Fortinet NSE4_FGT_AD-7.6 - Fortinet NSE 4 - FortiOS 7.6 Administrator

“To successfully form an HA cluster, you must ensure that the members have the same:

• Model: hardware model or VM model

• Firmware version

• Licensing: includes the FortiGuard license, virtual domain (VDOM) license, FortiClient license, and so on

• Hard drive configuration: the same number and size of drives and partitions

• Operating mode: the operating mode—NAT mode or transparent mode—of the management VDOM.”

“From a configuration and setup point of view, you must ensure that the HA settings on each member have the same group ID , group name, password, and heartbeat interface settings. Try to place all heartbeat interfaces in the same broadcast domain , or for two-member clusters, connect them directly.”

Technical Deep Dive:

The correct answers are A and D .

A is correct because FGCP cluster formation requires matching HA parameters, and group ID is explicitly one of them. If the group ID differs, the units will not consider each other part of the same cluster during HA discovery and election.

D is correct because FortiGate HA expects hardware parity in critical platform characteristics, including hard drive configuration . If disk layout differs, the members do not satisfy the HA formation prerequisites.

B is incorrect because the study guide does not require heartbeat interfaces to be in the same IP subnet. The requirement is that heartbeat links be in the same broadcast domain , or directly connected in a two-node design. In practice, heartbeat links are Layer 2 adjacency links; IP subnet matching is not the stated requirement.

C is incorrect because the guide does not say both units must start with the same number of configured VDOMs. What must match is the licensing level and the operating mode of the management VDOM . After cluster formation, the primary synchronizes its configuration to the secondary.

A practical verification set before forming FGCP HA is:

get system status

show system ha

diagnose sys ha status

Operationally, FGCP then uses the heartbeat links for member discovery, health monitoring, election, and config/session synchronization. On supported hardware, session forwarding and HA processing can still benefit from FortiGate’s ASIC-assisted architecture, but HA state, config sync, and election logic remain control-plane functions handled by FortiOS.

“This slide shows the different criteria that a cluster considers during the primary FortiGate election process. The criteria order evaluation depends on the HA override setting.”

For the default case shown in the guide:

“1. The cluster compares the number of monitored interfaces that have a status of up. The member with the most available monitored interfaces becomes the primary.

2. The cluster compares the HA uptime of each member...

3. The member with the highest priority becomes the primary.

4. The member with the highest serial number becomes the primary.”

For this question’s case:

“If the HA override setting is enabled, the priority is considered before the HA uptime .”

Technical Deep Dive:

Because override is enabled , the election order changes from the default sequence. The first criterion is still Connected monitored ports , because interface health is evaluated first. After that, Priority moves ahead of HA uptime . If those still do not decide the winner, FortiGate uses the serial number as the final tie-breaker. Therefore the correct order is:

1. Connected monitored ports

2. Priority

3. HA uptime

4. FortiGate serial number

This distinction matters in production. With set override enable, you are effectively making HA priority authoritative over uptime, so the preferred unit will reclaim the primary role when it comes back online. That is useful for deterministic primary selection, but it can also cause an additional failover event when the preferred chassis returns to service. The guide explicitly notes this tradeoff.

In practice, the relevant HA checks and verification commands are:

show system ha

get system ha status

diagnose sys ha status

These let you confirm override status, device priority, monitored interfaces, and recent election results. From a control-plane perspective, FGCP election logic is handled by FortiOS over heartbeat links, while data-plane forwarding after election continues using the cluster’s virtual MAC behavior and synchronized HA state.

“FortiSASE provides secure access to remote users for the following use cases:

• SIA enables secure web browsing for remote users to protect from known and unknown threats

• SPA enables explicit application access under a zero-trust access or with SD-WAN integration to ensure secure application access

• SSA addresses shadow IT visibility challenges and safeguards data loss prevention ”

“FortiCASB provides cloud-based and API-based features to enable deep inspection of SaaS applications to enable detailed monitoring, analysis, and reporting features... Data loss prevention (DLP) helps to identify, monitor, and protect organizational data at rest and in motion. ”

Technical Deep Dive:

The correct answer is C. Secure SaaS access (SSA) .

The question gives two very specific requirements:

Shadow IT visibility

Prevent sensitive files from leaving the organization without approval

The study guide maps both directly to SSA . In FortiSASE, SSA aligns with SaaS governance and CASB-style controls. That is the right architecture when you need visibility into sanctioned and unsanctioned SaaS usage, plus DLP controls for uploads, sharing, and file movement.

Why the other options are wrong:

SIA focuses on securing internet browsing and remote web traffic.

SPA is for explicit zero-trust access to private applications.

SSD-WAN is not the FortiSASE method for SaaS visibility/DLP control.

In practice, SSA is the choice because it combines SaaS visibility, activity monitoring, and DLP-style enforcement . That lets an administrator detect shadow SaaS usage and apply controls such as blocking uploads, monitoring sharing events, or restricting file transfers based on policy. This is a CASB-oriented use case, not just generic web security.

With full SSL inspection, FortiGate performs a man-in-the-middle process: it decrypts the HTTPS session, inspects it, then re-encrypts it. To do this, FortiGate presents a substitute certificate to the client, signed by the CA certificate configured in the SSL/SSH inspection profile (for example, Fortinet_CA_SSL or a custom enterprise CA).

Browsers will show certificate warning errors when the issuing CA is not trusted by the client device/browser trust store. This only happens for HTTPS because certificates are used in TLS; HTTP has no certificate exchange, so no warning appears.

Why the other options are incorrect:

A: Allowing invalid server certificates affects whether FortiGate blocks/permits connections to sites with bad certs; it does not fix the client warning about FortiGate’s substituted cert.

B: Proxy vs flow inspection mode does not inherently cause certificate warnings; the warning is about trust of the signing CA.

D: Missing extensions is not the typical reason across “any HTTPS website”; the standard reason is the client does not trust the FortiGate inspection CA

“You can configure the fail-open setting under config ips global to control how the IPS engine behaves when the IPS socket buffer is full .”

“If the IPS engine does not have enough memory to build more sessions , the fail-open setting determines whether the FortiGate should drop the sessions or bypass the sessions without inspection .”

“It is important to understand that the IPS fail-open setting is not just for conserve mode—it kicks in whenever IPS fails. Most failures are due to a high CPU issue or a high memory (conserve mode) issue.”

Technical Deep Dive:

The correct answer is A .

The log text says:

logdesc= " IPS session scan paused "

action= " drop "

msg= " IPS session scan, enter fail open mode "

That combination indicates an IPS failure condition , specifically the condition described in the guide where the IPS socket buffer is full and the IPS engine lacks enough memory/resources to build additional sessions. In that state, FortiGate applies the configured IPS fail-open behavior . Since the log shows action= " drop " , the device is not bypassing those new sessions; it is dropping them.

Why the other choices are wrong:

B is wrong because the guide ties fail-open to socket buffer/resource exhaustion , not packet decode failure.

C is wrong because this is not evidence of a manual diagnostic pause.

D is wrong because the study guide does not associate this log with dirty-flag packet reevaluation.

Operationally, this usually points to high memory , high CPU , or conserve-mode pressure affecting the IPS engine. Useful checks are:

get system performance status

diagnose hardware sysinfo conserve

diagnose sys top

Those help confirm whether the IPS issue is being driven by memory pressure or CPU exhaustion.

“You may need to exempt traffic from SSL inspection if it is causing problems with traffic, or for legal reasons.”

“Performing SSL inspection on a site that is enabled with HTTP Strict Transport Security (HSTS), for example, can cause problems with traffic. Remember, the only way for FortiGate to inspect encrypted traffic is to intercept the certificate coming from the server and generate a temporary one. After FortiGate presents the temporary SSL certificate, browsers that use HSTS refuse to proceed.”

“Laws protecting privacy might be another reason to bypass SSL inspection. For example, in some countries, it is illegal to inspect SSL bank-related traffic. Configuring an exemption for sites is simpler than setting up firewall policies for each individual bank. You can exempt sites based on their web category, such as Finance and Banking...”

“The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories—Finance and Banking, and Health and Wellness—and some FQDN addresses...”

Technical Deep Dive:

The correct answers are B and D .

B is correct because the study guide explicitly says SSL inspection may be bypassed for legal reasons , especially where privacy laws restrict inspection of sensitive categories such as Finance and Banking . The same privacy rationale also explains why Health and Wellness is commonly exempted.

D is correct because some sites break under deep inspection due to HSTS . FortiGate must generate and present a temporary certificate during full SSL inspection, and browsers enforcing HSTS can reject that interception flow. That is why some sites are exempted from deep inspection.

Why the others are wrong:

A is not stated in the guide.

C refers to the separate Reputable websites option, which is a FortiGuard-maintained allowlist feature, not the reason the predefined categories shown in the exhibit are excluded.

From an operational standpoint, this is a classic balance between security visibility and application/legal compatibility . Deep inspection gives FortiGate payload visibility, but it can interfere with pinned-certificate/HSTS behavior and can violate privacy policy for regulated content.

“Three different configurable thresholds define when FortiGate enters and exits conserve mode. If memory usage goes above the percentage of total RAM defined as the red threshold , FortiGate enters conserve mode.”

“If memory usage keeps increasing, it might exceed the extreme threshold . While memory usage is above this highest threshold, all new sessions are dropped. ”

“What actions does FortiGate take to preserve memory while in conserve mode?

• FortiGate does not accept configuration changes , because they might increase memory usage.”

“However, if the memory usage exceeds the extreme threshold, new sessions are always dropped , regardless of the FortiGate configuration.”

Technical Deep Dive:

The system performance output shows Memory: 2042076k total, 1837868k used (90%) . The configured thresholds shown are:

green = 82

red = 88

extreme = 89

Because memory usage is 90% , it is:

Above the red threshold (88%) → so FortiGate has entered conserve mode

Above the extreme threshold (89%) → so all new sessions are dropped

That makes A and D correct.

Why the others are wrong:

B is not stated anywhere in the study guide as an automatic outcome of conserve mode.

C is the opposite of what the guide says. In conserve mode, FortiGate does not accept configuration changes .

A useful verification command is:

diagnose hardware sysinfo conserve

Operationally, once a FortiGate crosses the red threshold , it starts protecting itself by limiting behavior that could increase memory usage. Once it crosses the extreme threshold , it becomes more severe and drops new sessions to keep the system from becoming unstable.

“To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets for that session are also denied. This ensures that FortiGate does not have to perform a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.”

“The CLI command is ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-session-timer in the CLI. By default, it is set to 30 seconds.”

Technical Deep Dive:

The correct answers are A and B .

When set ses-denied-traffic enable is configured, FortiGate creates a session-table entry for denied traffic . That means once traffic is denied, subsequent packets that belong to the same denied flow do not need a full policy lookup again. FortiGate can drop them immediately based on the existing denied-session entry. That directly confirms B .

Because FortiGate no longer re-evaluates every repeated denied packet in the same way, the device generates fewer logs and uses less CPU for repeated denied traffic. That is exactly why A is also correct.

Why the other two are wrong:

C is incorrect because block-session-timer 30 means 30 seconds , not 30 minutes. The denied session entry is kept in the session table for that duration.

D is incorrect because these settings do not disable session helpers. They only control how denied traffic is tracked in the session table.

In operational terms, this feature is useful when a host repeatedly retries traffic that FortiGate is already denying. Instead of doing a fresh lookup for every retry, FortiGate caches the denied decision temporarily and drops the repeated packets faster.

Exact Extract:

“If you want the wizard to configure the VPN for you, then select the template type Site to Site, Hub-and-Spoke, or Remote Access that best matches your VPN.”

“Use remote access VPNs when remote internet users need to securely connect to the office to access corporate resources. The remote user connects to a VPN server located on the corporate premises, such as FortiGate, to establish a secure tunnel.”

“A common use of the IPsec wizard is for configuring a remote access VPN for FortiClient users.”

Technical Deep Dive:

The correct answer is A. Remote Access .

A sales employee travelling abroad is a remote user , not another branch office or headquarters firewall. That means the tunnel type is a remote access VPN , where the user connects from an internet location back to the corporate FortiGate. In this design, the remote client typically uses FortiClient , and FortiGate acts as the VPN server.

Why the other options are incorrect:

Hub-and-Spoke is for multi-site branch connectivity through a central hub.

Site-to-Site is for connecting two fixed networks, such as branch office to headquarters.

Dial-up User describes the remote-user behavior conceptually, but it is not the IPsec Wizard template choice shown in the study guide. The wizard template to select is Remote Access .

So for a travelling sales employee, the administrator must choose the Remote Access VPN Wizard template.

In FortiSASE site-based (remote internet access) deployments, FortiExtender is used to onboard branch or remote sites without a local FortiGate.

According to FortiSASE and FortiExtender architecture documentation:

FortiExtender integrates with FortiSASE using a secure VXLAN-over-IPsec tunnel

This tunnel:

Extends the site network to FortiSASE

Transparently forwards traffic for inspection

Preserves network segmentation and routing context

This design is similar to cloud-based LAN extension and is not proxy-based

Why the other options are incorrect

B: FortiClient is used for agent-based user access, not FortiExtender

C: Secure Web Gateway (SWG) is a service, not a transport mechanism

D: PAC files and explicit proxies are used in agentless / proxy-based access, not site-based FortiExtender deployments