively.
B They are applied in a SD-WAN rule lowest cost strategy.
C They monitor the state of the FortiGate device.
D All the SLA targets can be configured.
E They rely on session loss and jitter.

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
Which DPD mode on FortiGate meets this requirement?

A On Demand
B Enabled
C On Idle
D Disabled

A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?

A The matching firewall policy is set to proxy inspection mode.
B The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile.
C The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
D The browser does not trust the certificate used by FortiGate for SSL inspection.

A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View. The policies appear in a different order in each view.
Why is the policy order different in these two views?

A Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
B By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.
C The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.
D Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator’s manual ordering.

Refer to the exhibits.

Question Image

You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
Which two factors can you observe from these configurations? (Choose two.)

A YouTube search is allowed based on the Google Application and Filter override settings.
B Facebook access is blocked based on the category filter settings.
C Facebook access is allowed but you cannot play Facebook videos based on Video/Audio category filter settings.
D YouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.

An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table.
Which two statements about this scenario are correct? (Choose two.)

A The administrator must ensure phase 2 is successfully established.
B The administrator must enable a dynamic routing protocol on the dialup interface.
C The administrator must define the remote network correctly in the phase 2 selectors.
D The administrator must use a policy route instead of a static route for add-route to work properly.

NSE4-FGT-AD-7-6Preview

About the NSE4-FGT-AD-7-6 Exam

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

NSE4-FGT-AD-7-6Preview

About the NSE4-FGT-AD-7-6 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25