Fortinet NSE 4 - FortiOS 7.6 Administrator Questions and Answers
You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, peer-to-peer traffic on known ports is passing through the FortiGate without being blocked. What FortiGate settings should you check to resolve this issue?
Options:
Replacement Messages for UDP-based Applications
Network Protocol Enforcement
Application and Filter Overrides
FortiGuard category ratings
Answer:
C
Explanation:
“After the IPS engine examines the traffic stream for a signature match, FortiGate scans packets for matches, in this order, for the application control profile:
1. Application and filter overrides ...”
“Because application overrides are applied first in the scan, these two applications are allowed and generate logs.”
“The priority in which application and filter overrides are placed takes precedence.”
Technical Deep Dive:
The correct answer is C. Application and Filter Overrides .
If you already set the P2P category to Block , but some peer-to-peer traffic is still being allowed, the first thing to check is whether there is an application override or filter override that matches that traffic before the category action is applied. FortiGate processes Application and Filter Overrides before Categories , so any matching override set to Allow or Monitor will effectively bypass the category block.
Why the others are wrong:
A only affects user-facing block-page behavior for HTTP/HTTPS applications, not whether P2P is blocked.
B is for enforcing expected services on expected ports and for blocking applications on non-default ports. It is not the first place to look when a category block is being bypassed.
D concerns web categorization, not application-control category enforcement.
Operationally, this is a classic troubleshooting sequence: first inspect the override table , then the category action , then logs under Application Control to see which signature and action actually matched.
An administrator wants to form an HA cluster using the FGCP protocol. Both FortiGate devices are configured with the set override enable command. Arrange the criteria in the order in which the FGCP protocol uses them to elect the primary FortiGate. Select the criteria in the left column, hold and drag it to a blank position in the column on the right. Place the four correct steps in order, placing the first step in the first position. Once you place a step, you can move it again if you want to change your answer before moving to the next question. You need to drop four criteria in the work area. Select and drag the screen divider to change the viewable area of the source and work areas. (Choose four answers)

Options:
Answer:

Explanation:
“This slide shows the different criteria that a cluster considers during the primary FortiGate election process. The criteria order evaluation depends on the HA override setting.”
For the default case shown in the guide:
“1. The cluster compares the number of monitored interfaces that have a status of up. The member with the most available monitored interfaces becomes the primary.
2. The cluster compares the HA uptime of each member...
3. The member with the highest priority becomes the primary.
4. The member with the highest serial number becomes the primary.”
For this question’s case:
“If the HA override setting is enabled, the priority is considered before the HA uptime .”
Technical Deep Dive:
Because override is enabled , the election order changes from the default sequence. The first criterion is still Connected monitored ports , because interface health is evaluated first. After that, Priority moves ahead of HA uptime . If those still do not decide the winner, FortiGate uses the serial number as the final tie-breaker. Therefore the correct order is:
1. Connected monitored ports
2. Priority
3. HA uptime
4. FortiGate serial number
This distinction matters in production. With set override enable, you are effectively making HA priority authoritative over uptime, so the preferred unit will reclaim the primary role when it comes back online. That is useful for deterministic primary selection, but it can also cause an additional failover event when the preferred chassis returns to service. The guide explicitly notes this tradeoff.
In practice, the relevant HA checks and verification commands are:
show system ha
get system ha status
diagnose sys ha status
These let you confirm override status, device priority, monitored interfaces, and recent election results. From a control-plane perspective, FGCP election logic is handled by FortiOS over heartbeat links, while data-plane forwarding after election continues using the cluster’s virtual MAC behavior and synchronized HA state.
Refer to the exhibit.
A routing table is shown

An administrator wants to create a new static route so the traffic to the subnet 172.20.1.0/24 is routed through port2 only. What are the two criteria that the administrator can use to achieve this objective? (Choose two.)
Options:
The new static route must have the priority set to 3.
The new static route must have the metric set to 1.
The existing static route through port3 must have the distance set to 11.
The new static route must have the distance set to 9
Answer:
C, D
Explanation:
From the routing table in the exhibit, there is already a static route for 172.20.1.0/24 pointing out port3 with:
Distance = 9
Priority = 2
Type = Static
In FortiOS, route selection first prefers the route with the lowest administrative distance to a destination. Therefore, to make traffic to 172.20.1.0/24 go through port2 only, the administrator must ensure the port2 static route is more preferred than the existing port3 route.
Why C is correct
C. The existing static route through port3 must have the distance set to 11.
If the existing port3 route distance is increased to 11, then a new port2 route with distance 9 will be preferred (9 < 11). This makes the port3 route a backup route instead of the active one.
Why D is correct
D. The new static route must have the distance set to 9
Setting the new port2 route distance to 9 (and increasing the port3 route to 11 as in option C) ensures FortiGate selects the port2 route as the best route for 172.20.1.0/24.
Why A and B are not correct
A (priority 3): By itself it does not guarantee selection over the existing route, and FortiOS route choice is driven primarily by distance.
B (metric 1): Metric is not the primary selector for static route preference compared to administrative distance in this scenario.
So the two criteria that achieve the objective are:
Make the existing port3 route less preferred by increasing its distance (C)
Ensure the new port2 route uses the preferred distance (D)
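The following Python model is an added example, not part of this exam explanation and not Fortinet code. It models the static route preference described above (lowest administrative distance wins; among routes of equal distance the lowest priority value wins, equal priority giving ECMP) and applies each answer option to the exhibit's existing port3 route. The default distance of 10 and priority of 1 for a new static route are assumptions based on FortiOS defaults; metric is deliberately not consulted, matching the explanation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str              # destination prefix
    device: str           # egress interface
    distance: int = 10    # assumed FortiOS default administrative distance for static routes
    priority: int = 1     # assumed FortiOS default priority (lower value preferred)
    metric: int = 0       # not consulted for static route preference in this model


def active_routes(routes, dst):
    """Routes installed as active for dst: every candidate sharing the lowest distance.
    Candidates with a higher distance stay inactive (backup) in the routing database."""
    candidates = [r for r in routes if r.dst == dst]
    if not candidates:
        return []
    best_distance = min(r.distance for r in candidates)
    return [r for r in candidates if r.distance == best_distance]


def forwarding_interfaces(routes, dst):
    """Interfaces that actually carry traffic: among active routes the lowest
    priority value wins; equal priority means ECMP across all of them."""
    active = active_routes(routes, dst)
    if not active:
        return []
    best_priority = min(r.priority for r in active)
    return sorted(r.device for r in active if r.priority == best_priority)


# Constructed to mirror the exhibit: the existing route already points at port3.
EXISTING = StaticRoute("172.20.1.0/24", "port3", distance=9, priority=2)


def scenario(option_label):
    """Forwarding interfaces for 172.20.1.0/24 after applying an answer option."""
    dst = "172.20.1.0/24"
    if option_label == "A":      # new route with priority 3 and default distance 10
        table = [EXISTING, StaticRoute(dst, "port2", priority=3)]
    elif option_label == "B":    # new route with metric 1 and default distance 10
        table = [EXISTING, StaticRoute(dst, "port2", metric=1)]
    elif option_label == "C+D":  # demote port3 to distance 11, add port2 with distance 9
        demoted = StaticRoute(dst, "port3", distance=11, priority=2)
        table = [demoted, StaticRoute(dst, "port2", distance=9)]
    elif option_label == "D":    # same distance and priority as port3 only gives ECMP
        table = [EXISTING, StaticRoute(dst, "port2", distance=9, priority=2)]
    else:
        raise ValueError(f"unknown option {option_label!r}")
    return forwarding_interfaces(table, dst)


if __name__ == "__main__":
    for label in ("A", "B", "D", "C+D"):
        print(f"option {label}: traffic to 172.20.1.0/24 leaves via {scenario(label)}")
```

Only the C+D combination leaves port2 as the sole forwarding interface; A and B lose on distance before priority or metric are even considered, and a port2 route that merely ties port3 on distance and priority ends up load-sharing with it.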
What are three key routing principles in SD-WAN? (Choose three answers)
Options:
By default, SD-WAN rules are skipped if the included SD-WAN members do not have a valid route to the destination.
SD-WAN rules have precedence over any other type of routes.
Regular policy routes have precedence over SD-WAN rules.
By default, SD-WAN rules are skipped if only one route to the destination is available.
By default, SD-WAN rules are skipped if the best route to the destination is not an SD-WAN member.
Answer:
A, C, E
Explanation:
“This slide shows the SD-WAN rule lookup process. SD-WAN rules are essentially policy routes.”
“FortiGate performs a forwarding information base (FIB) lookup for the packet destination IP (dstip). If the resolved interface for the fib-best-match isn’t an SD-WAN member, then FortiGate moves on to the next rule. This behavior follows the key routing principle: SD-WAN rules are skipped if the best route to the destination isn’t an SD-WAN member .”
“If the resolved interface is an SD-WAN member, then FortiGate looks for one or more acceptable members in the oif list... An acceptable member is an alive member that has a route to the destination. This behavior follows the key routing principle: SD-WAN rules are skipped if none of the configured members in the rule have a valid route to the destination .”
“Because regular policy routes have precedence over any other routes...”
“Also note that policy routes have precedence over SD-WAN rules, and over any routes in the FIB.”
Technical Deep Dive:
The correct answers are A, C, and E .
A is correct because an SD-WAN rule is not enough by itself. A selected member must also be alive and have a valid route to the destination. If none of the members referenced by the rule can actually reach the destination, the rule is skipped.
C is correct because a regular policy route is evaluated before SD-WAN rules. This is a classic exam trap. FortiGate treats SD-WAN steering like policy-route logic, but standard policy routes still win if they match and are valid.
E is correct because FortiGate first checks the FIB best match . If that best route resolves to an interface that is not an SD-WAN member, FortiGate skips the SD-WAN rule and continues.
Why the others are wrong:
B is false because SD-WAN rules do not have precedence over everything; regular policy routes do.
D is false because the number of available routes is not the deciding rule. Even with only one route, SD-WAN can still steer traffic if the routing and member conditions are met.
Operationally, think of SD-WAN routing in this order: policy route check → SD-WAN rule lookup → standard FIB fallback . On FortiGate, the practical validation commands are:
get router info routing-table all
diagnose sys sdwan service
diagnose firewall proute list
That combination lets you confirm whether a packet is being captured by a policy route, whether an SD-WAN rule has acceptable members, and what the FIB currently resolves for the destination.
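As an added example (not part of this exam explanation and not FortiOS code), the Python model below walks a packet through the lookup order described above: regular policy routes first, then SD-WAN rules, then the FIB as fallback. It encodes the two skip rules the explanation quotes: a rule is skipped when the FIB best match does not egress an SD-WAN member, and it is skipped when none of its members is alive with a valid route. The FIB entries, SD-WAN members, health states, policy route and rules are all constructed sample data, and the rules use a simple first-acceptable-member (manual) strategy.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class FibEntry:
    prefix: str
    interface: str


@dataclass
class PolicyRoute:
    dst_prefix: str
    interface: str


@dataclass
class SdwanRule:
    name: str
    dst_prefix: str
    members: list      # preferred order (manual strategy)


def _contains(prefix, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def fib_best_match(fib, dst_ip):
    """Longest-prefix match over the constructed FIB."""
    hits = [e for e in fib if _contains(e.prefix, dst_ip)]
    if not hits:
        return None
    return max(hits, key=lambda e: ipaddress.ip_network(e.prefix).prefixlen)


def member_has_route(fib, dst_ip, interface):
    return any(e.interface == interface and _contains(e.prefix, dst_ip) for e in fib)


def route_lookup(dst_ip, policy_routes, sdwan_rules, members, fib):
    """Return (decision, egress interface, trace) for a packet to dst_ip.
    members maps each SD-WAN member interface to True (alive) or False (dead)."""
    trace = []
    # 1. Regular policy routes take precedence over SD-WAN rules and the FIB.
    for pr in policy_routes:
        if _contains(pr.dst_prefix, dst_ip):
            trace.append(f"policy route to {pr.dst_prefix} matched")
            return "policy-route", pr.interface, trace
    best = fib_best_match(fib, dst_ip)
    if best is None:
        return "no-route", None, trace
    # 2. SD-WAN rules, evaluated in order.
    for rule in sdwan_rules:
        if not _contains(rule.dst_prefix, dst_ip):
            continue
        if best.interface not in members:
            trace.append(f"rule {rule.name} skipped: best route via {best.interface} is not an SD-WAN member")
            continue
        acceptable = [m for m in rule.members
                      if members.get(m) and member_has_route(fib, dst_ip, m)]
        if not acceptable:
            trace.append(f"rule {rule.name} skipped: no alive member with a route")
            continue
        trace.append(f"rule {rule.name} selected {acceptable[0]}")
        return f"sdwan-rule:{rule.name}", acceptable[0], trace
    # 3. Nothing steered the packet, so the FIB best match is used.
    trace.append(f"FIB best match via {best.interface}")
    return "fib", best.interface, trace


# Constructed sample topology: port1/port2/port4 are SD-WAN members, port3 is not.
FIB = [
    FibEntry("0.0.0.0/0", "port1"),
    FibEntry("172.16.0.0/12", "port4"),
    FibEntry("10.0.0.0/8", "port3"),
]
MEMBERS = {"port1": True, "port2": False, "port4": True}   # port2 failed its health check
POLICY_ROUTES = [PolicyRoute("198.51.100.0/24", "port3")]
RULES = [
    SdwanRule("branch", "172.16.0.0/12", ["port2"]),        # only member is dead
    SdwanRule("dc", "10.0.0.0/8", ["port1", "port4"]),      # best route is via non-member port3
    SdwanRule("internet", "0.0.0.0/0", ["port2", "port1"]),
]


def lookup(dst_ip):
    return route_lookup(dst_ip, POLICY_ROUTES, RULES, MEMBERS, FIB)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "10.1.1.1", "172.16.1.1", "8.8.8.8"):
        decision, iface, trace = lookup(ip)
        print(f"{ip}: {decision} via {iface}  [{'; '.join(trace)}]")
```

The trace returned alongside the decision is the useful part when learning this: it records which rule was skipped and why, which is what you are reconstructing from diagnose sys sdwan service output on a real unit.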
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
Options:
The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile.
The matching firewall policy is set to proxy inspection mode.
The browser does not trust the certificate used by FortiGate for SSL inspection.
The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
Answer:
C
Explanation:
With full SSL inspection, FortiGate performs a man-in-the-middle process: it decrypts the HTTPS session, inspects it, then re-encrypts it. To do this, FortiGate presents a substitute certificate to the client, signed by the CA certificate configured in the SSL/SSH inspection profile (for example, Fortinet_CA_SSL or a custom enterprise CA).
Browsers will show certificate warning errors when the issuing CA is not trusted by the client device/browser trust store. This only happens for HTTPS because certificates are used in TLS; HTTP has no certificate exchange, so no warning appears.
Why the other options are incorrect:
A: Allowing invalid server certificates affects whether FortiGate blocks/permits connections to sites with bad certs; it does not fix the client warning about FortiGate’s substituted cert.
B: Proxy vs flow inspection mode does not inherently cause certificate warnings; the warning is about trust of the signing CA.
D: Missing extensions is not the typical reason across “any HTTPS website”; the standard reason is the client does not trust the FortiGate inspection CA.
Refer to the exhibits.



A web filter profile configuration and firewall policy configuration are shown.
You are trying to access facebook.com, but you are redirected to a FortiGuard web filtering block page.
Based on the exhibits, what is the possible cause of the issue?
Options:
The web rating override configuration is incorrect.
The web filter profile feature set is configured incorrectly.
The firewall policy inspection mode is incorrect.
For www.facebook.com, the URL filter action is incorrect.
Answer:
C
Explanation:
From the exhibits:
The Web Filter profile is configured with Feature set = Flow-based.
The Firewall policy is configured with Inspection mode = Proxy-based and has Web Filter enabled.
In FortiOS 7.6, security profiles that have a feature set selection (Flow-based vs Proxy-based) must match the inspection mode used by the firewall policy. If the profile’s feature set does not match the policy’s inspection mode, the profile behavior will not align with what the administrator expects (and in many cases FortiOS will prevent correct use/selection, or the feature behavior will not apply as intended).
That mismatch explains why the configured URL filter entry for (set to Monitor) is not producing the expected result, and instead the session is being evaluated by category rating and blocked (shown as Malicious Websites on the FortiGuard block page).
Why the other options are not the best fit:
A: A web rating override is not shown in the exhibits, and nothing indicates an override misconfiguration.
C: While the policy inspection mode could be changed, the root cause shown is the profile feature set mismatch (profile is Flow-based).
D: The URL filter action shown is Monitor, which would not produce a block page by itself.
What is the primary FortiGate election process when the HA override setting is enabled? (Choose one answer)
Options:
Connected monitored ports > Priority > HA uptime > FortiGate serial number
Connected monitored ports > Priority > System uptime > FortiGate serial number
Connected monitored ports > HA uptime > Priority > FortiGate serial number
Connected monitored ports > System uptime > Priority > FortiGate serial number
Answer:
A
Explanation:
According to the FortiOS 7.6 Study Guide and technical documentation regarding High Availability (HA), the FortiGate Clustering Protocol (FGCP) uses a specific set of rules to elect the primary unit in a cluster. By default, the election order follows: Connected Monitored Ports > HA Uptime > Priority > Serial Number.
However, when the HA override setting is enabled , the election logic is modified to prioritize the administrator-defined priority value over the uptime of the cluster members. In this specific configuration, the election process follows this sequence:
Connected monitored ports : The unit with the most functioning monitored interfaces is preferred.
Priority : The unit with the highest manually configured priority value (e.g., 255) is selected next.
HA uptime : If monitored ports and priority are equal, the unit that has been up in the HA cluster the longest is chosen.
FortiGate serial number : As a final tie-breaker, the unit with the higher serial number is elected.
Statement A is correct because it reflects the shift where Priority is evaluated immediately after monitored ports, overriding the standard uptime advantage. Statements B and D are incorrect because the FGCP uses HA uptime , not system uptime, for its calculations.
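The Python model below is an added example, not part of this exam explanation and not Fortinet code; it serves both this question and the earlier drag-and-drop question on the same election. It compares cluster members using the four criteria in the order the guide gives for each HA override setting, so the same constructed two-member cluster produces a different primary depending on override. The uptime margin is an assumption modelled on the FortiOS ha-uptime-diff-margin setting (300 seconds by default): HA uptime only decides the election when the two values differ by more than that margin. Hostnames, serial numbers and uptimes are constructed.

```python
from dataclasses import dataclass


@dataclass
class Member:
    hostname: str
    monitored_ports_up: int   # monitored interfaces currently up (more wins)
    priority: int             # set priority <0-255>; higher wins
    ha_uptime: int            # seconds in the cluster; higher wins, but only when the
                              # difference exceeds the uptime margin (assumed 300 s)
    serial: str               # higher serial number wins the final tie-break


# Constructed cluster: FGT-A is the preferred unit (priority 200) but rebooted
# recently, so FGT-B has far more HA uptime.
CLUSTER = [
    Member("FGT-A", monitored_ports_up=2, priority=200, ha_uptime=600, serial="FGVM01TM00000001"),
    Member("FGT-B", monitored_ports_up=2, priority=100, ha_uptime=86400, serial="FGVM01TM00000002"),
]


def election_order(override_enabled):
    """Criteria names in the order FGCP applies them for the given override setting."""
    if override_enabled:
        return ["Connected monitored ports", "Priority", "HA uptime", "FortiGate serial number"]
    return ["Connected monitored ports", "HA uptime", "Priority", "FortiGate serial number"]


def beats(a, b, override_enabled, uptime_margin=300):
    """True if member a wins the election against member b."""
    def ports(x, y):
        return x.monitored_ports_up - y.monitored_ports_up

    def priority(x, y):
        return x.priority - y.priority

    def uptime(x, y):
        diff = x.ha_uptime - y.ha_uptime
        return diff if abs(diff) > uptime_margin else 0   # inside the margin: no decision

    def serial(x, y):
        return (x.serial > y.serial) - (x.serial < y.serial)

    if override_enabled:
        criteria = [ports, priority, uptime, serial]
    else:
        criteria = [ports, uptime, priority, serial]
    for criterion in criteria:
        result = criterion(a, b)
        if result != 0:
            return result > 0
    return False   # identical on every criterion; cannot happen with unique serials


def elect_primary(members, override_enabled):
    """Hostname of the member that becomes primary under the given override setting."""
    winner = members[0]
    for candidate in members[1:]:
        if beats(candidate, winner, override_enabled):
            winner = candidate
    return winner.hostname


if __name__ == "__main__":
    for override in (False, True):
        state = "enabled" if override else "disabled"
        print(f"override {state}: {' > '.join(election_order(override))}"
              f" -> primary {elect_primary(CLUSTER, override)}")
```

With override disabled the long-running FGT-B keeps the primary role; with override enabled FGT-A's higher priority wins as soon as it rejoins, which is the extra failover event the guide warns about. A member with fewer monitored ports up loses under either setting, because interface health is always evaluated first.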
Refer to the exhibit.

The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories from SSL inspection, as shown in the exhibit. For which two reasons are these web categories exempted? (Choose two.)
Options:
The resources utilization is optimized because these websites are in the trusted domain list on FortiGate.
The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.
These websites are in an allowlist of reputable domain names maintained by FortiGuard.
The FortiGate temporary certificate denies the browser's access to websites that use HTTP Strict Transport Security.
Answer:
B, D
Explanation:
“You may need to exempt traffic from SSL inspection if it is causing problems with traffic, or for legal reasons.”
“Performing SSL inspection on a site that is enabled with HTTP Strict Transport Security (HSTS), for example, can cause problems with traffic. Remember, the only way for FortiGate to inspect encrypted traffic is to intercept the certificate coming from the server and generate a temporary one. After FortiGate presents the temporary SSL certificate, browsers that use HSTS refuse to proceed.”
“Laws protecting privacy might be another reason to bypass SSL inspection. For example, in some countries, it is illegal to inspect SSL bank-related traffic. Configuring an exemption for sites is simpler than setting up firewall policies for each individual bank. You can exempt sites based on their web category, such as Finance and Banking...”
“The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories—Finance and Banking, and Health and Wellness—and some FQDN addresses...”
Technical Deep Dive:
The correct answers are B and D .
B is correct because the study guide explicitly says SSL inspection may be bypassed for legal reasons , especially where privacy laws restrict inspection of sensitive categories such as Finance and Banking . The same privacy rationale also explains why Health and Wellness is commonly exempted.
D is correct because some sites break under deep inspection due to HSTS . FortiGate must generate and present a temporary certificate during full SSL inspection, and browsers enforcing HSTS can reject that interception flow. That is why some sites are exempted from deep inspection.
Why the others are wrong:
A is not stated in the guide.
C refers to the separate Reputable websites option, which is a FortiGuard-maintained allowlist feature, not the reason the predefined categories shown in the exhibit are excluded.
From an operational standpoint, this is a classic balance between security visibility and application/legal compatibility . Deep inspection gives FortiGate payload visibility, but it can interfere with pinned-certificate/HSTS behavior and can violate privacy policy for regulated content.
Refer to the exhibit to view the firewall policy.

Why would the firewall policy not block a well-known virus, for example EICAR? (Choose one answer)
Options:
The action on the firewall policy is not set to DENY.
Web filter is not enabled, so the firewall policy does not complement the antivirus profile.
The firewall policy is not configured in proxy-based inspection mode.
The firewall policy does not apply deep content inspection.
Answer:
D
Explanation:
“The only security features you can apply using SSL certificate inspection mode are web filtering and application control... Note that while offering some level of security, certificate inspection does not allow FortiGate to inspect the flow of encrypted data.”
“To perform SSL inspection on traffic flowing through the FortiGate device, you must allow the traffic with a firewall policy and apply an SSL inspection profile to the policy... For antivirus or IPS control, you should use a deep-inspection profile.”
“When you use deep inspection, FortiGate impersonates the recipient of the originating SSL session, and then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.”
Technical Deep Dive:
The exhibit shows that the policy is allowing HTTPS and the SSL/SSH inspection profile is certificate-inspection , not deep-inspection . That is the key issue. With certificate inspection, FortiGate can inspect only SSL metadata such as the certificate and SNI/hostname context; it cannot decrypt the HTTPS payload itself. Because EICAR is detected by antivirus through payload inspection, FortiGate must see the file contents. Without deep SSL inspection, the antivirus engine never gets the decrypted payload, so the file can pass even though the antivirus profile is attached.
Option A is incorrect because FortiGate firewall policies often use ACCEPT + security profile enforcement ; the session can still be blocked by antivirus after policy match. Option B is incorrect because web filter is not required for antivirus detection. Option C is incorrect because the real requirement is deep SSL inspection , not specifically proxy-based mode; full SSL inspection is the deciding factor here.
In practice, to block EICAR over HTTPS, you would apply a deep-inspection SSL profile to the policy, for example:
config firewall policy
    edit <policy-id>
        set inspection-mode flow
        set av-profile "default"
        set ssl-ssh-profile "deep-inspection"
    next
end
On real hardware, this also matters for performance design. Simple firewall/NAT sessions are often NP fast-pathed, but once you enable deep SSL inspection and content scanning, traffic is typically handed to CPU/WAD/content-inspection path for decryption and scanning, so throughput is lower than certificate-inspection or no-inspection.
Refer to the exhibit
A firewall policy to enable active authentication is shown.

When attempting to access an external website using an active authentication method, the user is not presented with a login prompt. What is the most likely reason for this situation?
Options:
No matching user account exists for this user.
The Remote-users group must be set up correctly in the FSSO configuration.
The Remote-users group is not added to the Destination
The Service DNS is required in the firewall policy.
Answer:
D
Explanation:
Based on the exhibit and FortiOS 7.6 Active Authentication (captive portal) behavior, the most likely reason the user is not presented with a login prompt is that DNS is missing from the firewall policy.
What the exhibit shows
The firewall policy configured for active authentication includes:
Source: HQ_SUBNET and Remote-users
Destination: all
Services:
HTTP
HTTPS
ALL_ICMP
Security Profiles: Web filter and SSL inspection enabled
Authentication: Active (user group referenced)
DNS is not included as a service in the policy.
Why DNS is required for active authentication
In FortiOS 7.6, active authentication (captive portal) works as follows:
The user attempts to access a website using a URL (for example,
The client must first perform a DNS lookup to resolve the domain name.
FortiGate intercepts the initial HTTP/HTTPS request and redirects the user to the authentication portal.
If DNS traffic is blocked or not allowed:
The hostname cannot be resolved.
The HTTP/HTTPS request never properly occurs.
FortiGate has nothing to intercept, so the login prompt is never triggered.
This is explicitly documented in the FortiOS 7.6 Authentication and Captive Portal requirements, which state that DNS must be permitted for captive portal–based authentication to function correctly.
Why the other options are incorrect
A. No matching user account exists for this user
Incorrect.
If the user account did not exist, the login page would still appear, but authentication would fail after credentials are entered.
B. The Remote-users group must be set up correctly in the FSSO configuration
Incorrect.
This policy is using active authentication, not FSSO.
FSSO configuration is irrelevant for active authentication login prompts.
C. The Remote-users group is not added to the Destination
Incorrect.
User groups are applied in the Source field for authentication-based policies.
Destination does not accept user groups.
Which two statements about the Security Fabric rating are true? (Choose two answers)
Options:
A license is required to obtain an executive summary in the Security Rating section.
The root FortiGate provides executive summaries of all the FortiGate devices in the Security Fabric.
The Security Posture category provides PCI compliance results.
Security Rating Insights are available only in the Security Rating page.
Answer:
B, C
Explanation:
“The Security Rating page is separated into three major scorecards: Security Posture, Fabric Coverage, and Optimization, which provide an executive summary of the three largest areas of security focus in the Security Fabric .” (Fortinet Document Library)
“On the root FortiGate , go to Security Fabric > Security Rating.” (Fortinet Document Library)
“The Info and Compliance tab includes the security controls used for the test and links to specific FSBP, PCI, or CIS compliance policies .” (Fortinet Document Library)
“A new Security Rating Insights feature provides immediate access to crucial security information. Hover over any tested object to reveal a tooltip...” and “Objects, such as firewall policies, with security rating recommendations are highlighted... click Security Rating Insights to display relevant issues.” (Fortinet Document Library)
Technical Deep Dive:
The correct answers are B and C .
B is correct because Security Rating is viewed from the root FortiGate and its scorecards provide an executive summary for the Security Fabric, not just an isolated downstream unit. The root device is the point from which the Security Fabric summary is presented. (Fortinet Document Library)
C is correct because the Security Rating results include an Info and Compliance view with references to PCI compliance policies. That means PCI-related compliance results are part of the Security Rating reporting associated with the security categories, including Security Posture. (Fortinet Document Library)
Why the others are incorrect:
A is incorrect because Fortinet documents state there is a base set of free checks and a separate licensed set of checks. A license is not required just to obtain the executive summary view itself. (Fortinet Document Library)
D is incorrect because Security Rating Insights are not limited to the Security Rating page. Fortinet documents show they also appear as tooltips and buttons on other GUI objects and pages. (Fortinet Document Library)
Which three strategies are valid SD-WAN rule strategies for member selection? (Choose three answers)
Options:
Lowest Cost (SLA) without load balancing
Manual with load balancing
Lowest Quality (SLA) with load balancing
Lowest Cost (SLA) with load balancing
Best Quality with load balancing
Answer:
A, B, D
Explanation:
According to the FortiOS 7.6 Administrator Study Guide and official documentation, SD-WAN rules (services) determine the path selection for traffic matching specific criteria. Version 7.6 provides specific flexibility regarding how these strategies handle multiple member interfaces.
First, Manual with load balancing (Statement B) is a valid configuration. In the Manual strategy, the administrator orders interfaces by preference, but by enabling the Load balancing toggle, the FortiGate can distribute traffic across all members that are up.
Second, the Lowest Cost (SLA) strategy has been enhanced to support two modes. When the load balancing option is disabled, it acts as Lowest Cost (SLA) without load balancing (Statement A), selecting the single lowest-cost link that meets the SLA. Alternatively, by enabling the toggle, it functions as Lowest Cost (SLA) with load balancing (Statement D), where the FortiGate distributes traffic across all interfaces that satisfy the SLA target, regardless of their individual costs.
Statements C and E are incorrect because "Lowest Quality" is not a recognized SD-WAN strategy, and the Best Quality strategy is specifically a priority-based selection for a single "best" link, meaning the load balancing toggle is not available in the GUI when this mode is selected.
Refer to the exhibit.

An SD-WAN zone configuration on the FortiGate GUI is shown. Based on the exhibit, which statement is true?
Options:
The Underlay zone contains no member.
The virtual-wan-link and overlay zones can be deleted
The Underlay zone is the zone by default.
port2 and port3 are not assigned to a zone.
Answer:
A
Explanation:
According to the FortiOS 7.6 Administrator Guide and the specific behavior of the SD-WAN GUI, here is the technical breakdown:
SD-WAN Zone Hierarchy and UI Elements: In the FortiGate GUI, SD-WAN zones that contain member interfaces are displayed with a plus (+) icon next to the checkbox. This icon allows administrators to expand the zone and view the specific physical or logical interfaces assigned to it.
Analysis of the "Underlay" Zone: In the provided exhibit, the virtual-wan-link and overlay zones both feature the plus (+) expansion icon, indicating they have active members. The Underlay zone, however, lacks this icon and displays a red status icon. This is the visual indicator in FortiOS that the zone is currently empty and contains no member interfaces.
Mandatory Zone Membership: In FortiOS 7.x, every SD-WAN member interface must be assigned to a zone. It is not possible for an interface to be an "SD-WAN member" (as shown in the legend with port2 and port3) without being assigned to a zone. Since port2 and port3 are listed in the legend, they are indeed assigned to one of the other expanded zones (likely virtual-wan-link or overlay), making Option D incorrect.
Default Zone Behavior: While FortiOS 7.6 often creates default zones like virtual-wan-link, underlay, and overlay during certain configuration wizards or by default in newer versions, they are distinct entities. There is no single "default" zone that acts as a global catch-all in the way Option C suggests.
Immutability of System Zones: While certain system-defined zones have restrictions, the primary focus of this specific exhibit is the current membership state, which clearly shows the Underlay zone is empty.
A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode. Which step is not part of the expected process?
Options:
The DC agent sends login event data directly to FortiGate.
FortiGate determines user identity based on the IP address in the FSSO list.
The collector agent forwards login event data to FortiGate.
The user logs into the windows domain.
Answer:
A
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
Options:
On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
On HQ-NGFW, enable Diffie-Hellman Group 2.
On BR1-FGT, set Seconds to 43200.
On HQ-NGFW, set Encryption to AES256.
Answer:
A, D
Explanation:
Phase 1 being up confirms the two FortiGate devices can authenticate and build the IKE SA. Phase 2 failing indicates the IPsec (Quick Mode) SA negotiation is failing due to mismatched Phase 2 parameters.
From the exhibit, the Phase 2 mismatches that would prevent SA establishment are:
1) Phase 2 selectors must mirror each other (Proxy IDs)
HQ-NGFW Phase 2 selector shows:
Local: 10.0.11.0/24
Remote: 172.20.1.0/24
BR1-FGT Phase 2 selector shows:
Local: 172.20.1.0/24
Remote: 10.11.0.0/24 ⟵ does not match HQ’s local subnet (10.0.11.0/24)
In FortiOS, Phase 2 comes up only when the peers’ selectors (proxy IDs) match as opposite pairs (local on one side = remote on the other).
✅ Fix: A. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
2) Phase 2 proposal must match (encryption/authentication)
HQ-NGFW shows encryption AES128 (with SHA1)
BR1-FGT shows encryption AES256 (with SHA1)
For Phase 2 to establish, both peers must have at least one common proposal (same encryption and authentication settings). With one side set to AES128 and the other to AES256, there is no match.
✅ Fix: D. On HQ-NGFW, set Encryption to AES256.
Why the other options are not correct
B. Enable Diffie-Hellman Group 2: The exhibit’s mismatch is not resolved by adding DH group 2, and DH group must match when PFS is enabled. This option does not align the peers based on what’s shown.
C. Set Seconds to 43200: Phase 2 lifetime mismatches typically do not prevent Phase 2 from coming up (the negotiated lifetime can be adjusted by the peers). The hard blockers here are the selectors and proposal mismatch.
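The Python checker below is an added example, not part of this exam explanation and not FortiOS code. It compares two phase 2 configurations the way the explanation does: selectors must mirror each other, the peers must share at least one encryption/authentication proposal, and a DH group must be common when PFS is enabled, while a lifetime difference is reported only as a warning because the peers negotiate it. The HQ-NGFW and BR1-FGT objects are constructed from the values quoted from the exhibit; the PFS, DH group and lifetime fields are assumed equal on both sides since the exhibit is not reproduced here.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Phase2:
    device: str
    local_subnet: str
    remote_subnet: str
    proposals: tuple          # e.g. ("aes128-sha1",)
    pfs: bool = True          # assumed equal on both peers
    dh_groups: tuple = (14,)  # assumed equal on both peers
    lifetime_seconds: int = 43200


def _norm(subnet):
    """Accept 10.0.11.0/24 or 10.0.11.0/255.255.255.0 and normalise to CIDR."""
    return str(ipaddress.ip_network(subnet, strict=False))


def phase2_check(a, b):
    """Return (blockers, warnings): blockers stop the IPsec SA, warnings do not."""
    blockers, warnings = [], []
    # Selectors (proxy IDs) must be opposite pairs: local on one side = remote on the other.
    if _norm(a.local_subnet) != _norm(b.remote_subnet):
        blockers.append(f"selector: {a.device} local {_norm(a.local_subnet)} "
                        f"!= {b.device} remote {_norm(b.remote_subnet)}")
    if _norm(a.remote_subnet) != _norm(b.local_subnet):
        blockers.append(f"selector: {a.device} remote {_norm(a.remote_subnet)} "
                        f"!= {b.device} local {_norm(b.local_subnet)}")
    # At least one proposal (encryption + authentication) must be common.
    if not set(a.proposals) & set(b.proposals):
        blockers.append(f"proposal: {a.device} {list(a.proposals)} has nothing in common "
                        f"with {b.device} {list(b.proposals)}")
    # PFS state must agree, and with PFS on the DH group must match.
    if a.pfs != b.pfs:
        blockers.append("pfs: enabled on one peer only")
    elif a.pfs and not set(a.dh_groups) & set(b.dh_groups):
        blockers.append("dh-group: no common DH group while PFS is enabled")
    # Lifetime is negotiated, so a difference does not stop phase 2.
    if a.lifetime_seconds != b.lifetime_seconds:
        warnings.append(f"lifetime: {a.lifetime_seconds}s vs {b.lifetime_seconds}s "
                        "(negotiated by the peers, not a blocker)")
    return blockers, warnings


# Constructed from the values quoted from the exhibit.
HQ = Phase2("HQ-NGFW", "10.0.11.0/24", "172.20.1.0/24", ("aes128-sha1",))
BR1 = Phase2("BR1-FGT", "172.20.1.0/24", "10.11.0.0/24", ("aes256-sha1",))


def apply_answers(hq, br1):
    """Apply option A (BR1 remote address) and option D (HQ encryption AES256)."""
    fixed_br1 = replace(br1, remote_subnet="10.0.11.0/255.255.255.0")
    fixed_hq = replace(hq, proposals=("aes256-sha1",))
    return fixed_hq, fixed_br1


if __name__ == "__main__":
    blockers, warnings = phase2_check(HQ, BR1)
    print("before:", blockers, warnings)
    print("after: ", phase2_check(*apply_answers(HQ, BR1)))
```

Run against the exhibit values the checker reports exactly the two blockers the explanation identifies, and nothing once options A and D are applied; changing only the lifetime (option C) produces a warning but no blocker.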
Refer to the exhibit.

The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to answer this specific request from the NOC team?
Options:
Increase the admintimeout value under config system accprofile NOC_Access.
Increase the value of the Override idle timeout parameter in the NOC_Access admin profile.
Move NOC_Access to the top of the list to ensure all profile settings take effect.
Ensure that all NOC_Access users are assigned the super_admin role to guarantee access.
Answer:
B
Explanation:
In FortiOS 7.6, the GUI inactivity timeout for administrators comes from the global admintimeout setting unless an admin profile overrides it; general access permissions and profile ordering play no part in it.
How GUI idle timeout works in FortiOS 7.6
FortiGate has a global admin timeout (admintimeout under config system global) that applies to every administrator. An admin profile can override it with the Override idle timeout setting; when that override is enabled, the timeout value defined inside the profile takes precedence over the global value for every administrator assigned that profile.
The exhibit shows that the NOC team logs in using the NOC_Access admin profile. Therefore, to keep their GUI sessions from disconnecting too quickly during inactivity, the timeout must be raised within that specific admin profile.
Why option B is correct
B. Increase the value of the Override Idle Timeout parameter in the NOC_Access admin profile.
This directly controls how long GUI sessions remain active when users assigned to NOC_Access are idle.
It affects only the NOC team, which matches the requirement precisely.
This is the recommended and documented approach in FortiOS 7.6.
Why the other options are incorrect
A. Increase admintimeout under config system accprofile: Incorrect. The admintimeout value inside an admin profile has no effect until that profile's override idle timeout (admintimeout-override) is enabled, which is what option B describes; raising the global admintimeout under config system global instead would affect all administrators, not just NOC users.
C. Move NOC_Access to the top of the list: Incorrect. Admin profile order has no impact on session timeout behavior.
D. Assign super_admin role: Incorrect and insecure. super_admin does not control idle timeout and would unnecessarily grant full privileges.
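The profile-level override as FortiOS CLI, added here as an example and not taken from the exhibit. The 60-minute value is an assumption; the global value shown is the FortiOS default. What the CLI makes explicit, and the GUI toggle hides, is that the profile's own admintimeout is ignored until admintimeout-override is enabled.

```fortios
# Global default in minutes; applies to every administrator whose profile does not override it.
# Raising this would satisfy the NOC team but also affect everyone else.
config system global
    set admintimeout 5
end

# NOC_Access only: enable the override, then set the profile-specific idle timeout.
# Without admintimeout-override the profile value below has no effect.
config system accprofile
    edit "NOC_Access"
        set admintimeout-override enable
        set admintimeout 60                 # assumed value, in minutes
    next
end

# Confirm the effective settings for the profile
show system accprofile NOC_Access
```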
An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table. Which two statements about this scenario are correct? (Choose two.)
Options:
The administrator must use a policy route instead of a static route for add-route to work properly.
The administrator must ensure phase 2 is successfully established
The administrator must define the remote network correctly in the phase 2 selectors.
The administrator must enable a dynamic routing protocol on the dialup interface.
Answer:
B, C
Explanation:
With a dialup IPsec VPN on FortiGate, when add-route is enabled, FortiGate will only install the corresponding route when it has enough negotiated information from the tunnel. In FortiOS 7.6, that means the route is tied to the Phase 2 (Quick Mode) selectors and is created dynamically when the IPsec SA is actually up.
B. The administrator must ensure phase 2 is successfully established
This is required. FortiGate does not install the add-route route just because Phase 1 exists or because the configuration is present. The route is added when the tunnel is effectively usable, which requires Phase 2 (IPsec SA) to be up. If Phase 2 is not established, there is no active SA and FortiGate will not inject the related route into the routing table.
So, if the static route is not showing, one correct explanation is that Phase 2 is not up.
C. The administrator must define the remote network correctly in the phase 2 selectors
This is also required. For dialup tunnels, FortiGate derives what route to add from the remote subnet(s) defined in the Phase 2 selector (proxy ID). If the remote network in Phase 2 is missing, incorrect, or too broad/too narrow in a way that prevents negotiation, the tunnel either won’t come up (so no route), or the route that would be installed won’t match what the administrator expects.
So, another correct explanation is that the Phase 2 remote network is not correctly defined, preventing the correct route from being created.
Why the other options are incorrect
A. Policy route instead of a static route
Add-route does not require policy routes. It is specifically a feature that injects a route (route-table entry) associated with the IPsec tunnel/SA and the Phase 2 selector networks.
D. Enable a dynamic routing protocol
Dynamic routing protocols (OSPF/BGP/RIP) are not required for add-route. Add-route is independent of dynamic routing and works by installing routes locally based on the negotiated selectors.
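A minimal hub-and-dialup configuration showing where the add-route route actually comes from, added here as an example and not taken from the question. Interface, tunnel names, the branch subnet 192.168.10.0/24 and the pre-shared key placeholder are assumptions. The hub's phase 2 accepts any remote network (0.0.0.0/0); the route it installs is the src-subnet that the dialup peer proposes, which only happens once phase 2 is up.

```fortios
# Hub: dynamic phase 1 accepting dialup peers, with add-route left enabled.
config vpn ipsec phase1-interface
    edit "Dialup"                                 # assumed name
        set type dynamic
        set interface "port2"                     # assumed WAN interface
        set ike-version 1
        set peertype any
        set proposal aes256-sha256
        set add-route enable                      # install a route to the peer's negotiated network
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "Dialup-p2"
        set phase1name "Dialup"
        set proposal aes256-sha256
        set src-subnet 10.0.11.0 255.255.255.0    # hub LAN
        set dst-subnet 0.0.0.0 0.0.0.0            # accept whatever the dialup peer proposes
    next
end

# Dialup peer: its phase 2 src-subnet is what the hub turns into a route. If this is
# wrong or missing, phase 2 either fails or the hub installs a route to the wrong prefix.
config vpn ipsec phase2-interface
    edit "ToHub-p2"                               # assumed name
        set phase1name "ToHub"                    # assumed phase 1 name on the peer
        set proposal aes256-sha256
        set src-subnet 192.168.10.0 255.255.255.0 # assumed branch LAN
        set dst-subnet 10.0.11.0 255.255.255.0
    next
end

# On the hub: first confirm the SA is up, then look for the static route toward the branch.
diagnose vpn tunnel list name "Dialup"
get router info routing-table all
```

If the tunnel shows up in the first command but the route is absent from the second, check the peer's src-subnet; if the tunnel is absent as well, the problem is phase 2 negotiation itself.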
Refer to the exhibit.

Why did the FortiGate device drop the packet?
Options:
It matched the default implicit firewall policy.
It failed the RPF check.
It matched an explicitly configured firewall policy with the action DENY.
It cannot reach the next-hop IP.
Answer:
A
Explanation:
“FortiGate looks for the matching firewall policy from top-to-bottom and, if a match is found, the traffic is processed based on the firewall policy. If no match is found, the traffic is dropped by the default implicit deny firewall policy. ”
Technical Deep Dive:
The debug flow output clearly points to the implicit deny :
ret-no-match
policy-0 is matched, act-drop
Denied by forward policy check (policy 0)
On FortiGate, policy 0 is the internal representation of the default implicit deny firewall policy . That means the packet did not match any user-defined forward firewall policy, so FortiGate dropped it automatically.
Why the other options are wrong:
B is wrong because an RPF failure would show a reverse-path-related drop reason, not Denied by forward policy check (policy 0).
C is wrong because the trace does not show a matched explicit policy ID with deny action; it shows policy 0 , which is the implicit rule.
D is wrong because the trace actually shows a route lookup result: find a route: ... gw-0.0.0.0 via port2. So this is not a next-hop reachability failure.
In packet-flow troubleshooting, this pattern is one of the most important to recognize. To reproduce it, scope the trace to the host in question and enable the debug output:
diagnose debug flow filter addr <src_or_dst_ip>
diagnose debug flow show function-name enable
diagnose debug enable
Nothing is printed until the trace itself is started, so start it, generate the traffic, and then read the verdict line. If it names policy 0, review whether a firewall policy exists with the correct incoming interface, outgoing interface, source, destination, schedule, and service. If any one of those does not match, FortiGate falls through to policy 0 and drops the session.
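The complete capture sequence, including the start, stop and cleanup steps that the short list above leaves out, added here as an example and not taken from the exhibit. The client address 10.0.11.20 is an assumption.

```fortios
# 1. Scope the trace to the host under test; an unfiltered trace floods the console.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 10.0.11.20         # assumed client address (source or destination)
diagnose debug flow filter proto 6                  # TCP only; optional
diagnose debug flow show function-name enable       # prints the function that made each decision
diagnose debug console timestamp enable
diagnose debug enable

# 2. Nothing is printed until the trace is started; capture the next 10 packets, then it stops by itself.
diagnose debug flow trace start 10
# ...generate the test traffic now...

# 3. Always stop and clear, otherwise the filter and debug output stay active for the next session.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug flow filter clear
```

Read the verdict line, not the lines before it: "Denied by forward policy check (policy 0)" is the implicit deny; the same message with a non-zero policy ID is an explicit deny policy (option C); "reverse path check fail, drop" is an RPF failure (option B) and appears before any policy lookup.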
What are two characteristics of HA cluster heartbeat IP addresses in a FortiGate device? (Choose two.)
Options:
Heartbeat IP addresses are used to distinguish between cluster members.
The heartbeat interface of the primary device in the cluster is always assigned IP address 169.254.0.1.
A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster.
Heartbeat interfaces have virtual IP addresses that are manually assigned.
Answer:
A, C
Explanation:
In FortiOS 7.6, HA cluster heartbeat IP addresses are automatically managed by FortiGate and play a critical role in cluster communication and synchronization.
Correct statements
A. Heartbeat IP addresses are used to distinguish between cluster members.
Correct
FortiGate assigns unique heartbeat IP addresses (link-local addresses in the 169.254.0.0/16 range) to each HA member.
These addresses are used for:
Cluster member identification
Health checks
Synchronization traffic
This allows FortiGate units to uniquely identify and communicate with each other inside the HA cluster.
C. A change in the heartbeat IP address happens when a FortiGate device joins or leaves the cluster.
Correct
Heartbeat IPs are dynamically assigned.
When:
A new FortiGate joins the cluster, or
A member leaves or fails,
FortiGate may reassign heartbeat IP addresses to maintain unique identification among members.
This behavior is documented in the FortiOS HA operation and troubleshooting guides.
Why the other options are incorrect
B. The heartbeat interface of the primary device is always assigned IP address 169.254.0.1.
Incorrect
There is no fixed or guaranteed heartbeat IP (such as 169.254.0.1) for the primary unit.
Heartbeat IP assignment is dynamic, not role-based.
D. Heartbeat interfaces have virtual IP addresses that are manually assigned.
Incorrect
Heartbeat IP addresses are:
Automatically assigned
Link-local
Administrators do not manually configure heartbeat IP addresses.
Refer to the exhibits.



A diagram of a FortiGate device connected to the network, the VIP object, and the firewall policy configuration are shown.
The WAN (port2) interface has the IP address 100.65.0.101/24.
The LAN (port4) interface has the IP address 10.0.11.254/24.
If the host 100.65.1.111 sends a TCP SYN packet on port 443 to 100.65.0.200, what will the source address, destination address, and destination port of the packet be at the time FortiGate forwards the packet to the destination?
Options:
10.0.11.254, 100.65.0.200, and 443, respectively
10.0.11.254, 10.0.15.50, and 4443, respectively
100.65.1.111, 10.0.11.50, and 4443, respectively
100.65.1.111, 10.0.11.50, and 443, respectively
Answer:
C
Explanation:
From the exhibits:
A VIP named VIP-WEB-SERVER is configured on WAN (port2) with:
External IP: 100.65.0.200
Mapped (internal) IP: 10.0.11.50
Port forwarding enabled (TCP)
External service port: 443
Map to IPv4 port: 4443
The inbound firewall policy Web_Server_Access is:
From WAN (port2) to LAN (port4)
Destination: VIP-WEB-SERVER
Service: HTTPS
NAT: Disabled (meaning no source NAT is applied)
What happens to the packet
A host 100.65.1.111 sends TCP SYN dst-port 443 to 100.65.0.200.
When FortiGate matches the VIP and forwards traffic to the internal server, FortiGate performs destination NAT (DNAT) based on the VIP:
Source IP is unchanged because policy NAT is disabled:
Source remains 100.65.1.111
Destination IP is translated by the VIP:
Destination becomes 10.0.11.50
Destination port is translated by the VIP port-forward:
Destination port becomes 4443
Therefore, at the time FortiGate forwards the packet to the destination (internal server), it will be:
Source address: 100.65.1.111
Destination address: 10.0.11.50
Destination port: 4443
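The VIP and policy described above as FortiOS CLI, added here as an example rather than copied from the exhibit; the policy ID is whatever FortiOS assigns. Two details worth seeing in CLI form: the policy's service is matched against the pre-NAT port (443), not the mapped port, and flipping nat to enable is exactly what would turn the source into 10.0.11.254, the premise behind options A and B.

```fortios
config firewall vip
    edit "VIP-WEB-SERVER"
        set extintf "port2"
        set extip 100.65.0.200
        set mappedip "10.0.11.50"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 4443
    next
end

config firewall policy
    edit 0                               # 0 creates a new policy; FortiOS assigns the ID
        set name "Web_Server_Access"
        set srcintf "port2"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "VIP-WEB-SERVER"      # referencing the VIP is what applies the DNAT
        set action accept
        set schedule "always"
        set service "HTTPS"               # matched against the original destination port 443
        set nat disable                   # source stays 100.65.1.111; enable would SNAT to 10.0.11.254
    next
end

# The session table shows both tuples for the flow: the original and the translated one.
diagnose sys session filter dst 100.65.0.200
diagnose sys session list
```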
Refer to the exhibits.


You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits.
You cannot access any of the Google applications, but you are able to access
Which two actions would you take to resolve the issue? (Choose two.)
Options:
Set SSL inspection to deep-content inspection.
Move up Google in the Application and Filter Overrides section to set its priority higher.
Add "Google.com" to the URL category in the security profile.
Change the Inspection mode to Flow-based
Set the action for Google in the Application and Filter Overrides section to Allow
Answer:
B, E
Explanation:
From the exhibits:
The firewall policy has Application Control enabled and uses certificate-inspection for SSL inspection.
The application sensor has Application and Filter Overrides with the following order (priority):
Excessive-Bandwidth with action Block
Google (vendor filter) with action Monitor
In FortiOS, Application and Filter Overrides are evaluated by priority (top-down). The first matching override is applied. If traffic matches an earlier override with Block, it will be blocked even if a later override would Monitor/Allow it.
Why the Google apps fail while the other site works:
Depending on the specific service and traffic pattern, many Google applications can be detected as, or can trigger, the Excessive-Bandwidth behavior signature.
Because Excessive-Bandwidth (Block) sits above Google (Monitor), Google-related traffic matches the first override and is blocked before the Google override is ever evaluated.
Access to the other site works because that traffic does not match the Excessive-Bandwidth override.
Therefore, to resolve:
B. Move up Google in the Application and Filter Overrides section to set its priority higher
This ensures Google matches the Google override before any broader blocking override is applied.
E. Set the action for Google in the Application and Filter Overrides section to Allow
This explicitly permits Google applications once the higher-priority match occurs (stronger than Monitor for troubleshooting and ensuring access).
Why the other options are not the best fit here:
A (deep-content inspection) can help identify more HTTPS applications, but the exhibit already shows a specific Google override configured; the immediate issue is the override evaluation order and action.
C relates to Web Filter URL categories, but the problem is occurring under Application Control behavior/vendor overrides.
D (flow-based) is not required to fix an override priority/action conflict.
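The override reordering and action change as FortiOS CLI, added here as an example rather than copied from the exhibit. The sensor name is assumed, and the behavior and vendor IDs are placeholders (in the interactive CLI, "set behavior ?" and "set vendor ?" list the valid values). The CLI makes two things explicit that the GUI only implies: entry order inside config entries is the override priority, and the GUI's Allow is the CLI action pass (Monitor is pass with log enabled).

```fortios
config application list
    edit "App-Sensor"                                # assumed sensor name
        config entries
            edit 1
                set behavior <excessive-bandwidth-id>   # placeholder ID
                set action block
            next
            edit 2
                set vendor <google-vendor-id>           # placeholder ID
                set action pass                         # "Allow" in the GUI (option E)
            next
            # Option B: evaluate the Google override before the behavior block
            move 2 before 1
        end
    next
end

# Re-check the resulting order; entry 2 should now be listed first
show application list App-Sensor
```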
Refer to the exhibits.

An administrator wants to add HQ-ISFW-2 in the Security Fabric. HQ-ISFW-2 is in the same subnet as HQ-ISFW. After configuring the Security Fabric settings on HQ-ISFW-2, the status stays Pending. What can be the two possible reasons? (Choose two answers)
Options:
Upstream FortiGate IP must be set to 10.0.11.254.
SAML Single Sign-On must be set to Manual.
HQ-ISFW-2 must be authorized on HQ-ISFW.
Management IP must be set to 10.0.13.254.
Answer:
A, C
Explanation:
According to the FortiOS 7.6 Security Fabric documentation and Study Guide, several conditions must be met for a downstream FortiGate to successfully join a Security Fabric.
First, the Upstream FortiGate IP/FQDN configured on the downstream device must point to the IP address of the interface on the upstream device that is listening for fabric connections. In the provided logical topology, the Fabric Root (HQ-NGFW-1) uses port4 with the IP 10.0.11.254 to connect to the internal segmentation firewalls (ISFWs). Since HQ-ISFW-2 is in the same subnet as HQ-ISFW, it is physically and logically connected to the network segment serviced by port4. Therefore, the current configuration of 10.0.13.254 (which is port6, likely the WAN side) is incorrect, and it must be set to 10.0.11.254 (Statement A).
Second, once the downstream device successfully reaches the upstream device, it enters a Pending state. For security purposes, FortiOS does not allow devices to join the fabric automatically; the administrator of the upstream device (in this case, HQ-ISFW or the root) must manually authorize the new device (Statement C) in the Fabric Management console. Until this authorization is granted, the status will remain "Pending" and no fabric data will be synchronized. Statements B and D are incorrect because SAML settings do not block the initial fabric join, and the management IP should be the local device's IP, not the upstream's IP.
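The downstream-side fix and the upstream-side authorization as FortiOS CLI, added here as an example rather than taken from the exhibit. The fabric group name and the serial number in the trusted list are placeholders; the upstream port is the FortiOS default. The diagnose command on the downstream device is the quickest way to tell whether the Pending status is a connectivity problem (wrong upstream address) or an authorization problem (connected but not accepted).

```fortios
# On HQ-ISFW-2 (downstream): point at the upstream interface that accepts fabric connections,
# which is port4 of the root (10.0.11.254), not the 10.0.13.254 address on the other side.
config system csf
    set status enable
    set upstream "10.0.11.254"
    set upstream-port 8013              # default, shown for completeness
    set group-name "HQ-Fabric"          # assumed; must match the root's fabric name
end

# Shows whether the upstream connection is established and whether the device is authorized
diagnose sys csf upstream

# On the upstream device: a connected but unauthorized device stays Pending until accepted.
# GUI: Security Fabric > Fabric Connectors, select the pending device, Authorize.
# CLI equivalent; the serial number is a placeholder.
config system csf
    config trusted-list
        edit "FGxxxxxxxxxxxxxx"
            set action accept
        next
    end
end
```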
Refer to the exhibit.

A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 failed to come up. The administrator has also re-entered the pre-shared key on both FortiGate devices to make sure they match.
Based on the phase 1 configuration and the diagram shown in the exhibit, which two configuration changes can the administrator make to bring phase 1 up? (Choose two.)
Options:
On HQ-NGFW, disable Diffie-Hellman group 2.
On HQ-NGFW, set IKE mode to Main (ID protection).
On BR1-FGT, set port2 to Interface.
On both FortiGate devices, set Dead Peer Detection to On Demand.
Answer:
B, C
Explanation:
Exact Extract:
“In IKEv1, there are two possible modes in which the IKE SA negotiation can take place: main, and aggressive mode. Settings on both ends must agree; otherwise, phase 1 negotiation fails and both IPsec peers are not able to establish a secure channel.”
“When both peers know each other's IP address or FQDN, you may want to use main mode to take advantage of its more secure negotiation. In this case, FortiGate can identify the remote peer by its IP address and, as a result, associate it with the correct IPsec tunnel.”
“FortiGate supports three DPD modes... The default DPD mode is On Demand.”
“Diffie-Hellman (DH) ... is used during IKE SA negotiation. The use of DH in phase 1 is mandatory and can’t be disabled. You must select at least one DH group.”
Technical Deep Dive:
The correct answers are B and C .
B is correct because phase 1 fails when IKE mode settings do not match between peers. The study guide explicitly says phase 1 settings on both ends must agree. Since this is a static site-to-site tunnel and both peers know each other’s IP addresses, Main (ID protection) is the appropriate mode.
C is correct based on the exhibit: BR1-FGT appears bound to the wrong physical interface. The screenshot shows Interface = port1 , while the diagram/answer choice indicates the tunnel should be using port2 . If the phase 1 is bound to the wrong WAN interface, FortiGate sends IKE packets out the wrong path and phase 1 will not come up.
Why the others are not the fix:
A is not correct because DH is mandatory in phase 1 and the peers only need at least one DH group in common. Removing group 2 by itself is not a corrective action from the guide; the real requirement is that the peers negotiate a compatible proposal, not that one side offers fewer groups.
D is not correct because DPD does not determine whether phase 1 can initially establish. It is a liveness-detection mechanism that runs after the IKE SA exists, and On Demand is already the default mode.
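The two phase 1 corrections on BR1-FGT as FortiOS CLI, together with the IKE debug that shows which phase 1 parameter the peer rejects, added here as an example rather than copied from the exhibit. The tunnel name, proposal, DH group and the remote gateway placeholder are assumptions.

```fortios
# BR1-FGT: bind phase 1 to the interface that reaches HQ (option C) and use the same
# IKE mode as HQ (option B). Main and aggressive mode on opposite sides never complete phase 1.
config vpn ipsec phase1-interface
    edit "BR1-to-HQ"                      # assumed name
        set interface "port2"             # was port1 in the exhibit
        set ike-version 1
        set mode main                     # must match the peer's mode
        set remote-gw <hq-wan-ip>         # placeholder for HQ-NGFW's WAN address
        set peertype any
        set proposal aes256-sha256        # assumed; must overlap with HQ's list
        set dhgrp 14                      # at least one group is mandatory; must overlap with HQ
        set dpd on-demand                 # default; liveness detection after the SA exists, not setup
        set psksecret <pre-shared-key>
    next
end

# Watch the negotiation from BR1-FGT while re-initiating the tunnel.
diagnose vpn ike log filter name "BR1-to-HQ"
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway clear name "BR1-to-HQ"
# ...read the IKE output, then clean up...
diagnose debug disable
diagnose debug reset
```

If the IKE log shows the peer answering "no proposal chosen", the proposal or DH list is the problem; if there is no answer at all, the packets are leaving the wrong interface or the pre-shared key or mode differ.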
Which two features of IPsec IKEv1 authentication are supported by FortiGate? (Choose two.)
Options:
No certificate is required on the remote peer when you set the certificate signature as the authentication method
Extended authentication (XAuth) for faster authentication because fewer packets are exchanged
Extended authentication (XAuth) to request the remote peer to provide a username and password
Pre-shared key and certificate signature as authentication methods
Answer:
C, D
Explanation:
“Authentication-wise, both versions support PSK and certificate signature . Although only IKEv1 supports XAuth ...”
“Now, you will learn about the Authentication section in phase 1 configuration:
• Method: FortiGate supports two authentication methods: Pre-shared Key and Signature. When you select Pre-shared Key, you must configure both peers with the same pre-shared key. When you select Signature, phase 1 authentication is based on digital certificate signatures.”
“The purpose of phase 1 is to authenticate peers and set up a secure channel... To authenticate each other, the peers use two methods: pre-shared key or digital signature . You can also enable an additional authentication method, XAuth, to enhance authentication. ”
“A common use of the IPsec wizard is for configuring a remote access VPN for FortiClient users. The wizard enables IKE mode config, XAuth , and other appropriate settings for FortiClient users.”
Technical Deep Dive:
The correct answers are C and D .
D is correct because FortiGate supports the two primary IKEv1 authentication methods: pre-shared key and certificate signature . That is explicitly stated in the study guide.
C is also correct because FortiGate supports XAuth with IKEv1 as an additional authentication mechanism. In practice, XAuth is used to request extra user credentials such as a username and password , especially in remote-access VPN deployments such as FortiClient.
Why the other options are incorrect:
A is incorrect because when using Signature , certificate-based authentication is in use. The study guide states that digital signature validation depends on the relevant certificates and CA trust chain being present. It is not a certificate-free method.
B is incorrect because “fewer packets are exchanged” is a characteristic of aggressive mode , not XAuth. XAuth enhances authentication; it is not the feature that makes IKE negotiation faster.
So the two supported IKEv1 authentication features are:
Extended authentication (XAuth) to request the remote peer to provide a username and password
Pre-shared key and certificate signature as authentication methods
Exhibits:

You are asked to implement an antivirus profile for files downloaded through FTP, HTTP, and HTTPS.
While testing, you are successful with HTTP and FTP protocols, but FortiGate does not block the file download over HTTPS.
What could be the cause?
Options:
The feature set in the antivirus profile is not set to Flow-based.
Web filter is not enabled on the firewall policy to complement the antivirus profile.
The action on the firewall policy is not set to deny.
The SSL inspection mode in the firewall policy is not deep content inspection.
Answer:
D
Explanation:
“To perform SSL inspection on traffic flowing through the FortiGate device, you must allow the traffic with a firewall policy and apply an SSL inspection profile to the policy. Note that an SSL inspection profile alone will not trigger a security inspection. You must combine it with other security profiles like Antivirus, Web Filter, Application Control, or IPS.”
“By default, firewall policies are set with the no-inspection SSL profile. Therefore, any encrypted traffic flows through uninspected... For antivirus or IPS control, you should use a deep-inspection profile.”
“When you use deep inspection, FortiGate impersonates the recipient of the originating SSL session, and then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient. Deep inspection protects from attacks that use HTTPS and other commonly used SSL-encrypted protocols...”
Technical Deep Dive:
The correct answer is D . HTTP and FTP are working because FortiGate can inspect those payloads directly with the antivirus profile. HTTPS is different because the traffic is encrypted. If the firewall policy uses only certificate inspection or another non-decrypting SSL mode, FortiGate can identify certificate/SNI information, but it cannot see the downloaded file contents. Without decrypting the HTTPS session, the antivirus engine never receives the payload to scan, so EICAR or other malware can pass.
Why the other options are wrong:
A is not the issue here. The exhibit shows the antivirus profile and policy are already aligned for proxy-based operation, and the failure is specific to HTTPS visibility.
B is wrong because web filter is not required for antivirus scanning.
C is wrong because firewall policies commonly use ACCEPT with security profiles; the antivirus engine can still block the file after policy match. The study guide explicitly says ACCEPT allows the session and then applies antivirus scanning and other packet-processing features.
To fix it, apply the deep-inspection profile on the firewall policy alongside the antivirus profile:
config firewall policy
    edit <policy-id>
        set ssl-ssh-profile "deep-inspection"
        set av-profile "HTTP_AV_Profile"
    next
end
Two practical caveats. First, deep inspection re-signs server certificates with the FortiGate CA (Fortinet_CA_SSL by default), so clients must trust that CA or every HTTPS site will raise certificate warnings. Second, on real FortiGate hardware this has performance implications: traffic that is not decrypted can often stay on accelerated paths, but full SSL deep inspection forces decryption and content scanning through the inspection engine, increasing CPU and WAD workload.
A network administrator is reviewing firewall policies in both Interface Pair View and By Sequence View. The policies appear in a different order in each view. Why is the policy order different in these two views?
Options:
By Sequence View groups policies based on rule priority, while Interface Pair View always follows the order of traffic logs.
The firewall dynamically reorders policies in Interface Pair View based on recent traffic patterns, but By Sequence View remains static.
Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
Policies in Interface Pair View are prioritized by security levels, while By Sequence View strictly follows the administrator's manual ordering.
Answer:
C
Explanation:
In FortiOS 7.6, firewall policies can be displayed in multiple views to help administrators understand and manage rules more effectively. The difference in ordering between Interface Pair View and By Sequence View is intentional and documented.
Why the policy order is different
Interface Pair View
Groups firewall policies based on the incoming (From) and outgoing (To) interfaces.
Policies are organized under interface pairs such as:
LAN → WAN
WAN → LAN
Within each interface pair, policies may appear reordered compared to the global list.
This view is designed for readability and troubleshooting, not to show execution order.
By Sequence View
Displays firewall policies in their actual evaluation (processing) order.
This is the top-down order FortiGate uses when matching traffic.
It reflects the real rule sequence that determines which policy is hit first.
Why option C is correct
C. Interface Pair View sorts policies based on matching interfaces, while By Sequence View shows the actual processing order of rules.
This statement exactly matches FortiOS behavior as documented in the FortiOS 7.6 Firewall Policy Views section of the Administrator Guide.
Why the other options are incorrect
A: Interface Pair View does not follow traffic logs, and By Sequence View is not based on “rule priority” grouping.
B: FortiGate does not dynamically reorder policies based on traffic patterns.
D: Security levels do not affect policy ordering in Interface Pair View.
When configuring the connection between FortiGate and FortiAnalyzer, which option indicates that reliable traffic is enabled? (Choose one answer)
Options:
The connection status shows a green check icon
The interface status is set to up
A padlock icon appears in the connection settings
The logging mode is set to real-time
Answer:
C
Explanation:
“When you enable reliable logging on FortiGate, the log transport delivery method changes from UDP to TCP. TCP provides reliable data transfer, guaranteeing that the transferred data remains intact and arrives in the same order in which it was sent.”
“Optionally, if using reliable logging, you can encrypt communications using SSL-encrypted OFTP traffic, so when a log message is generated, it is safely transmitted across an unsecured network.”
Technical Deep Dive:
The correct answer is C. The study guide ties reliable logging to TCP transport and, optionally, to SSL-encrypted OFTP. Among the choices, the padlock icon is the only one that indicates secure, reliable log transport: a green check icon only shows that the FortiGate to FortiAnalyzer connection is up, interface status is unrelated, and real-time logging mode describes when logs are uploaded, not how they are transported.
So, exam-wise, the best answer is C.
From the CLI perspective, reliable logging changes the transport from UDP to TCP, and with encryption enabled it uses SSL-protected OFTP. That is why the GUI indicator associated with secure transport is the relevant visual clue.
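The CLI settings behind the three things the GUI conflates, added here as an example and not taken from the question: reliable (TCP) transport, encryption of that transport, and the upload timing that option D refers to. The FortiAnalyzer address is an assumption.

```fortios
config log fortianalyzer setting
    set status enable
    set server "10.0.11.10"            # assumed FortiAnalyzer address
    set reliable enable                # switch log transport from UDP to TCP (OFTP)
    set enc-algorithm high             # TLS on the OFTP session; the encrypted transport the padlock reflects
    set upload-option realtime         # delivery timing only; independent of the transport choice
end

# Confirm the effective settings, then generate sample logs to see them arrive on FortiAnalyzer
get log fortianalyzer setting
diagnose log test
```

Without reliable enable there is no TCP session to protect, so enc-algorithm has nothing to apply to; that dependency is why the encrypted-transport indicator is a reasonable proxy for reliable logging being on.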