Deployment + System Config: 20% of exam
Firewall + Authentication: 20% of exam
Content Inspection: 25% of exam
Routing: 15% of exam
VPN: 20% of exam
Quick Facts
- Exam: NSE4_FGT-7.6
- Credential: FCP Network Security
- Questions: 55 multiple choice
- Time: 90 minutes
- Pass: ~70% pass/fail
- Fee: $400 USD
- Valid: 2 years
- Provider: Pearson VUE
NAT vs Transparent Mode
NAT Mode
- Routes Layer 3
- Interfaces have IPs
- Performs NAT
Transparent
- Bridges Layer 2
- One mgmt IP
- Invisible inline
Route vs bridge
Operation + VDOM
- NAT mode: Routes by Layer 3
- Transparent mode: Bridges, no IP routing
- VDOM: Virtual firewall instance
- Split-task VDOM: Mgmt plus traffic split
- Multi-VDOM: Separate virtual firewalls
- root VDOM: Default, cannot delete
- config global: Device-wide settings
- Inter-VDOM link: Routes between VDOMs
Active-Passive vs Active-Active
Active-Passive
- One primary handles traffic
- Others standby
- Simple redundancy
Active-Active
- All units process
- Load balances sessions
- Higher throughput
Standby vs load share
System + CLI
- get system status: Firmware, serial, uptime
- get/show: View settings or config
- diagnose/execute: Debug or run action
- execute factoryreset: Erase to defaults
- GUI port: HTTPS 443 default
- SSH CLI port: Port 22
- Config revision: Saved rollback versions
- execute update-now: Force FortiGuard update
HA + Security Fabric
- FGCP: FortiGate Clustering Protocol
- Heartbeat: UDP plus TCP sync
- Session pickup: Syncs sessions on failover
- ha-override: Highest priority stays primary
- diagnose sys ha status: Shows role and priority
- Security Fabric: Integrated Fortinet products
- FortiAnalyzer: Central log analytics
- OFTP: FortiAnalyzer log TCP 514
Policy Matching
Top-down, first match, then implicit deny
Central vs Policy NAT
Central NAT
- Separate NAT table
- Reused across policies
- Flexible mapping
Policy NAT
- NAT in policy
- Per-policy setting
- Simpler setup
Decoupled vs inline
NAT Picker
- Internal users to internet → SNAT (outbound)
- Publish internal server → VIP (DNAT)
- Forward external port → VIP port forward
- Specific SNAT addresses → IP pool
- Reuse NAT across policies → Central NAT
- NAT tied to one policy → Policy NAT
Firewall Policies
- Top-down match: First match wins
- Implicit deny: Denies unmatched traffic
- ACCEPT: Allows matching traffic
- DENY: Silently drops traffic
- Address object: Named IP, subnet, FQDN
- Schedule object: Time-based policy window
- Service: Protocol and port set
- Policy ID: Identifier, not match order
NAT + Objects
- SNAT: Translates source address
- DNAT: Translates destination address
- VIP: Maps public to internal
- IP pool: SNAT translation addresses
- Central NAT: NAT rules separate from policy
- Policy NAT: NAT inside the policy
- Port forward: VIP maps external port
- match-vip: Policy matches VIP traffic
Authentication + FSSO
- Local auth: Users on FortiGate
- LDAP: Directory; STARTTLS or LDAPS
- RADIUS: External AAA; shared secret
- Active auth: Prompts user for login
- Passive auth: Transparent, no prompt
- FSSO: Transparent AD identity
- Collector Agent: Reads DC logon events
- FSSO port: TCP 8000 to FortiGate
IPS Actions
Pass and monitor allow; block and reset stop
Flow vs Proxy Inspection
Flow
- Minimal buffering
- Higher throughput
- Less depth
Proxy
- Buffers, reconstructs
- Deepest analysis
- More latency
Speed vs depth
Inspection Picker
- Need maximum throughput → Flow inspection
- Need deepest scanning → Proxy inspection
- Decrypt HTTPS content → Full SSL inspection
- Privacy, no decrypt → Certificate inspection
- Block website category → Web Filter
- Block app by signature → Application Control
Inspection Modes
- Flow inspection: Fast, minimal buffering
- Proxy inspection: Buffers, deepest analysis
- Certificate inspection: Checks SNI, no decrypt
- Full SSL inspection: Decrypts and re-encrypts
- Deep inspection: Other name for full SSL inspection
- CA certificate: Trust full SSL on client
- allow-invalid-cert: Permit bad server certs
- SSL exemption: Skip decryption for site
Certificate vs Full SSL
Certificate
- Checks SNI only
- No decryption
- No CA needed
Full SSL
- Decrypts payload
- Scans content
- CA on clients
Header vs content
Security Profiles
- AntiVirus: Signature plus sandbox malware detection
- Web Filter: FortiGuard category blocking
- Application Control: App-level allow or block
- IPS: Signature-based attack blocking
- DNS Filter: Blocks malicious domains
- Email Filter: Antispam, RBL, DNSBL
- Rating override: Manual URL category change
- FortiSandbox: Zero-day file analysis
IPS + Filter Actions
- pass: Allow, no log
- monitor: Allow and log
- block: Drop matching packet
- reset: Block and send RST
- IPS sensor: Grouped signature filters
- Rate-based sig: Flood threshold trigger
- Protocol decoder: Parses application traffic
- Signature override: Per-signature action change
Admin Distance
Connected 0 < Static 10 < OSPF 110 < BGP
Route Picker
- Fixed known next-hop → Static route
- Backup path on failure → Floating route
- Route by source or app → Policy route
- Large dynamic topology → OSPF
- Routing between ISPs/AS → BGP
Routing Basics
- Connected route: Admin distance 0
- Static route: Default distance 10
- Admin distance: Trust between protocols
- Priority: Tiebreak at equal distance
- Floating route: Backup, higher distance
- ECMP: Load-shares equal routes
- PBR: Routes by source or service
- RPF check: Anti-spoof reverse path
Dynamic Routing
- OSPF: Link-state routing protocol
- ABR: Connects OSPF areas
- ASBR: Injects external routes
- OSPF DR: Reduces adjacencies on broadcast networks
- Type 3 LSA: Inter-area summary route
- BGP: Path-vector, AS routing
- MED: Influences inbound path
- Route redistribution: Shares routes between protocols
IKE Phases
Phase 1 builds tunnel; Phase 2 carries data
SSL VPN vs IPsec VPN
SSL VPN
- Client-to-site
- Browser or FortiClient
- Easy through NAT
IPsec VPN
- Site-to-site
- Layer 3 tunnel
- Phase 1 and 2
Remote user vs site link
VPN Picker
- Remote user, any browser → SSL VPN web mode
- Remote user, full network → SSL VPN tunnel mode
- Site-to-site office link → IPsec VPN (tunnel mode)
- App access, verify device → ZTNA
- Host-to-host encryption → IPsec transport mode
VPN Reference
- SSL VPN web mode: Browser portal, bookmarks
- SSL VPN tunnel mode: FortiClient full tunnel
- IPsec VPN: Layer 3 site-to-site
- IKE Phase 1: Builds secure ISAKMP SA
- IKE Phase 2: Builds IPsec data SA
- Tunnel mode: Encapsulates whole packet
- Transport mode: Encrypts payload only
- PSK: Pre-shared key authentication
- DPD: Detects dead VPN peer
- Split tunneling: Only some traffic encrypted
- PFS: New key each rekey
- ZTNA: Identity, posture-based access
SSL VPN Modes
Web = portal bookmarks; Tunnel = full client
Main vs Aggressive Mode
Main Mode
- Six messages
- Identity encrypted
- More secure
Aggressive
- Three messages
- Identity exposed
- Faster setup
Secure vs fast
Common Traps
- NAT vs Transparent: NAT routes Layer 3 ≠ Transparent bridges Layer 2
- Certificate vs full SSL: Certificate checks SNI ≠ Full SSL decrypts content
- Flow vs proxy: Flow is faster ≠ Proxy inspects deeper
- Policy ID vs order: ID just identifies ≠ Sequence sets matching
- SNAT vs DNAT: SNAT changes source ≠ DNAT changes destination
- Phase 1 vs Phase 2: Phase 1 builds tunnel ≠ Phase 2 moves data
- Pass vs monitor: Pass logs nothing ≠ Monitor allows and logs
Last Minute
1. Inspection (~25%) is the heaviest domain
2. NAT mode = route; Transparent = bridge
3. Policies match top-down; implicit deny last
4. SNAT = source; DNAT = VIP destination
5. Certificate = SNI only; Full SSL = decrypt
6. Flow = fast; Proxy = deepest scan
7. Full SSL: CA cert on clients
8. Phase 1 = tunnel; Phase 2 = data
9. SSL VPN = remote user; IPsec = site-to-site
10. Distance: connected 0, static 10
11. Active-Passive standby; Active-Active load shares
12. FSSO = transparent AD identity, TCP 8000