What is the Fortinet FCA certification?

The FCA (Fortinet Certified Associate in Cybersecurity) is Fortinet's associate-level certification validating basic FortiGate firewall operation and administration skills. It is earned for free by completing the FortiGate Operator course on the Fortinet Training Institute platform—no Pearson VUE exam is required. The FCA is the second level in the Fortinet path (after FCF) and is valid for 2 years.

What is the largest topic on the Fortinet FCA?

Firewall Policies and NAT is the largest domain at approximately 30%. This covers creating and ordering firewall policies, understanding the implicit deny rule, configuring address and service objects, source NAT for internet access, destination NAT (Virtual IPs) for publishing servers, and FSSO for identity-based policies. Focus on these topics for the biggest impact on your score.

What CLI commands should I know for the FCA?

Key CLI commands: 'get system status' (FortiOS version), 'get system interface' (interface IP and status), 'execute ping' (connectivity test), 'get router info routing-table all' (routing table), 'diagnose sys session list' (active sessions), 'execute factoryreset' (reset device), 'diagnose sniffer packet' (packet capture). The GUI covers most FCA tasks, but basic CLI is expected.

How does the FCA relate to NSE certifications?

Fortinet replaced the NSE (Network Security Expert) framework with a new tiered naming system: FCF (Fundamentals), FCA (Associate), FCP (Professional — formerly NSE 4 level), FCSS (Senior Specialist), and FCX (Expert — formerly NSE 8 level). If you hold NSE certifications, they map approximately to the new framework: NSE 3 ≈ FCA, NSE 4/5/6/7 ≈ FCP/FCSS, NSE 8 ≈ FCX.

Should I do FCA before CompTIA Security+?

The order depends on your goals. If you want to work specifically with Fortinet products, FCA is excellent preparation and is free. For broader cybersecurity hiring, Security+ has wider employer recognition. Many successful candidates do both: FCA for Fortinet-specific knowledge and Security+ for vendor-neutral hiring. FCF → FCA → Security+ is a strong entry-level cybersecurity credential bundle.

What comes after the Fortinet FCA?

After FCA, the next step is FCP (Fortinet Certified Professional) — specifically FCP Network Security, which maps to the former NSE 4 exam. FCP requires a proctored Pearson VUE exam (approximately $200 USD) and covers advanced FortiGate administration: OSPF/BGP routing, HA clustering, SD-WAN, advanced VPN, and complex content inspection. Above FCP are FCSS (Senior Specialist) and FCX (Expert).

All Practice Exams

100+ Free Fortinet FCA Practice Questions

Fortinet Certified Associate in Cybersecurity (FCA) practice questions are available now; exam metadata is being verified.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~85-90% Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

What is the purpose of the FortiGate packet sniffer diagnostic command?

To assign FortiToken licenses to users

To create a replacement message for blocked websites

To capture matching packets on an interface for troubleshooting

To install FortiGuard updates manually

to track

Same family resources

Explore More Fortinet Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

More From This Family

Videos and articles for deeper review.

ArticleFREE Fortinet NSE 4 Exam Guide 2026: FortiOS 7.6, FCP Rebrand, Pass First Try22 min read

2026 Statistics

Key Facts: Fortinet FCA Exam

Certification Cost

Fortinet (free)

2 years

Certification Valid

Fortinet

~30%

Firewall Policies Weight

Largest domain

20-30 hrs

Average Study Time

Recommended

None

Hard Prerequisites

FCF recommended

1 course

Required to Certify

FortiGate Operator

FCA is a free Fortinet certification earned by completing the FortiGate Operator course on the Fortinet Training Institute platform. No proctored exam or Pearson VUE fee is required. Coverage includes FortiGate GUI/CLI administration, firewall policies, source/destination NAT, security profiles (AV, web filter, IPS, SSL inspection), basic routing, and SSL VPN. Valid for 2 years. Recommended for IT professionals beginning their Fortinet path toward FCP (formerly NSE 4).

Sample Fortinet FCA Practice Questions

Try these sample questions to test your Fortinet FCA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1After initial factory reset of a FortiGate, what is the default IP address for managing the device through the GUI?

A.192.168.0.1

B.192.168.1.1

C.10.0.0.1

D.172.16.0.1

Explanation: By default, a factory-reset FortiGate assigns 192.168.1.99 to the management interface (port1 or mgmt), and the default gateway address is 192.168.1.1. The GUI is accessible at https://192.168.1.99 from a host configured on the 192.168.1.0/24 subnet. However, many references note the default management IP as 192.168.1.1 depending on model and FortiOS version. Always check the Quick Start Guide for your specific model.

2Which FortiGate CLI command displays the current FortiOS version and system status?

A.show system interface

B.get system status

C.diagnose sys top

D.execute factoryreset

Explanation: The CLI command 'get system status' outputs key system information including the FortiOS version, build number, serial number, BIOS version, hostname, and current date/time. This is the first command used to confirm firmware version during troubleshooting or initial setup verification.

3In a FortiGate firewall policy, what happens to traffic that does not match any configured policy?

A.The traffic is forwarded to the next available interface

B.The traffic is quarantined for manual administrator review

C.The traffic is allowed by a default permit-all rule at the bottom of the policy list

D.The traffic is dropped by the implicit deny-all rule at the bottom of the policy table

Explanation: FortiGate (and all stateful firewalls) include an implicit deny-all rule at the bottom of the firewall policy table. Any traffic that does not match an explicitly configured allow policy will be silently dropped by this implicit rule. Administrators must create explicit policies to permit desired traffic flows.

4Which FortiGate feature allows administrators to centrally manage and apply security policies based on user identity rather than IP address?

A.Virtual Domains (VDOMs)

B.Security profiles

C.Identity-based policies with FSSO or local user authentication

D.Static routing policies

Explanation: FortiGate identity-based policies use user or group identity (rather than source IP address) to control access. This can be achieved through FSSO (Fortinet Single Sign-On), which transparently maps Active Directory users to IP addresses, or through local/RADIUS/LDAP user authentication. This allows granular, user-aware access control.

5What does NAT (Network Address Translation) do on a FortiGate firewall?

A.It encrypts all traffic crossing the firewall to prevent eavesdropping

B.It translates private IP addresses to a public IP address (and vice versa) to allow internet communication

C.It assigns dynamic IP addresses to hosts on the internal network

D.It monitors traffic for intrusion attempts and blocks malicious packets

Explanation: NAT translates IP addresses (and often ports) as packets pass through the FortiGate. Source NAT (SNAT) translates internal private source IPs to a public IP for outbound internet access. Destination NAT (DNAT) translates a public destination IP to an internal server IP for inbound connections (e.g., publishing a web server). This allows many devices to share a single public IP.

6Which FortiGate mode performs SSL inspection by acting as a proxy, decrypting traffic, inspecting it, and re-encrypting it before forwarding?

A.Certificate inspection mode

B.Full SSL inspection mode

C.Proxy-ARP mode

D.Transparent mode

Explanation: Full SSL/TLS inspection (also called deep inspection) places the FortiGate as a man-in-the-middle proxy: it terminates the client's TLS session, decrypts and inspects the payload, then re-encrypts and forwards the traffic to the server. This allows FortiGate security profiles (antivirus, IPS, web filter, application control) to inspect encrypted traffic. A trusted CA certificate must be installed on clients.

7In FortiOS, which table is examined FIRST when FortiGate determines how to forward a packet?

A.The firewall policy table

B.The routing table

C.The ARP table

D.The security profile table

Explanation: FortiGate performs a routing lookup first to determine the outgoing interface for a packet. Once the egress interface is determined, the firewall policy table is checked against the source and destination interface, IP addresses, ports, and protocol. Traffic must match a routing entry before firewall policy evaluation occurs.

8What is the purpose of a FortiGate 'security profile' in a firewall policy?

A.To define which source and destination IPs are allowed to communicate

B.To apply content inspection (antivirus, web filter, IPS, application control) to traffic matching the policy

C.To configure the administrative access methods allowed on the FortiGate interface

D.To define NAT rules for translating IP addresses

Explanation: Security profiles in FortiGate define content inspection settings—antivirus, web filtering, application control, IPS, DNS filter, SSL inspection, and others. A firewall policy first permits or denies traffic based on address and service criteria; security profiles attached to an allow policy then apply Layer 7 inspection to that permitted traffic stream.

9Which FortiGate feature creates a virtual, software-based partition of a single physical FortiGate into multiple independent firewall instances?

A.High Availability (HA) clustering

B.Virtual Domains (VDOMs)

C.Virtual Local Area Networks (VLANs)

D.FortiManager centralized management

Explanation: Virtual Domains (VDOMs) allow a single physical FortiGate to be partitioned into multiple independent virtual firewall instances, each with its own policies, routing tables, and interfaces. VDOMs are used by managed service providers to separate customer environments on a single physical appliance or by enterprises to separate business units.

10What is the difference between Active-Passive and Active-Active FortiGate HA clustering?

A.Active-Passive uses load sharing for traffic; Active-Active uses only one unit at a time

B.Active-Passive keeps one unit on standby while the primary handles all traffic; Active-Active both units process traffic simultaneously

C.Active-Passive requires identical hardware; Active-Active allows mixed hardware models

D.Active-Passive is only available for SSL VPN; Active-Active is used for IPsec VPN

Explanation: In Active-Passive HA, the primary FortiGate processes all traffic while the secondary unit stays in a hot standby state, ready to take over if the primary fails. In Active-Active HA, both units actively process traffic, distributing sessions across the cluster for higher throughput. Both modes synchronize session tables, configuration, and security subscriptions.

About the Fortinet FCA Practice Questions

Verified exam format metadata for Fortinet Certified Associate in Cybersecurity (FCA) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.

100+ Free Fortinet FCA Practice Questions

Explore More Fortinet Certifications

Fortinet NSE 4 Network Security Professional

Fortinet NSE 7 Network Security Architect

Fortinet Certified Expert (FCX)

Fortinet Certified Fundamentals Cybersecurity (FCF)

Fortinet FCP - FortiAuthenticator 6.5 Administrator (FCP_FAC_AD-6.5)

Fortinet FCP FortiAnalyzer 7.4 Administrator (FCP_FAZ_AD-7.4)

More From This Family

Key Facts: Fortinet FCA Exam

Sample Fortinet FCA Practice Questions

About the Fortinet FCA Practice Questions