
NSE4_FGT_AD-7.6 Cheat Sheet

Quick reference for the Fortinet NSE 4 - FortiOS 7.6 Administrator exam.

FortiGate Deployment Modes

NAT/Route Mode
Default mode. FortiGate acts as a Layer 3 router and firewall. Interfaces have IP addresses. Performs routing and NAT between zones. Required for VPN, SD-WAN, and most features.
Transparent Mode
Layer 2 bridge mode. Interfaces have no IP addresses (except management). No NAT, no routing. Insert inline without re-addressing the network. Firewall policies still enforce on bridged traffic.
get system status | grep 'Operation Mode'
Show whether FortiGate is operating in NAT/Route mode or Transparent mode. Output: 'Operation Mode: NAT' or 'Operation Mode: Transparent'.
VDOM Mode
Virtual Domain — divide one FortiGate into multiple logical firewalls. Each VDOM has independent interfaces, routing, and policies. Used for multi-tenant or segmented environments.
Interface types
Physical, VLAN (802.1Q sub-interface), Aggregate (LACP bonding), Redundant (active-standby bonding), Loopback (always-up virtual), Software Switch (L2 bridge of physical ports)

System Administration

config system admin
Configure administrator accounts. Set password, profile, trusted hosts, and access method (GUI/CLI/API).
Trusted hosts
config system admin → edit admin → set trusthost1 10.10.10.0/24. Restricts logins to specified source IPs only. Lock-out risk: always include your current management subnet.
config system interface
Configure interface IP, admin access, role, and aliases. set allowaccess https ssh ping sets permitted management protocols.
Firmware backup before upgrade
execute backup config ftp <filename> <FTP_IP> [user] [pass] — OR — GUI: System > Firmware > Backup. Always back up config before firmware upgrade.
execute restore image ftp
execute restore image ftp <filename> <FTP_IP> — download firmware image and schedule upgrade. Requires reboot to apply.
Factory reset
execute factoryreset — resets all config. Default management IP: 192.168.1.99. Default credentials: admin / (no password).
HA configuration
config system ha → set mode a-p (active-passive) or a-a (active-active) → set group-name → set password → set monitor (monitored interfaces) → set hbdev (heartbeat interfaces)
diagnose sys ha status
Show HA cluster status: primary/secondary role, serial numbers, heartbeat interface status, and sync state.

Firewall Policies

Policy matching order
Top-to-bottom. First matching policy wins. Implicit deny-all at the bottom. Never-match policies below a broad allow are dead — reorder or delete them.
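To make the matching order and the implicit deny concrete, here is an added Python model (not FortiOS code and not from the page's author): it evaluates a constructed policy table top-to-bottom, returns id 0 for the implicit deny the way debug flow reports it, and flags a later policy that a single earlier policy already covers completely. Interface names, addresses and the policy table are constructed; schedules, users and security profiles are left out of the model.

```python
"""Policy-order simulator: first match wins, implicit deny, shadowed-policy check."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    id: int
    srcintf: str        # interface name or "any"
    dstintf: str
    srcaddr: str        # CIDR or "all"
    dstaddr: str
    service: object     # frozenset of (proto, dport), or "ALL"
    action: str         # "accept" or "deny"


@dataclass(frozen=True)
class Flow:
    srcintf: str
    dstintf: str
    src: str
    dst: str
    proto: str
    dport: int


def _net(spec):
    return ipaddress.ip_network(spec, strict=False)


def _addr_match(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in _net(spec)


def _svc_match(spec, proto, dport):
    return spec == "ALL" or (proto, dport) in spec


def matches(p, f):
    return (p.srcintf in ("any", f.srcintf) and p.dstintf in ("any", f.dstintf)
            and _addr_match(p.srcaddr, f.src) and _addr_match(p.dstaddr, f.dst)
            and _svc_match(p.service, f.proto, f.dport))


def lookup(policies, flow):
    """Top-to-bottom, first match wins; no match -> (0, "deny"), the id=0
    implicit deny that debug flow prints."""
    for p in policies:
        if matches(p, flow):
            return p.id, p.action
    return 0, "deny"


def _covers(broad, narrow):
    """True if every flow matching `narrow` also matches `broad`."""
    def intf(a, b):
        return a == "any" or a == b

    def addr(a, b):
        if a == "all":
            return True
        if b == "all":
            return False
        return _net(b).subnet_of(_net(a))

    def svc(a, b):
        if a == "ALL":
            return True
        if b == "ALL":
            return False
        return b <= a

    return (intf(broad.srcintf, narrow.srcintf) and intf(broad.dstintf, narrow.dstintf)
            and addr(broad.srcaddr, narrow.srcaddr) and addr(broad.dstaddr, narrow.dstaddr)
            and svc(broad.service, narrow.service))


def shadowed(policies):
    """(dead_id, earlier_id) pairs: the later policy can never match because one
    earlier policy already covers all of its traffic. A policy hidden only by the
    combination of several earlier policies is not reported by this simple check."""
    out = []
    for i, p in enumerate(policies):
        for q in policies[:i]:
            if _covers(q, p):
                out.append((p.id, q.id))
                break
    return out


WEB = frozenset({("tcp", 80), ("tcp", 443)})
SSH = frozenset({("tcp", 22)})

# Constructed policy table in FortiGate order (top = evaluated first).
POLICIES = [
    Policy(1, "internal", "wan1", "10.0.1.0/24", "all", WEB, "accept"),
    Policy(2, "internal", "wan1", "all", "all", "ALL", "accept"),      # broad allow
    Policy(3, "internal", "wan1", "10.0.1.0/24", "all", SSH, "deny"),  # dead: sits below policy 2
    Policy(4, "internal", "dmz", "all", "192.168.50.0/24", WEB, "accept"),
]

if __name__ == "__main__":
    print(lookup(POLICIES, Flow("internal", "wan1", "10.0.1.5", "203.0.113.10", "tcp", 22)))
    print(lookup(POLICIES, Flow("internal", "dmz", "10.0.1.5", "192.168.50.10", "tcp", 22)))
    print(shadowed(POLICIES))
```

Policy 3 is the "dead" case from the text: SSH from 10.0.1.0/24 is accepted by policy 2 before policy 3 is ever consulted, so the deny has no effect until it is moved above the broad allow.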
config firewall policy
config firewall policy → edit <id> → set name → set srcintf → set dstintf → set srcaddr → set dstaddr → set service → set action accept|deny → set schedule → next
Enable NAT on policy
set nat enable — enables SNAT (overload with interface IP by default). set ippool enable + set poolname <pool> — uses a named IP pool instead of interface IP.
Apply security profiles to policy
set utm-status enable → set av-profile <name> → set webfilter-profile <name> → set ips-sensor <name> → set application-list <name> → set ssl-ssh-profile <name>
set inspection-mode proxy|flow
Per-policy inspection mode. proxy: full content buffering, all UTM features including DLP with full file analysis. flow: stream inspection, lower latency. In FortiOS 7.6, DLP supports both modes (set feature-set {flow|proxy} in dlp profile) — proxy mode provides deeper analysis.
diagnose debug flow trace
Step-by-step packet trace showing policy lookup, NAT, and routing. ALWAYS use a filter: diagnose debug flow filter addr <IP> — then diagnose debug flow show function-name enable — then diagnose debug enable
diagnose sniffer packet <intf> 'host <IP>' 4
Tcpdump-style packet capture. Run before debug flow to confirm traffic is arriving on the expected interface. Verbose level 4 shows headers.

NAT Configuration

IP Pool types (SNAT)
Overload: many-to-one PAT (most common). One-to-one: each internal IP gets a dedicated external IP with no port translation. Fixed Port Range: each internal IP in the range is mapped to a fixed block of external ports, so the translation is predictable. Port Block Allocation: each internal IP is handed blocks of ports on demand, which reduces per-session NAT logging.
config firewall ippool
config firewall ippool → edit <name> → set type overload|one-to-one|fixed-port-range|port-block-allocation → set startip <IP> → set endip <IP>
Virtual IP (VIP) for DNAT
Maps external IP/port to internal server IP/port. VIP must be referenced as the DESTINATION address in a firewall policy. Creating a VIP alone does not open access.
config firewall vip
config firewall vip → edit <name> → set type static-nat → set extip <external_IP> → set mappedip <internal_IP> → set extintf <WAN_interface> → set portforward enable → set extport 80 → set mappedport 8080
Central NAT mode
Separate SNAT and DNAT tables (config firewall central-snat-map). Mutually exclusive with per-policy NAT per VDOM. More scalable for large deployments with many NAT rules.
NAT46 / NAT64
NAT46: translate IPv4 clients to IPv6 servers. NAT64: translate IPv6 clients to IPv4 servers. Configured under config firewall vip46 and vip64.

Authentication and FSSO

Local user accounts
config user local → edit <username> → set type password → set passwd <password>. Add user to a user group for use in firewall policies.
LDAP server configuration
config user ldap → edit <name> → set server <IP> → set dn 'dc=example,dc=com' → set bind-type regular → set username 'cn=svc_fortigate,ou=service' → set password <pwd>
RADIUS server configuration
config user radius → edit <name> → set server <IP> → set secret <shared_secret>. RADIUS authentication for VPN users, admin login, and captive portal.
User groups
config user group → edit <name> → set member <local_user1> <local_user2> → config match → edit 1 → set server-name <LDAP_server> → set group-name 'CN=VPN_Users,OU=Groups,DC=...'
FSSO Collector Agent mode
Windows agent installed on a server, reads Security Event Log from DCs via WMI. FortiGate connects to Collector Agent (TCP 8000). More reliable for large AD environments.
FSSO Agentless mode
FortiGate directly polls DCs via WMI (no agent). Simpler but generates more DC traffic. config user fsso-polling → edit <DC_name> → set server <DC_IP> → set user <domain\user> → set password <pwd>
diagnose debug application authd
diagnose debug application authd -1 — shows FSSO authentication events and login/logoff messages. Use to verify FSSO is receiving user logins from AD.
diagnose firewall auth list
Lists all active authenticated users: IP address, username, authentication method, and timeout timer.

Security Profiles

Antivirus profile (proxy mode)
config antivirus profile → edit <name> → set feature-set proxy → config http → set options scan → set archive-block encrypted → end. Buffers the full file before scanning. (In the profile the flow/proxy choice is feature-set; inspection-mode is the per-policy setting.)
Antivirus profile (flow mode)
config antivirus profile → edit <name> → set feature-set flow. Streams packets through the AV engine. Faster but cannot scan encrypted archives.
Web filter profile
config webfilter profile → edit <name> → config ftgd-wf → config filters → edit 1 → set category <cat_id> → set action block. FortiGuard cloud lookup for URL categories.
Web filter static URL filter
config webfilter urlfilter → edit <name> → config entries → edit 1 → set url 'www.example.com' → set type simple|wildcard|regex → set action block|allow|monitor
Application control profile
config application list → edit <name> → config entries → edit 1 → set category <cat_id> → set action block|allow|monitor|shape. Blocks by Layer 7 DPI signature, not URL.
IPS sensor
config ips sensor → edit <name> → config entries → edit 1 → set severity high critical → set action block → set status enable. Override specific signatures with custom entries.
DNS filter profile
config dnsfilter profile → edit <name> → set ftgd-dns enable → config ftgd-dns-filters → edit 1 → set category <cat_id> → set action block. Blocks DNS resolution for malicious/unwanted domains.
DLP profile (flow or proxy feature-set)
config dlp profile → edit <name> → set feature-set {flow|proxy} → config rule → edit 1 → set sensor <dlp_sensor_name> → set action block|allow|log → end. FortiOS 7.6 supports both flow and proxy feature-sets. Proxy mode provides full content buffering for deeper analysis; flow mode uses stream-based scanning. DLP archiving requires proxy mode.

SSL/SSH Inspection

SSL inspection modes
Certificate Inspection: validates cert only, no decrypt. No CA cert needed on endpoints. Cannot inspect content. Deep Inspection: decrypt + inspect + re-encrypt. CA cert MUST be trusted by endpoints.
config firewall ssl-ssh-profile
config firewall ssl-ssh-profile → edit 'deep-inspection' → set ssl-invalid-server-cert-action block|allow|ignore → config https → set ports 443 → set status deep-inspection
SSL inspection CA cert
The FortiGate uses its local CA certificate to re-sign decrypted content. Download the CA cert from System > Certificates and push to all endpoints via GPO or MDM to prevent browser warnings.
SSL exemptions
Exempt specific domains or IP ranges from deep inspection (banking apps, certificate-pinned apps). config firewall ssl-ssh-profile → edit <name> → config ssl-exempt → edit 1 → set type domain → set domain 'bank.com'
SSH inspection
Inspects SSH sessions. Can block specific SSH algorithms or port forwarding. set ssh-policy-check enable enables command logging and policy application to SSH sessions.
Apply SSL profile to policy
In the firewall policy: set ssl-ssh-profile 'deep-inspection'. Must be explicitly set — policies do NOT inherit SSL inspection by default.

Routing and SD-WAN

config router static
config router static → edit 1 → set dst 0.0.0.0/0 → set gateway 203.0.113.1 → set device wan1 → set distance 10 → set priority 0. Lower distance is preferred and decides which route is installed in the routing table; among installed routes to the same prefix, lower priority is preferred.
Policy route (PBR)
config router policy → edit 1 → set input-device internal → set src 10.1.1.0/24 → set dst 0.0.0.0/0 → set output-device wan2. Evaluated BEFORE routing table.
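The static-route and policy-route entries above describe an order of evaluation (policy routes first, then the routing table with longest prefix, distance and priority). The following is an added Python model of that order, not FortiOS code and not from the page's author; interface names, gateways and prefixes are constructed, and it is simplified to IPv4 static routes with no ECMP or SD-WAN.

```python
"""Route lookup model: policy routes first, then longest prefix, distance, priority."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str
    gateway: str
    device: str
    distance: int = 10
    priority: int = 0


@dataclass(frozen=True)
class PolicyRoute:
    input_device: str
    src: str
    dst: str
    output_device: str


def _net(spec):
    return ipaddress.ip_network(spec, strict=False)


def installed(static_routes):
    """Routing table: for each prefix only the route(s) with the lowest distance
    are installed; a higher-distance (floating) route to the same prefix stays
    inactive until the better one disappears."""
    by_prefix = {}
    for r in static_routes:
        by_prefix.setdefault(_net(r.dst), []).append(r)
    table = []
    for routes in by_prefix.values():
        best = min(r.distance for r in routes)
        table.extend(r for r in routes if r.distance == best)
    return table


def lookup(src, dst, in_device, policy_routes, static_routes):
    """Return (how, egress_device). Policy routes are checked top to bottom
    before the routing table is consulted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pr in policy_routes:
        if pr.input_device == in_device and s in _net(pr.src) and d in _net(pr.dst):
            return "policy-route", pr.output_device
    candidates = [r for r in installed(static_routes) if d in _net(r.dst)]
    if not candidates:
        return "no-route", None
    # Longest prefix wins; among equal prefixes (same distance, already filtered)
    # the lowest priority value is preferred.
    best = max(candidates, key=lambda r: (_net(r.dst).prefixlen, -r.priority))
    return "static", best.device


# Constructed routing configuration.
STATIC = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "wan1", distance=10, priority=0),
    StaticRoute("0.0.0.0/0", "198.51.100.1", "wan2", distance=10, priority=5),   # installed, less preferred
    StaticRoute("0.0.0.0/0", "198.51.100.1", "wan2", distance=20, priority=0),   # floating, not installed
    StaticRoute("10.0.2.0/24", "", "to_branch"),                                   # route-based VPN tunnel
]
PBR = [PolicyRoute("internal", "10.1.1.0/24", "0.0.0.0/0", "wan2")]

if __name__ == "__main__":
    print(lookup("10.1.1.5", "8.8.8.8", "internal", PBR, STATIC))   # policy route -> wan2
    print(lookup("10.0.5.5", "8.8.8.8", "internal", PBR, STATIC))   # static, priority 0 -> wan1
    print(lookup("10.0.5.5", "10.0.2.7", "internal", PBR, STATIC))  # longest prefix -> to_branch
```

The fourth case worth trying is a 10.1.1.0/24 host reaching 10.0.2.7: because the policy route is evaluated first and its destination is 0.0.0.0/0, that traffic leaves via wan2 rather than the VPN tunnel, which is exactly the kind of surprise a broad PBR entry causes.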
get router info routing-table all
Display full routing table including all installed routes with source, distance, metric, and next-hop.
SD-WAN members
config system sdwan → config members → edit 1 → set interface wan1 → set gateway 203.0.113.1 → edit 2 → set interface wan2 → set gateway 198.51.100.1
SD-WAN Performance SLA
config system sdwan → config health-check → edit 'ISP_Health' → set server '8.8.8.8' → set protocol ping → set update-static-route enable → set members 1 2 → set latency-threshold 100 → set packet-loss-threshold 5
SD-WAN rules (traffic steering)
config system sdwan → config service → edit 1 → set name 'Best_Quality' → set mode best-quality (or load-balance|manual|priority) → set health-check 'ISP_Health' → set member 1 2
OSPF configuration
config router ospf → set router-id 10.0.0.1 → config area → edit 0.0.0.0 → config network → edit 1 → set prefix 192.168.1.0/24 → set area 0.0.0.0
BGP configuration
config router bgp → set as 65001 → set router-id 10.0.0.1 → config neighbor → edit 203.0.113.1 → set remote-as 65002 → set update-source wan1

IPsec VPN

IPsec Phase 1 (IKEv1)
config vpn ipsec phase1-interface → edit <name> → set interface wan1 → set ike-version 1 → set keylife 86400 → set peertype any|one → set psksecret <PSK> → set proposal aes256-sha256 → set dhgrp 14
IPsec Phase 2 (route-based)
config vpn ipsec phase2-interface → edit <name> → set phase1name <p1_name> → set proposal aes256-sha256 → set pfs enable → set dhgrp 14 → set keylifeseconds 3600. No proxy IDs needed for route-based.
IPsec Phase 2 (policy-based)
config vpn ipsec phase2 → edit <name> → set phase1name <p1_name> → set src-subnet 10.0.1.0/24 → set dst-subnet 10.0.2.0/24. Policy-based VPNs use phase1/phase2 rather than the -interface variants, and the proxy IDs must match on both peers.
Route-based VPN static route
config router static → edit 1 → set dst 10.0.2.0/24 → set device <tunnel_interface_name>. Traffic to 10.0.2.0/24 is routed into the IPsec tunnel interface.
diagnose vpn ike gateway list
Show IKE Phase 1 SA status: peer IP, auth method, IKE version, established time, and SA status (established/connecting/failed).
diagnose vpn tunnel list
Show IPsec Phase 2 SA status: tunnel name, remote IP, encryption/integrity algorithms, bytes in/out, and lifetime remaining.
diagnose debug application ike -1
Enable real-time IKE debug output. Use with diagnose debug enable. Verbose — use only for active troubleshooting. Disable with diagnose debug application ike 0 after troubleshooting.
IKEv2 Phase 1 config
config vpn ipsec phase1-interface → edit <name> → set ike-version 2 → set proposal aes256-sha256 → set dhgrp 14 19 → set psksecret <PSK>. IKEv2 combines Phase 1 and initial Phase 2 in fewer messages.

SSL VPN

SSL VPN settings
config vpn ssl settings → set servercert 'self-sign' → set tunnel-ip-pools <ip_pool_name> → set dns-server1 8.8.8.8 → set port 443 → set idle-timeout 300
SSL VPN portal (tunnel mode)
config vpn ssl web portal → edit 'full-access' → set tunnel-mode enable → set web-mode disable → set split-tunneling enable → config split-tunneling-routing-address → edit 1 → set addr 192.168.0.0/16
SSL VPN portal (web mode)
config vpn ssl web portal → edit 'web-only' → set web-mode enable → set tunnel-mode disable → config bookmark-group → (add internal web app bookmarks). No FortiClient required.
SSL VPN firewall policy (required)
config firewall policy → edit <id> → set srcintf ssl.root → set dstintf internal → set srcaddr all → set dstaddr 192.168.1.0/24 → set action accept → set groups <vpn_user_group>. Required for users to reach internal resources.
get vpn ssl monitor
Show active SSL VPN sessions: username, IP address, assigned tunnel IP, connection duration, and bytes transferred.
Split tunneling
set split-tunneling enable in portal config — only subnets in split-tunneling-routing-address go through VPN. All other internet traffic uses local connection. set split-tunneling disable sends ALL traffic through VPN.
SSL VPN IP pool
config firewall address → edit 'SSLVPN_Pool' → set type iprange → set start-ip 10.10.10.1 → set end-ip 10.10.10.254. The tunnel address pool is a firewall address object of type iprange (not a firewall ippool); it is referenced in SSL VPN settings as tunnel-ip-pools.

Troubleshooting Commands

diagnose debug flow filter addr
diagnose debug flow filter addr 192.168.1.100 — set filter to trace only packets from/to this IP. Always filter before enabling debug flow on production systems.
Debug flow trace sequence
1) diagnose debug flow filter addr <IP>
2) diagnose debug flow show function-name enable
3) diagnose debug flow show iprope enable
4) diagnose debug enable
5) Generate traffic
6) diagnose debug disable
Debug flow output: policy lookup
iprope_in_check() shows which policy matched: 'find policy … id=<policy_id> (deny/accept)'. id=0 means implicit deny. Look for 'drop' reason in output.
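Reading debug flow output by eye is tedious once more than one trace is interleaved. The following added Python script (not FortiOS code and not from the page's author) groups lines by trace_id and pulls out the packet 5-tuple, the ingress and route interfaces, the policy id and verdict, and any SNAT. The SAMPLE lines are constructed to resemble debug flow output, including the 'find policy … id=N (accept|deny)' form quoted above; real output varies by FortiOS version, so the regexes are starting points to adjust against what your unit prints.

```python
"""Summarise 'diagnose debug flow' output per trace_id: packet, route, policy, NAT."""
import re

# Constructed sample; modelled on debug flow output, not captured from a device.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.0.1.5:51234->203.0.113.10:443) tun_id=0.0.0.0 from internal. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=6073 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=iprope_in_check line=473 msg="find policy id=5 (accept)"
id=20085 trace_id=1 func=fw_forward_handler line=831 msg="Allowed by Policy-5: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3507 msg="SNAT 10.0.1.5->203.0.113.5:51234"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.0.1.5:51300->192.168.50.10:22) tun_id=0.0.0.0 from internal. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=6073 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.50.10 via dmz"
id=20085 trace_id=2 func=iprope_in_check line=473 msg="find policy id=0 (deny)"
id=20085 trace_id=2 func=fw_forward_handler line=831 msg="Denied by forward policy check (policy 0)"
"""

_TRACE = re.compile(r"trace_id=(\d+)")
_PKT = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).* from (\w+)\.")
_ROUTE = re.compile(r"find a route: .* via (\w+)")
_POLICY = re.compile(r"find policy id=(\d+) \((accept|deny)\)")
_ALLOWED = re.compile(r"Allowed by Policy-(\d+)")
_DENIED = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
_SNAT = re.compile(r"SNAT [\d.]+->([\d.]+):(\d+)")


def summarise(text):
    """Return one dict per trace_id, in order of first appearance."""
    traces = {}
    for line in text.splitlines():
        m = _TRACE.search(line)
        if not m:
            continue
        tid = int(m.group(1))
        t = traces.setdefault(tid, {"trace_id": tid, "policy": None, "verdict": None,
                                    "route_dev": None, "snat": None})
        if m := _PKT.search(line):
            t.update(proto=int(m.group(1)), src=m.group(2), sport=int(m.group(3)),
                     dst=m.group(4), dport=int(m.group(5)), in_dev=m.group(6))
        elif m := _ROUTE.search(line):
            t["route_dev"] = m.group(1)
        elif m := _POLICY.search(line):
            t["policy"], t["verdict"] = int(m.group(1)), m.group(2)
        elif m := _ALLOWED.search(line):
            t["policy"], t["verdict"] = int(m.group(1)), "accept"
        elif m := _DENIED.search(line):
            t["policy"], t["verdict"] = int(m.group(1)), "deny"
        elif m := _SNAT.search(line):
            t["snat"] = m.group(1)
    for t in traces.values():
        # id=0 is the implicit deny: no configured policy matched at all.
        t["implicit_deny"] = t["verdict"] == "deny" and t["policy"] == 0
    return list(traces.values())


if __name__ == "__main__":
    for t in summarise(SAMPLE):
        print(t)
```

Trace 2 is the case the text describes: the route lookup succeeds (the packet is forwardable towards dmz) but the policy lookup returns id=0, so the drop is a missing policy, not a routing problem.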
diagnose sniffer packet
diagnose sniffer packet wan1 'host 8.8.8.8 and icmp' 4 10 — capture 10 packets on wan1 matching ICMP to 8.8.8.8. Levels 1-6: 6 = full hex dump.
get system session list
Show active session table entries. Filter: get system session list | grep 192.168.1.100. Confirms the session exists and shows its NAT translation.
diagnose ip route list
Show kernel routing table including SD-WAN route cache entries. Complements get router info routing-table all.
FortiGate support log
execute log filter device disk → execute log display — view local disk logs. diagnose log test — generate test log entries to verify logging is working.
diagnose debug reset
Reset all active debug filters. Run after troubleshooting to stop debug output and remove filters. diagnose debug disable also stops output.
