Pass the Fortinet Fortinet Network Security Expert NSE4_FGT_AD-7.6 Questions and answers with CertsForce

In FortiOS 7.6, firewall policies can be displayed in multiple views to help administrators understand and manage rules more effectively. The difference in ordering between Interface Pair View and By Sequence View is intentional and documented.

Why the policy order is different

Interface Pair View

Groups firewall policies based on the incoming (From) and outgoing (To) interfaces.

Policies are organized under interface pairs such as:

LAN → WAN

WAN → LAN

Within each interface pair, policies may appear reordered compared to the global list.

This view is designed for readability and troubleshooting, not to show execution order.

By Sequence View

Displays firewall policies in their actual evaluation (processing) order.

This is the top-down order FortiGate uses when matching traffic.

It reflects the real rule sequence that determines which policy is hit first.

Why option C is correct

C. Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.

This statement exactly matches FortiOS behavior as documented in the FortiOS 7.6 Firewall Policy Views section of the Administrator Guide.

Why the other options are incorrect

A: Interface Pair View does not follow traffic logs, and By Sequence View is not based on “rule priority” grouping.

B: FortiGate does not dynamically reorder policies based on traffic patterns.

D: Security levels do not affect policy ordering in Interface Pair View.

Based on the exhibit and the FortiOS 7.6 SSL/SSH Inspection documentation, the correct answer is C.

Understanding the Exhibit Configuration

In the SSL/SSH Inspection Profile, the following settings are shown:

Inspection method: Full SSL Inspection

Server certificate SNI check: Strict

This setting directly controls how FortiGate validates the Server Name Indication (SNI) provided by the client during the TLS handshake.

FortiOS 7.6 Behavior of “Server certificate SNI check”

FortiOS supports three modes for Server certificate SNI check:

Disable

No validation between SNI and server certificate.

Enable

FortiGate checks SNI against the certificate.

If mismatch occurs, FortiGate may still allow the session with reduced validation.

Strict

FortiGate enforces a strict match.

The SNI must match either the CN (Common Name) or one of the SAN (Subject Alternative Name) entries in the server certificate.

If the SNI does not match either CN or SAN, the TLS session is immediately terminated.

The exhibit clearly shows Strict selected.

Why Option C is Correct

With Strict enabled, FortiGate rejects the TLS connection when:

The SNI does not match the CN, and

The SNI does not match any SAN entry

This results in the connection being closed, not allowed with warnings or fallback behavior.

Therefore:

C. FortiGate will close the connection if the SNI does not match the CN or SAN fields is exactly the documented behavior.

Why the Other Options Are Incorrect

A: FortiGate does not fall back to using the CN for URL filtering when Strict is enabled.

B: There is no “accept with warning” behavior in Strict mode.

D: Incorrect logical condition. FortiGate does not require mismatch with both CN and SAN simultaneously; a mismatch with either valid field set is sufficient to close the connection.

From the exhibits:

The Application Control sensor has these key settings:

Application and Filter Overrides

Priority 1: Excessive-Bandwidth (Type: Filter) with Action Block

Priority 2: Google (Type: Filter) with Action Monitor

Category actions shown include Social Media set to Block (this category includes Facebook).

The firewall policy is using:

Flow-based inspection

Application control enabled (profile: default)

Deep inspection enabled (helps identify applications inside HTTPS)

Logging enabled

FortiOS applies Application Control as follows (top-down within the Application Control profile):

Overrides are evaluated by priority (highest priority first).

The first matching override determines the action (block/monitor/allow) for that traffic.

Category-based actions apply to applications that fall into those categories unless an override matches first.

Why A is correct

A. YouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.

The profile explicitly blocks the Excessive-Bandwidth behavior filter at the highest override priority.

When YouTube traffic is detected as matching the Excessive-Bandwidth behavior, FortiGate will apply the Block action due to the override.

Because this is a priority override, it is enforced before lower-priority entries.

Why B is correct

B. Facebook access is blocked based on the category filter settings.

The Application Sensor shows Social Media configured with a Block action.

Facebook is categorized under Social Media, so it will be blocked when matched by Application Control.

Why C is not correct

C. Facebook access is allowed but you cannot play Facebook videos...

Since the Social Media category is set to Block, Facebook would be blocked at the category level (not merely video playback).

Why D is not correct

D. YouTube search is allowed based on the Google override...

The Google override action is Monitor, not Allow.

“Monitor” logs/detects but does not override a block condition to “allow” traffic.

Also, YouTube traffic is not guaranteed to be treated as “Google” in a way that would permit it, and any matching block condition (such as Excessive-Bandwidth) would still take precedence.

Based on the diagnose debug rating output provided in the exhibit and the standard behavior of the FortiGuard connection mechanism in FortiOS 7.6:

Weight Calculation (Statement A is True):

In FortiOS, the rating server selection process uses a weight-based system.

According to official documentation, the weight increases with failed packets (lost responses) and decreases with successful packets.

This mechanism ensures that servers with poor reliability are penalized by having higher weights, effectively pushing them to the bottom of the preference list.

Default Port Communication (Statement D is True):

The exhibit explicitly shows the communication is using HTTPS on port 8888.

In FortiOS 7.6 (and legacy versions like 6.2/6.4), FortiGuard filtering supports specific protocols and ports: HTTPS on ports 443, 53, and 8888, where 8888 is considered a default port for FortiGuard queries.

Ports 53 and 8888 are standard for both UDP and TCP/HTTPS FortiGuard communications to avoid common firewall blocks on standard web ports.

Why other options are incorrect:

Statement B (Unreliable protocols): While you can configure UDP (which is unreliable), the exhibit specifically shows HTTPS is being used, which is a reliable (TCP-based) protocol.

Statement C (DNS lookup): In the " Flags " column of the server list, a server found via DNS lookup would be marked with the " D " flag. The exhibit shows the flag as " I " (indicating the last INIT request was sent to this server) and a numeric " 2, " but the " D " flag is absent. Additionally, the IP 10.0.1.241 is a private address, suggesting it is a manually configured FortiManager or local override server rather than a public server found via global DNS lookup.

“When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers have been added as primary and secondary servers.”

Technical Deep Dive:

The correct answer is C. It uses DNS over TLS .

This is a direct default-behavior question. If you configure FortiGuard servers as DNS servers and do not change anything else, FortiGate uses DoT rather than plain DNS. That means the DNS session is encrypted, which protects DNS queries from simple interception or tampering on the path.

Why the other options are wrong:

A is standard clear-text DNS behavior, not the FortiGuard DNS default stated in the guide.

B is incorrect because the guide specifically says DNS over TLS , not DNS over HTTPS.

D is incorrect; the guide does not describe UDP 8888 as the default transport for this DNS use case.

Operationally, this matters because FortiGate relies on DNS not only for client-facing services, but also for resolving objects and securely reaching cloud-based services. Using DoT improves confidentiality for those DNS lookups.

In FortiOS 7.6 Application Control, security logs are generated primarily for actions such as Block or Monitor, not for Allow actions.

What is happening in the exhibit

An Application Override is configured for ABC.Com

Type: Application

Action: Allow

The application control profile is applied to a firewall policy

Logging is enabled on the firewall policy

Traffic to ABC.Com is successfully allowed

However, no security logs appear for ABC.Com.

Why no logs are generated

In FortiOS 7.6:

Application Control logs are written to Security Logs when:

An application is Blocked

An application is Monitored

When an application action is set to Allow:

The traffic is permitted silently

No application control security log is generated

Even if policy logging is enabled

This is expected and documented behavior.

To generate logs for allowed applications, the action must be set to Monitor, not Allow.

Why the other options are incorrect

A. ABC.Com is hitting the category Excessive-BandwidthIncorrect. ABC.Com has a higher-priority explicit override (priority 1), so it is not evaluated against the Excessive-Bandwidth filter.

B. The ABC.Com Type is set as Application instead of FilterIncorrect. Application-type overrides are valid and commonly used; this does not suppress logging.

C. The ABC.Com must be configured as a web filter profileIncorrect. This traffic is being evaluated by Application Control, not Web Filter.

Phase 1 being up confirms the two FortiGate devices can authenticate and build the IKE SA. Phase 2 failing indicates the IPsec (Quick Mode) SA negotiation is failing due to mismatched Phase 2 parameters.

From the exhibit, the Phase 2 mismatches that would prevent SA establishment are:

1) Phase 2 selectors must mirror each other (Proxy IDs)

HQ-NGFW Phase 2 selector shows:

Local: 10.0.11.0/24

Remote: 172.20.1.0/24

BR1-FGT Phase 2 selector shows:

Local: 172.20.1.0/24

Remote: 10.11.0.0/24 ⟵ does not match HQ’s local subnet (10.0.11.0/24)

In FortiOS, Phase 2 comes up only when the peers’ selectors (proxy IDs) match as opposite pairs (local on one side = remote on the other).

✅ Fix: A. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.

2) Phase 2 proposal must match (encryption/authentication)

HQ-NGFW shows encryption AES128 (with SHA1)

BR1-FGT shows encryption AES256 (with SHA1)

For Phase 2 to establish, both peers must have at least one common proposal (same encryption and authentication settings). With one side set to AES128 and the other to AES256, there is no match.

✅ Fix: D. On HQ-NGFW, set Encryption to AES256.

Why the other options are not correct

B. Enable Diffie-Hellman Group 2: The exhibit’s mismatch is not resolved by adding DH group 2, and DH group must match when PFS is enabled. This option does not align the peers based on what’s shown.

C. Set Seconds to 43200: Phase 2 lifetime mismatches typically do not prevent Phase 2 from coming up (the negotiated lifetime can be adjusted by the peers). The hard blockers here are the selectors and proposal mismatch.

Based on the FortiOS 7.6 Authentication and User Group documentation, the correct answer is A.

Meaning of “Include in every user group” (FortiOS 7.6)

When configuring a RADIUS server on FortiGate, enabling Include in every user group has a very specific and documented effect:

The configured RADIUS server object is automatically added to all FortiGate user groups.

As a result, any user who successfully authenticates against that RADIUS server becomes a valid member of every FortiGate user group, unless additional group filtering (such as RADIUS attributes) is applied.

This simplifies configuration when the same external authentication source must be accepted across multiple firewall policies that reference different user groups.

This behavior is explicitly described in the FortiOS 7.6 Administrator Guide under RADIUS authentication servers and user groups.

Why Option A is Correct

FortiGate user groups can include:

Local users

LDAP servers

RADIUS servers

Enabling Include in every user group causes FortiGate to:

Insert the RADIUS server into all existing and future FortiGate user groups

Therefore, all users authenticating via this RADIUS server are implicitly allowed in every FortiGate user group.

This is exactly what option A describes.

Why the Other Options Are Incorrect

B: FortiGate does not push users or groups into the RADIUS server. Authentication is always initiated by FortiGate toward RADIUS.

C: FortiGate does not manage or modify RADIUS-side group definitions.

D: LDAP and RADIUS user groups are separate authentication mechanisms; this setting does not merge or affect LDAP groups.

Based on the FortiOS 7.6 Administrator Guide regarding Fortinet Single Sign-On (FSSO) polling modes, the agentless polling mode has specific technical characteristics:

SMB Protocol Usage (Statement B is True):

In agentless polling mode, the FortiGate unit itself acts as the collector.

It establishes direct connections to the Windows Domain Controllers (DCs) using the SMB (Server Message Block) protocol, typically over TCP port 445, to read the Windows Security Event logs.

This allows FortiGate to parse login event IDs (such as 4768 and 4769) to identify users and their corresponding IP addresses without needing an external collector agent installed on a server.

Workstation Check Support (Statement C is True):

One of the primary limitations of the agentless polling mode compared to the agent-based mode is the lack of workstation verification.

In agentless mode, FortiGate does not perform " workstation checks " or " dead entry checks " . This means it cannot proactively verify if a user is still logged into a specific workstation after the initial logon event is recorded, which can lead to stale entries if a user logs off without a corresponding event being captured.

Why other options are incorrect:

Option A: In agentless mode, FortiGate (the FSSO daemon) performs the collection itself; it does not use the AD server as a " collector agent " in the functional sense of FSSO architecture.

Option D: While FortiGate uses LDAP to retrieve group membership information once a user is identified, it does not " direct " a collector agent to a remote LDAP server, as there is no external collector agent involved in this specific mode.