NSE4_FGT_AD-7.6 Fortinet NSE 4 - FortiOS 7.6 Administrator Questions and Answers

“The only security features you can apply using SSL certificate inspection mode are web filtering and application control... Note that while offering some level of security, certificate inspection does not allow FortiGate to inspect the flow of encrypted data.”

“To perform SSL inspection on traffic flowing through the FortiGate device, you must allow the traffic with a firewall policy and apply an SSL inspection profile to the policy... For antivirus or IPS control, you should use a deep-inspection profile.”

“When you use deep inspection, FortiGate impersonates the recipient of the originating SSL session, and then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.”

Technical Deep Dive:

The exhibit shows that the policy is allowing HTTPS and the SSL/SSH inspection profile is certificate-inspection , not deep-inspection . That is the key issue. With certificate inspection, FortiGate can inspect only SSL metadata such as the certificate and SNI/hostname context; it cannot decrypt the HTTPS payload itself. Because EICAR is detected by antivirus through payload inspection, FortiGate must see the file contents. Without deep SSL inspection, the antivirus engine never gets the decrypted payload, so the file can pass even though the antivirus profile is attached.

Option A is incorrect because FortiGate firewall policies often use ACCEPT + security profile enforcement ; the session can still be blocked by antivirus after policy match. Option B is incorrect because web filter is not required for antivirus detection. Option C is incorrect because the real requirement is deep SSL inspection , not specifically proxy-based mode; full SSL inspection is the deciding factor here.

In practice, to block EICAR over HTTPS, you would apply a deep-inspection SSL profile to the policy, for example:

config firewall policy

edit < policy-id >

set inspection-mode flow

set av-profile " default "

set ssl-ssh-profile " deep-inspection "

next

end

On real hardware, this also matters for performance design. Simple firewall/NAT sessions are often NP fast-pathed, but once you enable deep SSL inspection and content scanning, traffic is typically handed to CPU/WAD/content-inspection path for decryption and scanning, so throughput is lower than certificate-inspection or no-inspection.

“In FortiOS, there are three main components of web filtering:

• Web content filtering...

• URL filtering: uses URLs and URL patterns to block or exempt web pages from specific sources ...

• FortiGuard Web Filtering service...”

“In the web filter profile, Fortiguard category filtering enhances the web filter features. Rather than block or allow websites individually, it looks at the category that a website has been rated with. Then, FortiGate takes action based on that category, not based on the URL.”

“If you consider that a particular URL does not have the correct category, you can ask to re-evaluate the rating in the Fortinet URL Rating Submission website. You can also override a web rating for an exceptional URL in the FortiGate configuration. ”

“Static URL filtering is another web filter feature, which provides more granularity. Configured URLs in the URL filter are checked from top to bottom against the visited websites. If FortiGate finds a match, it applies the configured action.”

“To find the exact match, URL filtering has three pattern types: Simple, Regular Expressions, and Wildcard .”

“So, with these different features, what is the inspection order? If you have enabled many of them, the inspection order flows as follows:

The local static URL filter

FortiGuard category filtering...”

Technical Deep Dive:

The correct answers are A and B .

A is correct because a static URL filter gives per-URL granularity. Since the category Freeware and Software Downloads is currently allowed in the profile, adding a local static URL filter entry for download.com with Block lets FortiGate deny only that site while continuing to allow the rest of the category. This also aligns with the documented inspection order, where the local static URL filter is checked before FortiGuard category filtering .

B is also correct because a web rating override can reclassify a specific exceptional URL. If download.com is re-rated into a blocked category such as Malicious Websites , it will be blocked by the profile while other sites in Freeware and Software Downloads remain allowed.

Why the others are wrong:

C is not the intended web-filter solution. A firewall policy with an FQDN object operates at policy/routing resolution level, not as a category-aware web filtering exception.

D is wrong because changing the whole category to Warning affects all sites in that category, not just download.com.

In production, the cleaner design is usually: keep the category allowed, then add a local URL-filter exception or a web-rating override for the specific site . For HTTPS traffic, remember FortiGate still needs enough SSL inspection visibility to identify the hostname correctly. A representative CLI approach for URL filtering is:

config webfilter urlfilter

edit 1

config entries

edit 1

set url " download.com "

set type wildcard

set action block

next

end

next

end

This is the most deterministic way to block one site without penalizing the rest of the category.

In FortiOS 7.6, when multiple dialup IPsec VPNs are configured on the same FortiGate—especially in Aggressive Mode—FortiGate must identify which Phase 1 configuration a connecting client should match.

How FortiGate selects a dialup IPsec tunnel

For dialup VPNs:

The remote peer (user or device) does not have a fixed IP address

Multiple Phase 1 interfaces may exist on the HQ FortiGate

FortiGate uses identifying information sent during IKE Phase 1 to select the correct tunnel

Aggressive Mode behavior

Aggressive mode sends ID information in clear text during Phase 1

This allows FortiGate to match incoming peers to the correct Phase 1 configuration

Why Peer ID is the correct answer

C. Peer ID

Peer ID (also called IKE ID) is used to:

Identify the remote peer

Differentiate between multiple dialup tunnels

Common Peer ID formats:

FQDN

User FQDN

Key ID

FortiGate matches the received Peer ID against the Phase 1 configuration to select the correct tunnel

This is the documented and recommended method for:

Mapping users to different department tunnels

Supporting multiple dialup IPsec VPNs in aggressive mode

Why the other options are incorrect

A. Local GatewayIdentifies the local FortiGate interface/IP, not the remote user.

B. Dead Peer DetectionUsed only for tunnel health monitoring, not tunnel selection.

D. IKE Mode ConfigUsed for assigning IP addresses and pushing settings, not for selecting the Phase 1 tunnel.

“To reduce the number of log messages generated and improve performance, you can enable a session table entry of dropped traffic. This creates the denied session in the session table and, if the session is denied, all packets for that session are also denied. This ensures that FortiGate does not have to perform a policy lookup for each new packet matching the denied session, which reduces CPU usage and log generation.”

“The CLI command is ses-denied-traffic. You can also set the duration for block sessions. This determines how long a session will be kept in the session table by setting block-session-timer in the CLI. By default, it is set to 30 seconds.”

Technical Deep Dive:

The correct answers are A and B .

When set ses-denied-traffic enable is configured, FortiGate creates a session-table entry for denied traffic . That means once traffic is denied, subsequent packets that belong to the same denied flow do not need a full policy lookup again. FortiGate can drop them immediately based on the existing denied-session entry. That directly confirms B .

Because FortiGate no longer re-evaluates every repeated denied packet in the same way, the device generates fewer logs and uses less CPU for repeated denied traffic. That is exactly why A is also correct.

Why the other two are wrong:

C is incorrect because block-session-timer 30 means 30 seconds , not 30 minutes. The denied session entry is kept in the session table for that duration.

D is incorrect because these settings do not disable session helpers. They only control how denied traffic is tracked in the session table.

In operational terms, this feature is useful when a host repeatedly retries traffic that FortiGate is already denying. Instead of doing a fresh lookup for every retry, FortiGate caches the denied decision temporarily and drops the repeated packets faster.

“FSSO is a software agent that enables FortiGate to identify network users for security policies or for VPN access, without asking for their username and password. When a user logs in to a directory service, the FSSO agent sends FortiGate the username, the IP address , and the list of groups that the user belongs to. FortiGate uses this information to maintain a local database of usernames, IP addresses , and group mappings.”

“To display the list of FSSO users that are currently logged in, use the CLI command diagnose debug authd fsso list . For each user, the user name, user group, IP address , and the name of the workstation from which they logged in shows.”

“You can monitor users who authenticate through your firewall policies using the Dashboard > Assets & Identities > Firewall Users page. It displays the user, user group, duration, IP address , traffic volume, and authentication method.”

Technical Deep Dive:

The first thing to verify is whether FortiGate has actually learned the user correctly in its FSSO active users table , especially the user-to-IP mapping . FSSO enforcement is identity-based, but the real-time match on live traffic still depends on FortiGate associating the traffic’s source IP with the authenticated Windows user. If that mapping is missing, stale, or tied to the wrong IP because of DHCP changes, DNS update lag, or collector-agent timing, the firewall policy match can fail even though the user successfully logged in to Windows.

That is why C is the best first check.

A may be the next thing to verify if the user is present but still denied, but first you must confirm the user is even present in the FSSO table with the correct IP.

B is unrelated to the initial FSSO identity-mapping problem.

D is less likely because the Windows logon already succeeded.

Useful checks:

diagnose debug authd fsso list

diagnose debug authd fsso server-status

execute fsso refresh

These commands confirm whether FortiGate has the user, group, and IP mapping needed for policy matching.

From the exhibits, there are three relevant firewall policies from LAN (port4) to WAN (port2), each using a different IP pool for source NAT:

TCP traffic

Service: ALL_TCP

Destination: BR1-FGT

IP Pool: SNAT-Pool → 100.65.0.49

PING traffic

Service: PING

Destination: all

IP Pool: SNAT-Remote1 → 100.65.0.99

IGMP traffic

Service: IGMP

Destination: all

IP Pool: SNAT-Remote → 100.65.0.149

The user on HQ-PC-1 (10.0.11.50) is pinging BR1-FGT (100.65.1.111). In FortiOS, policy matching is based on (among other fields) source, destination, and service, and the first matching policy in top-down order is applied.

Because the traffic is ICMP echo (ping), it matches the policy named PING traffic (service PING, destination all). That policy explicitly uses Use Dynamic IP Pool with SNAT-Remote1, which is configured with external IP 100.65.0.99.

Therefore, the source NAT IP used for this ping is 100.65.0.99.

In FortiOS 7.6 Application Control, security logs are generated primarily for actions such as Block or Monitor, not for Allow actions.

What is happening in the exhibit

An Application Override is configured for ABC.Com

Type: Application

Action: Allow

The application control profile is applied to a firewall policy

Logging is enabled on the firewall policy

Traffic to ABC.Com is successfully allowed

However, no security logs appear for ABC.Com.

Why no logs are generated

In FortiOS 7.6:

Application Control logs are written to Security Logs when:

An application is Blocked

An application is Monitored

When an application action is set to Allow:

The traffic is permitted silently

No application control security log is generated

Even if policy logging is enabled

This is expected and documented behavior.

To generate logs for allowed applications, the action must be set to Monitor, not Allow.

Why the other options are incorrect

A. ABC.Com is hitting the category Excessive-BandwidthIncorrect. ABC.Com has a higher-priority explicit override (priority 1), so it is not evaluated against the Excessive-Bandwidth filter.

B. The ABC.Com Type is set as Application instead of FilterIncorrect. Application-type overrides are valid and commonly used; this does not suppress logging.

C. The ABC.Com must be configured as a web filter profileIncorrect. This traffic is being evaluated by Application Control, not Web Filter.

In FortiOS 7.6, SD-WAN Performance SLAs are used to measure link quality and influence SD-WAN rule decisions. The following three statements are true.

C. All the SLA targets can be configured.

True

SD-WAN Performance SLAs allow administrators to configure:

Latency

Jitter

Packet loss

Mean Opinion Score (MOS) (for voice)

Threshold values for these metrics are fully configurable per SLA.

This is explicitly documented in the SD-WAN Performance SLA configuration section.

D. They are applied in an SD-WAN rule lowest cost strategy.

True

Performance SLAs are commonly used with the Lowest Cost (SLA-based) strategy.

In this strategy:

FortiGate selects the lowest-cost link that meets the SLA requirements.

If a link violates the SLA, it is excluded from selection.

E. They can be measured actively or passively.

True

FortiOS supports:

Active probing (synthetic probes such as ping/HTTP)

Passive measurement (based on real traffic statistics)

Administrators can choose how SLAs are measured depending on the deployment and requirements.

Why the other options are incorrect

A. They rely on session loss and jitter.

Incorrect

SLAs measure packet loss, latency, and jitter.

Session loss is not an SLA metric in FortiOS.

B. They monitor the state of the FortiGate device.

Incorrect

Performance SLAs monitor link quality, not FortiGate system health or device state.

“This slide shows the SD-WAN rule lookup process. SD-WAN rules are essentially policy routes.”

“FortiGate performs a forwarding information base (FIB) lookup for the packet destination IP (dstip). If the resolved interface for the fib-best-match isn’t an SD-WAN member, then FortiGate moves on to the next rule. This behavior follows the key routing principle: SD-WAN rules are skipped if the best route to the destination isn’t an SD-WAN member .”

“If the resolved interface is an SD-WAN member, then FortiGate looks for one or more acceptable members in the oif list... An acceptable member is an alive member that has a route to the destination. This behavior follows the key routing principle: SD-WAN rules are skipped if none of the configured members in the rule have a valid route to the destination .”

“Because regular policy routes have precedence over any other routes...”

“Also note that policy routes have precedence over SD-WAN rules, and over any routes in the FIB.”

Technical Deep Dive:

The correct answers are A, C, and E .

A is correct because an SD-WAN rule is not enough by itself. A selected member must also be alive and have a valid route to the destination. If none of the members referenced by the rule can actually reach the destination, the rule is skipped.

C is correct because a regular policy route is evaluated before SD-WAN rules. This is a classic exam trap. FortiGate treats SD-WAN steering like policy-route logic, but standard policy routes still win if they match and are valid.

E is correct because FortiGate first checks the FIB best match . If that best route resolves to an interface that is not an SD-WAN member, FortiGate skips the SD-WAN rule and continues.

Why the others are wrong:

B is false because SD-WAN rules do not have precedence over everything; regular policy routes do.

D is false because the number of available routes is not the deciding rule. Even with only one route, SD-WAN can still steer traffic if the routing and member conditions are met.

Operationally, think of SD-WAN routing in this order: policy route check → SD-WAN rule lookup → standard FIB fallback . On FortiGate, the practical validation commands are:

get router info routing-table all

diagnose sys sdwan service

diagnose firewall proute list

That combination lets you confirm whether a packet is being captured by a policy route, whether an SD-WAN rule has acceptable members, and what the FIB currently resolves for the destination.

According to the FortiOS 7.6 Study Guide and technical documentation, conserve mode is a protective state triggered when memory utilization reaches the Extreme Threshold (typically 95% by default). When this occurs, the FortiGate implements several measures to prioritize system stability over new functionality. One of the primary restrictions is that the FortiGate refuses to accept configuration changes (Statement B). This prevents the system from initiating new processes or allocating additional memory that could lead to a total system crash.

Regarding traffic handling, the behavior is determined by specific " fail-open " settings. For the IPS engine, if the fail-open global setting is enabled, the FortiGate continues to transmit packets without IPS inspection (Statement D). This ensures that network connectivity is maintained even when the system lacks the memory resources to perform deep packet inspection. In contrast, Statement A is incorrect because the system may skip non-essential actions to save memory. Statement C is incorrect because conserve mode is designed to avoid a system halt; the device remains operational and will automatically exit conserve mode once memory usage drops below the Release Threshold (typically 82%).

According to the FortiOS 7.6 Administrator Guide and the specific behavior of the SD-WAN GUI, here is the technical breakdown:

SD-WAN Zone Hierarchy and UI Elements: In the FortiGate GUI, SD-WAN zones that contain member interfaces are displayed with a plus (+) icon next to the checkbox. This icon allows administrators to expand the zone and view the specific physical or logical interfaces assigned to it.

Analysis of the " Underlay " Zone: In the provided exhibit, the virtual-wan-link and overlay zones both feature the plus (+) expansion icon, indicating they have active members. The Underlay zone, however, lacks this icon and displays a red status icon. This is the visual indicator in FortiOS that the zone is currently empty and contains no member interfaces.

Mandatory Zone Membership: In FortiOS 7.x, every SD-WAN member interface must be assigned to a zone. It is not possible for an interface to be an " SD-WAN member " (as shown in the legend with port2 and port3) without being assigned to a zone. Since port2 and port3 are listed in the legend, they are indeed assigned to one of the other expanded zones (likely virtual-wan-link or overlay), making Option D incorrect.

Default Zone Behavior: While FortiOS 7.6 often creates default zones like virtual-wan-link, underlay, and overlay during certain configuration wizards or by default in newer versions, they are distinct entities. There is no single " default " zone that acts as a global catch-all in the way Option C suggests.

Immutability of System Zones: While certain system-defined zones have restrictions, the primary focus of this specific exhibit is the current membership state, which clearly shows the Underlay zone is empty.

Based on the FortiOS 7.6 Infrastructure and IPsec VPN documentation, Dead Peer Detection (DPD) can be configured in three primary modes: On Demand, On Idle, and Disabled.

On Demand (Default Mode): This mode is specifically designed to minimize unnecessary traffic. In this mode, FortiGate sends DPD probes only when there is no inbound traffic but the FortiGate is attempting to send outbound traffic. Because network communication is typically bidirectional, the absence of inbound traffic while outbound traffic is being sent is a primary indicator of a potentially dead tunnel. This matches the specific requirement described in the question.

On Idle: In this mode, DPD probes are sent if no traffic (neither inbound nor outbound) has been observed in the tunnel for a specific period. It verifies the tunnel status even when the connection is completely idle.

Enabled: In older versions or specific CLI contexts, " Enabled " may refer to periodic DPD, but in the current FortiOS 7.x/7.6 GUI and CLI terminology for Phase 1 settings, the active modes are defined as on-demand or on-idle.

Disabled: In this mode, the FortiGate does not send DPD probes but will still respond to DPD probes sent by the remote peer.

The requirement that the administrator wants probes sent only when there is no inbound traffic (usually implying the FortiGate is sending but not receiving) is the fundamental definition of the On Demand mechanism in the Fortinet curriculum.

Phase 1 being up confirms the two FortiGate devices can authenticate and build the IKE SA. Phase 2 failing indicates the IPsec (Quick Mode) SA negotiation is failing due to mismatched Phase 2 parameters.

From the exhibit, the Phase 2 mismatches that would prevent SA establishment are:

1) Phase 2 selectors must mirror each other (Proxy IDs)

HQ-NGFW Phase 2 selector shows:

Local: 10.0.11.0/24

Remote: 172.20.1.0/24

BR1-FGT Phase 2 selector shows:

Local: 172.20.1.0/24

Remote: 10.11.0.0/24 ⟵ does not match HQ’s local subnet (10.0.11.0/24)

In FortiOS, Phase 2 comes up only when the peers’ selectors (proxy IDs) match as opposite pairs (local on one side = remote on the other).

✅ Fix: A. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.

2) Phase 2 proposal must match (encryption/authentication)

HQ-NGFW shows encryption AES128 (with SHA1)

BR1-FGT shows encryption AES256 (with SHA1)

For Phase 2 to establish, both peers must have at least one common proposal (same encryption and authentication settings). With one side set to AES128 and the other to AES256, there is no match.

✅ Fix: D. On HQ-NGFW, set Encryption to AES256.

Why the other options are not correct

B. Enable Diffie-Hellman Group 2: The exhibit’s mismatch is not resolved by adding DH group 2, and DH group must match when PFS is enabled. This option does not align the peers based on what’s shown.

C. Set Seconds to 43200: Phase 2 lifetime mismatches typically do not prevent Phase 2 from coming up (the negotiated lifetime can be adjusted by the peers). The hard blockers here are the selectors and proposal mismatch.

In FortiSASE Secure Internet Access (SIA) agent-based mode, traffic steering and security enforcement rely on components integrated with the FortiClient agent.

Components used in SIA agent-based mode

A. FortiSASE Firewall-as-a-Service (FWaaS)

Correct.

FWaaS is a core security component of FortiSASE.

It enforces firewall policies, security inspection, and access control for agent-based users.

All user traffic tunneled by the agent is inspected by FWaaS.

C. VPN policies

Correct.

In agent-based mode, the FortiClient establishes a secure tunnel to FortiSASE.

VPN policies define:

Authentication

Access control

Traffic steering

These policies are fundamental to agent-based connectivity.

Why the other options are incorrect

B. Proxy auto-configuration (PAC) filePAC files are used in agentless or proxy-based modes, not agent-based SIA.

D. FortiExtenderFortiExtender is a WAN extension device and is unrelated to FortiSASE SIA agent-based architecture.

When the Application sensor receives traffic on that port, the protocol decoder will try to determine if the received data matches the HTTPS traffic In this case it will not match because it is P2P traffic, so this will class as violation and blocked The protocol decoder also try to determine what type of traffic it is, and even if it could not figure out it is P2P traffic, it still count as a violation because even though it does not know what it is, it knows for fact it is not HTTPS

From the exhibits:

System performance output

Memory used: 90%

Free memory: ~5%

Default memory thresholds (FortiOS 7.6)

memory-use-threshold-green 82%

memory-use-threshold-red 88%

memory-use-threshold-extreme 89%

Because memory usage (90%) exceeds the extreme threshold (89%), the FortiGate enters conserve mode.

Effects of conserve mode (FortiOS 7.6 – verified)

B. FortiGate has entered conserve mode.

Correct

When memory usage exceeds the red/extreme threshold, FortiGate automatically enters conserve mode.

This is exactly the condition shown in the system performance output.

D. Administrators can change the configuration.

Correct

Even in conserve mode:

Administrators can still log in (GUI, SSH, console)

Configuration changes are allowed

FortiGate does not lock configuration access during conserve mode.

This behavior is explicitly documented in the FortiOS 7.6 Conserve Mode section.

Why the other options are incorrect

A. Administrators can access FortiGate only through the console port.

Incorrect

Network access (GUI/SSH) is still available in conserve mode unless otherwise restricted.

Console-only access is not a conserve-mode requirement.

C. FortiGate drops new sessions.

Incorrect (as a general statement)

FortiGate may drop or bypass new inspection-required sessions depending on fail-open/fail-close settings.

It does not universally drop all new sessions, so this statement is not always true.

“You may need to exempt traffic from SSL inspection if it is causing problems with traffic, or for legal reasons.”

“Performing SSL inspection on a site that is enabled with HTTP Strict Transport Security (HSTS), for example, can cause problems with traffic. Remember, the only way for FortiGate to inspect encrypted traffic is to intercept the certificate coming from the server and generate a temporary one. After FortiGate presents the temporary SSL certificate, browsers that use HSTS refuse to proceed.”

“Laws protecting privacy might be another reason to bypass SSL inspection. For example, in some countries, it is illegal to inspect SSL bank-related traffic. Configuring an exemption for sites is simpler than setting up firewall policies for each individual bank. You can exempt sites based on their web category, such as Finance and Banking...”

“The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories—Finance and Banking, and Health and Wellness—and some FQDN addresses...”

Technical Deep Dive:

The correct answers are B and D .

B is correct because the study guide explicitly says SSL inspection may be bypassed for legal reasons , especially where privacy laws restrict inspection of sensitive categories such as Finance and Banking . The same privacy rationale also explains why Health and Wellness is commonly exempted.

D is correct because some sites break under deep inspection due to HSTS . FortiGate must generate and present a temporary certificate during full SSL inspection, and browsers enforcing HSTS can reject that interception flow. That is why some sites are exempted from deep inspection.

Why the others are wrong:

A is not stated in the guide.

C refers to the separate Reputable websites option, which is a FortiGuard-maintained allowlist feature, not the reason the predefined categories shown in the exhibit are excluded.

From an operational standpoint, this is a classic balance between security visibility and application/legal compatibility . Deep inspection gives FortiGate payload visibility, but it can interfere with pinned-certificate/HSTS behavior and can violate privacy policy for regulated content.

A closely related routing principle from the guide is:

“For each session, FortiGate performs two route lookups... After completing these two lookups, FortiGate writes the routing information to its session table. Subsequent packets are routed according to the session table, not the routing table.”

Also, the guide notes an HA limitation that helps explain the same design principle for FortiGate-terminated sessions:

“Enabling session pickup allows active sessions to be seamlessly handed picked up by the new primary in the event of an HA failover... Note that there are some limitations to this – for example, any sessions that terminate at the FortiGate itself ( e.g. SSL VPN, proxy sessions ) cannot be handed off to another FortiGate and must be restarted on the new primary.”

Technical Deep Dive:

The correct answer is D .

In multi-WAN environments, session preservation is used so that traffic for sessions that are tightly bound to the FortiGate interface they terminate on—most notably SSL VPN and other FortiGate-terminated flows—does not suddenly switch to another egress interface just because the routing table changes. Those sessions are sensitive to interface consistency. If replies start leaving through a different WAN after a route recalculation, the remote peer may see an address/interface mismatch and the session can break.

That means:

A is the opposite of session preservation. Preservation is meant to avoid moving active sessions around.

B is not the purpose of the feature.

C is unrelated.

D correctly describes why an administrator would enable it.

Operationally, this matters most for SSL VPN , management-plane flows, and other sessions that terminate on the FortiGate itself , not just ordinary transit traffic. Transit sessions are generally tracked in the session table and can often survive normal routing behavior more gracefully, but FortiGate-terminated sessions are much more sensitive to WAN/interface changes.

In FortiSASE site-based (remote internet access) deployments, FortiExtender is used to onboard branch or remote sites without a local FortiGate.

According to FortiSASE and FortiExtender architecture documentation:

FortiExtender integrates with FortiSASE using a secure VXLAN-over-IPsec tunnel

This tunnel:

Extends the site network to FortiSASE

Transparently forwards traffic for inspection

Preserves network segmentation and routing context

This design is similar to cloud-based LAN extension and is not proxy-based

Why the other options are incorrect

B: FortiClient is used for agent-based user access, not FortiExtender

C: Secure Web Gateway (SWG) is a service, not a transport mechanism

D: PAC files and explicit proxies are used in agentless / proxy-based access, not site-based FortiExtender deployments

“When you enable reliable logging on FortiGate, the log transport delivery method changes from UDP to TCP. TCP provides reliable data transfer, guaranteeing that the transferred data remains intact and arrives in the same order in which it was sent.”

“Optionally, if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecured network.”

Technical Deep Dive:

The correct answer is C . The study guide explicitly ties reliable logging to TCP transport and optionally to SSL-encrypted OFTP . Among the choices, the padlock icon is the only one that meaningfully indicates secure, reliable log transport behavior. A green check icon usually indicates that the FortiGate–FortiAnalyzer connection is simply up , not specifically that reliable logging is enabled. Interface status being up is unrelated, and real-time logging mode describes delivery behavior, not the reliable transport indicator itself.

So, exam-wise, the best answer is C .

From the CLI perspective, reliable logging changes the transport from UDP to TCP, and with encryption enabled it uses SSL-protected OFTP. That is why the GUI indicator associated with secure transport is the most relevant visual clue here.

The exhibit shows the output of the following command:

diagnose test application ipsmonitor 1

pid = 2044, engine count = 0 (+1)

0 - pid:2074:2074 cfg:1 master:0 run:1

How to interpret this output (FortiOS 7.6 – IPS internals)

ipsmonitor displays the status of IPS engines running on the FortiGate.

engine count = 0 means:

No IPS scanning engines are currently active

IPS is not processing any traffic

In FortiOS, IPS engines are started on demand.

Critical documented behavior

IPS processes are only spawned when at least one firewall policy is configured with an IPS profile and traffic matches that policy.

If no firewall policy references an IPS profile, the IPS engine:

Does not start

Shows engine count = 0

Appears “not working,” even though the IPS profile exists

This is exactly what the diagnose output indicates.

Why option A is correct

A. There is no firewall policy configured with an IPS security profile.

Creating an IPS profile alone is not sufficient

IPS must be applied to an active firewall policy

Traffic must match that policy for the IPS engine to run

Otherwise, ipsmonitor will show engine count = 0

This matches FortiOS 7.6 IPS operational behavior.

Why the other options are incorrect

B. Administrator entered the command diagnose test application ipsmonitor 5.

Incorrect.

The exhibit clearly shows ipsmonitor 1

Using a different argument would not explain engine count = 0

C. FortiGate entered into IPS fail open state.

Incorrect.

In fail-open, IPS engines may be bypassed, but they still initialize

engine count = 0 specifically indicates IPS is not in use at all

D. Administrator entered the command diagnose test application ipsmonitor 99.

Incorrect.

The command argument affects debug level, not engine creation

Again, the exhibit shows ipsmonitor 1

According to the FortiOS 7.6 Study Guide and technical documentation regarding High Availability (HA), the FortiGate Clustering Protocol (FGCP) uses a specific set of rules to elect the primary unit in a cluster. By default, the election order follows: Connected Monitored Ports > HA Uptime > Priority > Serial Number.

However, when the HA override setting is enabled , the election logic is modified to prioritize the administrator-defined priority value over the uptime of the cluster members. In this specific configuration, the election process follows this sequence:

Connected monitored ports : The unit with the most functioning monitored interfaces is preferred.

Priority : The unit with the highest manually configured priority value (e.g., 255) is selected next.

HA uptime : If monitored ports and priority are equal, the unit that has been up in the HA cluster the longest is chosen.

FortiGate serial number : As a final tie-breaker, the unit with the higher serial number is elected. 1

Statement A is correct because it reflects the shift where Priority is evaluated immediately after monitored ports, overriding the standard uptime advantage. Statements B and D are incorrect because the FGCP uses HA uptime , not system uptime, for its calculations.