Free Fortinet NSE4_FGT_AD-7.6 Practice Exam with Questions & Answers | Set: 2

Based on the FortiOS 7.6 Infrastructure and IPsec VPN documentation, Dead Peer Detection (DPD) can be configured in three primary modes: On Demand, On Idle, and Disabled.

On Demand (Default Mode): This mode is specifically designed to minimize unnecessary traffic. In this mode, FortiGate sends DPD probes only when there is no inbound traffic but the FortiGate is attempting to send outbound traffic. Because network communication is typically bidirectional, the absence of inbound traffic while outbound traffic is being sent is a primary indicator of a potentially dead tunnel. This matches the specific requirement described in the question.

On Idle: In this mode, DPD probes are sent if no traffic (neither inbound nor outbound) has been observed in the tunnel for a specific period. It verifies the tunnel status even when the connection is completely idle.

Enabled: In older versions or specific CLI contexts, " Enabled " may refer to periodic DPD, but in the current FortiOS 7.x/7.6 GUI and CLI terminology for Phase 1 settings, the active modes are defined as on-demand or on-idle.

Disabled: In this mode, the FortiGate does not send DPD probes but will still respond to DPD probes sent by the remote peer.

The requirement that the administrator wants probes sent only when there is no inbound traffic (usually implying the FortiGate is sending but not receiving) is the fundamental definition of the On Demand mechanism in the Fortinet curriculum.

Exact Extract:

“In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.”

“When both peers know each other ' s IP address or FQDN, you may want to use main mode to take advantage of its more secure negotiation. In this case, FortiGate can identify the remote peer by its IP address and, as a result, associate it with the correct IPsec tunnel.”

“FortiGate supports three DPD modes... The default DPD mode is On Demand .”

“ Diffie-Hellman (DH) ... is used during IKE SA negotiation. The use of DH in phase 1 is mandatory and can’t be disabled . You must select at least one DH group.”

Technical Deep Dive:

The correct answers are B and C .

B is correct because phase 1 fails when IKE mode settings do not match between peers. The study guide explicitly says phase 1 settings on both ends must agree. Since this is a static site-to-site tunnel and both peers know each other’s IP addresses, Main (ID protection) is the appropriate mode.

C is correct based on the exhibit: BR1-FGT appears bound to the wrong physical interface. The screenshot shows Interface = port1 , while the diagram/answer choice indicates the tunnel should be using port2 . If the phase 1 is bound to the wrong WAN interface, FortiGate sends IKE packets out the wrong path and phase 1 will not come up.

Why the others are not the fix:

A is not correct because DH is mandatory in phase 1. The issue is not “disable DH group 2” by itself; the real requirement is that the peers negotiate a compatible proposal. The option as written is not the proper corrective action from the guide.

D is not correct because DPD does not determine whether phase 1 can initially establish. It is a tunnel health/failure-detection feature after negotiation behavior, and On Demand is already the default mode.

“As previously stated, collector agent-based polling mode has three methods (or options) for collecting login information. The order on the slide from left to right shows most recommend to least recommended:

• WMI ...

• WinSecLog ...

• NetAPI ...”

Technical Deep Dive:

The correct three AD polling methods are WMI, WinSecLog, and NetAPI . These are the collector-agent polling options FortiGate FSSO uses against Windows domain controllers. WMI is generally the most efficient because the DC returns requested login events directly. WinSecLog polls Windows Security Event Logs and is typically more reliable than NetAPI for not missing recorded logons. NetAPI can be faster, but it is more prone to missing events under load because it depends on temporary session information rather than persistent security logs.

Why the other options are wrong:

DNS reverse lookup is not one of the three AD polling methods. DNS is used by FSSO to resolve workstation names to IP addresses and to track IP changes, but it is not itself a polling method for collecting AD logon events. FSSO REST API is also not one of the documented collector-agent AD polling methods in the study guide.

From an operational standpoint, FSSO login collection and workstation verification are separate functions. The collector agent may still rely on DNS and workstation checks after a login is learned, but the actual AD polling methods remain only WMI, WinSecLog, and NetAPI . On a FortiGate, when troubleshooting FSSO behavior, you would typically validate the collector feed and user cache with commands such as:

diagnose debug authd fsso list

diagnose debug authd fsso server-status

Those commands help confirm whether the users gathered by the collector through one of those three polling methods are reaching FortiGate correctly.

“When using FortiGuard servers for DNS, FortiOS uses DNS over TLS (DoT) by default to secure the DNS traffic. New FortiGuard DNS servers have been added as primary and secondary servers.”

Technical Deep Dive:

The correct answer is C. It uses DNS over TLS .

This is a direct default-behavior question. If you configure FortiGuard servers as DNS servers and do not change anything else, FortiGate uses DoT rather than plain DNS. That means the DNS session is encrypted, which protects DNS queries from simple interception or tampering on the path.

Why the other options are wrong:

A is standard clear-text DNS behavior, not the FortiGuard DNS default stated in the guide.

B is incorrect because the guide specifically says DNS over TLS , not DNS over HTTPS.

D is incorrect; the guide does not describe UDP 8888 as the default transport for this DNS use case.

Operationally, this matters because FortiGate relies on DNS not only for client-facing services, but also for resolving objects and securely reaching cloud-based services. Using DoT improves confidentiality for those DNS lookups.

“When you create a new entry to add signatures or filters, you can select the action by clicking Action.”

“When you enable Packet logging , FortiGate stores a local copy of the packet that matches the signature . This enhances the view of erroneous or suspicious packets.”

“You can configure IP exemptions on individual signatures only .”

Technical Deep Dive:

The correct answer is C .

The exhibit shows an IPS entry being added with:

Type = Signature

Action = Block

Packet logging = Enable

Rate-based settings = Default

The most certain conclusion from that configuration is that packet logging is enabled , and the study guide explicitly states that this causes FortiGate to store a local copy of the matching packet .

Why the others are wrong:

A is wrong because the exhibit shows Rate-based settings = Default , not a custom threshold.

B is wrong because the configured action is Block , not allow/monitor.

D is wrong because the entry type is Signature , meaning an individual signature is being added, not a signature group.

A useful operational note: packet logging is powerful for IPS investigation and false-positive analysis, but it consumes more storage and processing resources. It should be enabled selectively on signatures where deeper forensic visibility is needed.

“FortiGate looks for the matching firewall policy from top-to-bottom and, if a match is found, the traffic is processed based on the firewall policy. If no match is found, the traffic is dropped by the default implicit deny firewall policy. ”

Technical Deep Dive:

The debug flow output clearly points to the implicit deny :

ret-no-match

policy-0 is matched, act-drop

Denied by forward policy check (policy 0)

On FortiGate, policy 0 is the internal representation of the default implicit deny firewall policy . That means the packet did not match any user-defined forward firewall policy, so FortiGate dropped it automatically.

Why the other options are wrong:

B is wrong because an RPF failure would show a reverse-path-related drop reason, not Denied by forward policy check (policy 0).

C is wrong because the trace does not show a matched explicit policy ID with deny action; it shows policy 0 , which is the implicit rule.

D is wrong because the trace actually shows a route lookup result: find a route: ... gw-0.0.0.0 via port2. So this is not a next-hop reachability failure.

In packet-flow troubleshooting, this pattern is one of the most important to recognize. If you see policy 0 in FortiGate debug flow, the first things to verify are:

diagnose debug flow filter addr < src_or_dst_ip >

diagnose debug flow show function-name enable

diagnose debug enable

Then review whether a firewall policy exists with the correct incoming interface, outgoing interface, source, destination, schedule, and service . If any one of those does not match, FortiGate falls through to policy 0 and drops the session.

“This slide shows the different criteria that a cluster considers during the primary FortiGate election process. The criteria order evaluation depends on the HA override setting.”

For the default case shown in the guide:

“1. The cluster compares the number of monitored interfaces that have a status of up. The member with the most available monitored interfaces becomes the primary.

2. The cluster compares the HA uptime of each member...

3. The member with the highest priority becomes the primary.

4. The member with the highest serial number becomes the primary.”

For this question’s case:

“If the HA override setting is enabled, the priority is considered before the HA uptime .”

Technical Deep Dive:

Because override is enabled , the election order changes from the default sequence. The first criterion is still Connected monitored ports , because interface health is evaluated first. After that, Priority moves ahead of HA uptime . If those still do not decide the winner, FortiGate uses the serial number as the final tie-breaker. Therefore the correct order is:

1. Connected monitored ports

2. Priority

3. HA uptime

4. FortiGate serial number

This distinction matters in production. With set override enable, you are effectively making HA priority authoritative over uptime, so the preferred unit will reclaim the primary role when it comes back online. That is useful for deterministic primary selection, but it can also cause an additional failover event when the preferred chassis returns to service. The guide explicitly notes this tradeoff.

In practice, the relevant HA checks and verification commands are:

show system ha

get system ha status

diagnose sys ha status

These let you confirm override status, device priority, monitored interfaces, and recent election results. From a control-plane perspective, FGCP election logic is handled by FortiOS over heartbeat links, while data-plane forwarding after election continues using the cluster’s virtual MAC behavior and synchronized HA state.

“Three different configurable thresholds define when FortiGate enters and exits conserve mode. If memory usage goes above the percentage of total RAM defined as the red threshold , FortiGate enters conserve mode.”

“If memory usage keeps increasing, it might exceed the extreme threshold . While memory usage is above this highest threshold, all new sessions are dropped. ”

“What actions does FortiGate take to preserve memory while in conserve mode?

• FortiGate does not accept configuration changes , because they might increase memory usage.”

“However, if the memory usage exceeds the extreme threshold, new sessions are always dropped , regardless of the FortiGate configuration.”

Technical Deep Dive:

The system performance output shows Memory: 2042076k total, 1837868k used (90%) . The configured thresholds shown are:

green = 82

red = 88

extreme = 89

Because memory usage is 90% , it is:

Above the red threshold (88%) → so FortiGate has entered conserve mode

Above the extreme threshold (89%) → so all new sessions are dropped

That makes A and D correct.

Why the others are wrong:

B is not stated anywhere in the study guide as an automatic outcome of conserve mode.

C is the opposite of what the guide says. In conserve mode, FortiGate does not accept configuration changes .

A useful verification command is:

diagnose hardware sysinfo conserve

Operationally, once a FortiGate crosses the red threshold , it starts protecting itself by limiting behavior that could increase memory usage. Once it crosses the extreme threshold , it becomes more severe and drops new sessions to keep the system from becoming unstable.

With full SSL inspection, FortiGate performs a man-in-the-middle process: it decrypts the HTTPS session, inspects it, then re-encrypts it. To do this, FortiGate presents a substitute certificate to the client, signed by the CA certificate configured in the SSL/SSH inspection profile (for example, Fortinet_CA_SSL or a custom enterprise CA).

Browsers will show certificate warning errors when the issuing CA is not trusted by the client device/browser trust store. This only happens for HTTPS because certificates are used in TLS; HTTP has no certificate exchange, so no warning appears.

Why the other options are incorrect:

A: Allowing invalid server certificates affects whether FortiGate blocks/permits connections to sites with bad certs; it does not fix the client warning about FortiGate’s substituted cert.

B: Proxy vs flow inspection mode does not inherently cause certificate warnings; the warning is about trust of the signing CA.

D: Missing extensions is not the typical reason across “any HTTPS website”; the standard reason is the client does not trust the FortiGate inspection CA

From the exhibits:

The firewall policy has Application Control enabled and uses certificate-inspection for SSL inspection.

The application sensor has Application and Filter Overrides with the following order (priority):

Excessive-Bandwidth with action Block

Google (vendor filter) with action Monitor

In FortiOS, Application and Filter Overrides are evaluated by priority (top-down). The first matching override is applied. If traffic matches an earlier override with Block, it will be blocked even if a later override would Monitor/Allow it.

Why Google apps fail while www.fortinet.com works:

Many Google applications can be detected as (or can trigger) the Excessive-Bandwidth behavior/signature depending on the specific service and traffic pattern.

Because Excessive-Bandwidth (Block) is above Google (Monitor), Google-related traffic may match the first rule and be blocked before the Google override is evaluated.

Access to www.fortinet.com works because that traffic is not matching the Excessive-Bandwidth override.

Therefore, to resolve:

B. Move up Google in the Application and Filter Overrides section to set its priority higher

This ensures Google matches the Google override before any broader blocking override is applied.

E. Set the action for Google in the Application and Filter Overrides section to Allow

This explicitly permits Google applications once the higher-priority match occurs (stronger than Monitor for troubleshooting and ensuring access).

Why the other options are not the best fit here:

A (deep-content inspection) can help identify more HTTPS applications, but the exhibit already shows a specific Google override configured; the immediate issue is the override evaluation order and action.

C relates to Web Filter URL categories, but the problem is occurring under Application Control behavior/vendor overrides.

D (flow-based) is not required to fix an override priority/action conflict.