Fortinet NSE4_FGT_AD-7.6 - Fortinet NSE 4 - FortiOS 7.6 Administrator

“In FortiOS, there are three main components of web filtering:

• Web content filtering...

• URL filtering: uses URLs and URL patterns to block or exempt web pages from specific sources ...

• FortiGuard Web Filtering service...”

“In the web filter profile, Fortiguard category filtering enhances the web filter features. Rather than block or allow websites individually, it looks at the category that a website has been rated with. Then, FortiGate takes action based on that category, not based on the URL.”

“If you consider that a particular URL does not have the correct category, you can ask to re-evaluate the rating in the Fortinet URL Rating Submission website. You can also override a web rating for an exceptional URL in the FortiGate configuration. ”

“Static URL filtering is another web filter feature, which provides more granularity. Configured URLs in the URL filter are checked from top to bottom against the visited websites. If FortiGate finds a match, it applies the configured action.”

“To find the exact match, URL filtering has three pattern types: Simple, Regular Expressions, and Wildcard .”

“So, with these different features, what is the inspection order? If you have enabled many of them, the inspection order flows as follows:

The local static URL filter

FortiGuard category filtering...”

Technical Deep Dive:

The correct answers are A and B .

A is correct because a static URL filter gives per-URL granularity. Since the category Freeware and Software Downloads is currently allowed in the profile, adding a local static URL filter entry for download.com with Block lets FortiGate deny only that site while continuing to allow the rest of the category. This also aligns with the documented inspection order, where the local static URL filter is checked before FortiGuard category filtering .

B is also correct because a web rating override can reclassify a specific exceptional URL. If download.com is re-rated into a blocked category such as Malicious Websites , it will be blocked by the profile while other sites in Freeware and Software Downloads remain allowed.

Why the others are wrong:

C is not the intended web-filter solution. A firewall policy with an FQDN object operates at policy/routing resolution level, not as a category-aware web filtering exception.

D is wrong because changing the whole category to Warning affects all sites in that category, not just download.com.

In production, the cleaner design is usually: keep the category allowed, then add a local URL-filter exception or a web-rating override for the specific site . For HTTPS traffic, remember FortiGate still needs enough SSL inspection visibility to identify the hostname correctly. A representative CLI approach for URL filtering is:

config webfilter urlfilter

edit 1

config entries

edit 1

set url " download.com "

set type wildcard

set action block

next

end

next

end

This is the most deterministic way to block one site without penalizing the rest of the category.

“If SD-WAN is disabled, you can change the ECMP load balancing algorithm on the FortiGate CLI using the commands shown on this slide.”

“When SD-WAN is enabled, FortiOS hides the v4-ecmp-mode setting and replaces it with the load-balance-mode setting under config system sdwan . That is, when you enable SD-WAN, you control the ECMP algorithm with the load-balance-mode setting.”

“There are some differences between the two settings. The main difference is that load-balance-mode supports the volume algorithm, and v4-ecmp-mode does not .”

“These routes are called equal cost multipath (ECMP) routes...”

Technical Deep Dive:

The correct answers are A and D .

A is correct because when SD-WAN is enabled, FortiOS no longer uses v4-ecmp-mode; it uses load-balance-mode under config system sdwan. That is the explicit SD-WAN control point for ECMP behavior.

D is correct because when SD-WAN is disabled, ECMP configuration is done in the regular system routing settings, not under SD-WAN. The study guide states that you change the ECMP algorithm on the FortiGate CLI when SD-WAN is disabled, which corresponds to the classic config system settings ECMP controls.

Why the others are wrong:

B is wrong because the guide explicitly says load-balance-mode supports volume , while v4-ecmp-mode does not . So you cannot set v4-ecmp-mode to volume-based.

C is wrong because ECMP requires equal-cost routes. If distance or priority differ, they are no longer ECMP candidates; FortiGate selects the preferred route instead. The concept of ECMP itself requires equal route cost attributes.

From an implementation standpoint, the common CLI patterns are:

config system settings

set v4-ecmp-mode source-ip-based

end

and, with SD-WAN enabled:

config system sdwan

set load-balance-mode source-ip-based

end

On hardware platforms, ECMP still affects session distribution at the routing decision stage before later security services are applied. NP offload can accelerate forwarding after route selection, but the ECMP decision itself is a FortiOS control-plane routing function.

“With these multiple filters, which one has the priority? After the IPS engine examines the traffic stream for a signature match, FortiGate scans packets for matches, in this order, for the application control profile:

1. Application and filter overrides ...”

“Next, the scan checks for application and filter overrides. Because a filter override is configured to block applications that use excessive bandwidth, it blocks all applications using excessive bandwidth , regardless of other categories that allow these applications.”

“In this scenario, the filter override (Excessive-Bandwidth) is blocked and, since Dailymotion falls under the excessive bandwidth category, Dailymotion is blocked even though it is set to Monitor in the Application and Filter Overrides section. The priority in which application and filter overrides are placed takes precedence. ”

“To allow web filtering, DNS filtering, or application control for HTTPS traffic , you must select an SSL inspection profile with certificate inspection or a deep inspection enabled.”

Technical Deep Dive:

The problem is not flow-based mode and not the SSL profile. Your firewall policy already has certificate-inspection , and the study guide explicitly says that application control for HTTPS traffic works with certificate inspection or deep inspection . So option B is unnecessary, and option A is unrelated.

The real issue is the override order inside the application sensor:

Priority 1: Filter = Excessive-Bandwidth , Action = Block

Priority 2: Vendor = Google , Action = Monitor

FortiGate evaluates overrides from top to bottom and applies the first match . Many Google applications match the Excessive-Bandwidth filter, so they are blocked before the later Google/Monitor override is ever reached. That is why Google apps fail while www.fortinet.com still works.

So the correct fix is to move the Google override above the Excessive-Bandwidth filter , making Google the first match.

A representative CLI-style logic would be:

config application list

edit " default "

config entries

edit 1

set vendor " Google "

set action monitor

next

edit 2

set filter " Excessive-Bandwidth "

set action block

next

end

next

end

That preserves the bandwidth block for other apps while allowing Google applications to match the higher-priority override first.

Phase 1 being up confirms the two FortiGate devices can authenticate and build the IKE SA. Phase 2 failing indicates the IPsec (Quick Mode) SA negotiation is failing due to mismatched Phase 2 parameters.

From the exhibit, the Phase 2 mismatches that would prevent SA establishment are:

1) Phase 2 selectors must mirror each other (Proxy IDs)

HQ-NGFW Phase 2 selector shows:

Local: 10.0.11.0/24

Remote: 172.20.1.0/24

BR1-FGT Phase 2 selector shows:

Local: 172.20.1.0/24

Remote: 10.11.0.0/24 ⟵ does not match HQ’s local subnet (10.0.11.0/24)

In FortiOS, Phase 2 comes up only when the peers’ selectors (proxy IDs) match as opposite pairs (local on one side = remote on the other).

✅ Fix: A. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.

2) Phase 2 proposal must match (encryption/authentication)

HQ-NGFW shows encryption AES128 (with SHA1)

BR1-FGT shows encryption AES256 (with SHA1)

For Phase 2 to establish, both peers must have at least one common proposal (same encryption and authentication settings). With one side set to AES128 and the other to AES256, there is no match.

✅ Fix: D. On HQ-NGFW, set Encryption to AES256.

Why the other options are not correct

B. Enable Diffie-Hellman Group 2: The exhibit’s mismatch is not resolved by adding DH group 2, and DH group must match when PFS is enabled. This option does not align the peers based on what’s shown.

C. Set Seconds to 43200: Phase 2 lifetime mismatches typically do not prevent Phase 2 from coming up (the negotiated lifetime can be adjusted by the peers). The hard blockers here are the selectors and proposal mismatch.

“The only security features you can apply using SSL certificate inspection mode are web filtering and application control... certificate inspection does not allow FortiGate to inspect the flow of encrypted data.”

“For antivirus or IPS control, you should use a deep-inspection profile.”

“Within the full SSL inspection profile, you can also specify which SSL sites, if any, you want to exempt from SSL inspection.”

Technical Deep Dive:

The correct answers are A and B .

A is correct because if the firewall policy uses certificate inspection , FortiGate can inspect certificate/SNI metadata only. It cannot decrypt the HTTPS payload, so the antivirus engine never sees the EICAR file contents. That means HTTPS malware scanning fails even though HTTP scanning works.

B is also correct because if the destination site is exempt from SSL inspection , FortiGate intentionally skips decryption for that HTTPS session. Again, no payload decryption means no antivirus content scan.

Why the others are wrong:

C is not the likely reason here, especially for EICAR, which is a very small test file.

D would usually cause browser certificate warnings or connection issues during deep inspection, not a clean download that bypasses AV inspection.

Operationally, HTTPS antivirus requires this chain to be true:

firewall policy match → SSL deep inspection active → site not exempted → AV profile applied .

If either certificate-inspection is used or the site is exempted, FortiGate cannot inspect the encrypted file body.

From the routing table in the exhibit, there is already a static route for 172.20.1.0/24 pointing out port3 with:

Distance = 9

Priority = 2

Type = Static

In FortiOS, route selection prefers (in order) the route with the lowest administrative distance to a destination. Therefore, to make traffic to 172.20.1.0/24 go through port2 only, the administrator must ensure the port2 static route is more preferred than the existing port3 route.

Why C is correct

C. The existing static route through port3 must have the distance set to 11.

If the existing port3 route distance is increased to 11, then a new port2 route with distance 9 will be preferred (9 < 11). This makes the port3 route a backup route instead of the active one.

Why D is correct

D. The new static route must have the distance set to 9

Setting the new port2 route distance to 9 (and increasing the port3 route to 11 as in option C) ensures FortiGate selects the port2 route as the best route for 172.20.1.0/24.

Why A and B are not correct

A (priority 3): By itself it does not guarantee selection over the existing route, and FortiOS route choice is driven primarily by distance.

B (metric 1): Metric is not the primary selector for static route preference compared to administrative distance in this scenario.

So the two criteria that achieve the objective are:

Make the existing port3 route less preferred by increasing its distance (C)

Ensure the new port2 route uses the preferred distance (D)

In FortiOS 7.6 Application Control, security logs are generated primarily for actions such as Block or Monitor, not for Allow actions.

What is happening in the exhibit

An Application Override is configured for ABC.Com

Type: Application

Action: Allow

The application control profile is applied to a firewall policy

Logging is enabled on the firewall policy

Traffic to ABC.Com is successfully allowed

However, no security logs appear for ABC.Com.

Why no logs are generated

In FortiOS 7.6:

Application Control logs are written to Security Logs when:

An application is Blocked

An application is Monitored

When an application action is set to Allow:

The traffic is permitted silently

No application control security log is generated

Even if policy logging is enabled

This is expected and documented behavior.

To generate logs for allowed applications, the action must be set to Monitor, not Allow.

Why the other options are incorrect

A. ABC.Com is hitting the category Excessive-BandwidthIncorrect. ABC.Com has a higher-priority explicit override (priority 1), so it is not evaluated against the Excessive-Bandwidth filter.

B. The ABC.Com Type is set as Application instead of FilterIncorrect. Application-type overrides are valid and commonly used; this does not suppress logging.

C. The ABC.Com must be configured as a web filter profileIncorrect. This traffic is being evaluated by Application Control, not Web Filter.

" Also, advanced mode supports nested or inherited groups; that is, users can be members of subgroups that belong to monitored parent groups. " " In advanced mode, you can configure FortiGate as an LDAP client and configure the group filters on FortiGate. You can also configure group filters on the collector agent. "

Collector Agent Advanced Mode provides deeper integration between FortiGate, LDAP, and Active Directory, compared to standard mode.

Key features of Collector Agent Advanced Mode

B. FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate.

Correct

In advanced mode:

FortiGate directly queries LDAP/AD

User group filters are configured on FortiGate, not only on the Collector Agent

This allows more flexible and scalable user/group-based policies

D. Advanced mode supports nested or inherited groups.

Correct

Advanced mode supports:

Nested AD groups

Inherited group memberships

This is one of the primary reasons advanced mode is used in complex AD environments

Why the other options are incorrect

A. Security profiles only to user groups

Incorrect.

Security profiles can be applied to users or groups, depending on policy configuration.

C. Uses NetBIOS Domain\Username format

Incorrect.

NetBIOS naming is associated with standard mode

Advanced mode typically uses LDAP DN-based identification

“With this method, you must create a user group and add the preconfigured remote server to the group. This setup allows you to select one or more pre-existing groups from the Radius server, enabling any user within those groups to be authenticated.”

“The response from the server reports success, failure, and group membership details.”

“Note that Fortinet has a vendor-specific attributes (VSA) dictionary to identify the Fortinet-proprietary RADIUS attributes. This capability allows you to extend the basic functionality of RADIUS.”

Technical Deep Dive:

The attribute shown in the exhibit is Fortinet-Group-Name = Training. This is a Fortinet RADIUS Vendor-Specific Attribute (VSA) used to return group membership information to FortiGate. FortiGate uses that returned value to match the authenticated user to the corresponding FortiGate user group, in this case Training.

That is why A is correct: the administrator needs this so FortiGate can authenticate users and place or match them into the Training group for identity-based policy control.

Why the others are wrong:

* B is wrong because the RADIUS secret is configured separately as the shared secret between FortiGate and the RADIUS server, not as a Fortinet-Group-Name attribute.

* C is wrong because OU matching is an LDAP concept, not standard RADIUS group matching.

* D is wrong because this attribute is not for “any” group; it is explicitly returning the specific group name Training.

In practice, this lets FortiGate apply firewall policies such as:

```bash

config user group

edit " Training "

set member " RADIUS_Server "

next

end

```

Then the RADIUS server returns Fortinet-Group-Name=Training, and FortiGate matches the user into that group for policy enforcement.