CertPrepNow
FortinetNSE4_FGT_AD-7.65 domains

NSE4_FGT_AD-7.6 Exam Notes

Last-minute traps, must-know facts, and scenario tips for the Fortinet NSE 4 - FortiOS 7.6 Administrator exam.

General Exam Tips

  • 1.Read every word of multi-select questions — the exam uses 'select ALL that apply' with no partial credit. Missing one option loses the entire question.
  • 2.Policy order questions are the most-tested concept: always visualize the policy table top-to-bottom and ask 'which policy matches FIRST?'
  • 3.For scenario questions, identify the constraint in the question (no IP change, passive auth, clientless access) before looking at the options.
  • 4.When you see 'users can connect but cannot reach resources' in a VPN or auth scenario, the answer is almost always a missing firewall policy.
  • 5.If the question involves CLI output interpretation, diagnose vpn ike gateway list = Phase 1, diagnose vpn tunnel list = Phase 2. Do not mix these up.
  • 6.Flag and skip any question taking more than 90 seconds — come back to it. The exam is 90 minutes for 50 questions, which gives you about 100 seconds per question on average.
  • 7.For 'what is wrong' troubleshooting scenarios, work through the OSI model: interface up? route? policy match? NAT? security profile? SSL inspection?
  • 8.On multiple-select questions, use elimination — identify clearly wrong options first, then decide among the remaining candidates.
  • 9.Do not second-guess your first instinct on straightforward definitional questions. Change answers only if you find a concrete reason to.
Domain 122% of exam

Deployment and System Configuration

Must-Know Facts

  • NAT/Route mode = Layer 3, routing + NAT, interfaces have IPs. Transparent mode = Layer 2 bridge, no interface IPs, no NAT, no routing — used to insert inline without re-addressing.
  • Transparent mode still enforces firewall policies and security profiles — it is NOT a pass-through switch. The firewall is active, just at Layer 2.
  • HA Active-Passive: primary handles ALL traffic. Secondary monitors via heartbeat. On failover, secondary promotes to primary. The demoted unit rejoins as secondary when it recovers.
  • HA Active-Active: primary distributes sessions to ALL units. All units process traffic. Primary holds the cluster virtual MACs and receives all inbound; response packets from subordinate units go directly out without returning through primary.
  • HA session pickup is NOT enabled by default. Without it, active sessions drop on failover. Proxy-based sessions (SSL VPN, explicit proxy) cannot be handed off regardless — they must restart.
  • Trusted hosts restrict login SOURCE IPs. If configured and your source IP is not in the list, login is blocked even with correct credentials. Always include your own management subnet.
  • Factory reset restores management IP to 192.168.1.99, admin password blank.
  • Log levels in order: emergency, alert, critical, error, warning, notification, information, debug. More log data = more storage overhead. Set minimum level appropriate for the deployment.
  • VDOM sub-interfaces inherit the parent physical interface's zone unless explicitly reassigned — this affects which policies govern their traffic.
  • FortiGate-VM does not have hardware ASIC (NP6/NP7) offloading available. All inspection is software-only, which affects throughput compared to physical appliances.

Common Traps

TrapChoosing NAT/Route mode when the question says 'insert without changing IP addressing'
RealityAny scenario requiring inline insertion without network redesign demands Transparent mode. NAT/Route mode requires interface IPs and re-addressing. Transparent mode bridges at Layer 2 with a management IP only.
TrapAssuming Active-Active HA provides automatic external load balancing
RealityIn FortiGate Active-Active HA, the PRIMARY unit does the session load balancing internally. It receives all inbound traffic via the cluster virtual MAC addresses and distributes sessions to subordinate units. There is no external load balancer involved.
TrapBelieving session failover in HA works automatically for all session types
RealitySession pickup must be explicitly enabled in HA settings. Even then, proxy-based sessions (SSL VPN tunnels, explicit proxy connections) cannot be synchronized and will drop on failover — users must reconnect.
TrapThinking configuring Trusted Hosts is optional and only affects unauthorized users
RealityTrusted Hosts is an absolute block on source IP. The CORRECT password from a non-trusted IP will be rejected. You can lock yourself out of your own FortiGate if you configure this incorrectly. Always include your own source IP/subnet.
TrapTreating Transparent mode as a dumb switch that just passes traffic
RealityFortiGate in Transparent mode actively inspects and enforces security policies on all bridged traffic. It is invisible at Layer 3 but fully functional as a security device at all application layers.

Confusing Pairs

NAT/Route ModeTransparent Mode

NAT/Route = standard deployment with interface IPs, routing, NAT; required for VPN, SD-WAN, most features. Transparent = inline bridge, no interface IPs, no NAT; used ONLY when you cannot change IP addressing. Key question: 'Does the scenario require inserting without IP changes?' Yes = Transparent. No = NAT/Route.

Active-Passive HAActive-Active HA

Active-Passive = one unit processes all traffic, other is standby; simple, lower complexity. Active-Active = both units process traffic, primary distributes sessions; higher throughput but more complex. Exam trap: A-A does NOT use an external load balancer — the primary distributes sessions itself.

VLAN Sub-interfacePhysical Interface

VLAN sub-interfaces use 802.1Q tagging on a physical parent. They inherit the parent's zone assignment unless explicitly moved to a different zone. This zone inheritance affects which firewall policies apply — a trap when the parent is in a zone with permissive intrazone rules.

Scenario Tips

If the question asks about:

A FortiGate must be inserted between an existing router and switch without changing any IP addresses or routes on existing devices.

Answer:

Choose Transparent mode. The FortiGate bridges at Layer 2, requiring no interface IPs and no changes to existing device routing.

Distractor to avoid:

VDOM mode is wrong — VDOMs segment one FortiGate into multiple logical firewalls but do not change the deployment mode.

If the question asks about:

An HA cluster fails over but users report their browsing sessions dropped. Sessions do NOT resume automatically. Why?

Answer:

Session pickup (session synchronization) was not enabled, OR the sessions are proxy-based (SSL VPN / explicit proxy) which cannot be handed off. Enable session-pickup in HA settings for stateful failover of regular sessions.

Distractor to avoid:

Do not assume HA automatically preserves all sessions. Proxy sessions always restart on failover regardless of session-pickup configuration.

Last-Minute Facts

1Default management IP after factory reset: 192.168.1.99
2Default admin credentials after factory reset: username 'admin', password blank
3HA heartbeat interfaces: should be direct physical connections between units, NOT through a production switch
4Transparent mode limitations: no NAT, very limited routing (no OSPF/BGP support in transparent mode), management IP only
5Session pickup default: OFF. Must be explicitly enabled in config system ha.
6Active-Active HA: primary holds cluster virtual MACs. Subordinate response traffic goes DIRECTLY to destination, not back through primary.
Domain 228% of exam

Firewall Policies and Authentication

Must-Know Facts

  • Policy matching is strictly top-to-bottom, first match wins. No best-match logic. A broad ALLOW above a specific DENY means the deny is never evaluated.
  • The implicit deny-all (policy ID 0) is always at the bottom. Traffic not matched by any explicit policy is silently dropped.
  • ALL five fields must match for a policy to fire: source interface, destination interface, source address, destination address, and service.
  • SNAT IP pool types: Overload (many-to-one PAT, most common), One-to-one (dedicated external IP per internal IP, preserves ports), Fixed Port Range (static port range per source IP), Port Block Allocation (dynamic port block per source IP).
  • DNAT is implemented via Virtual IPs (VIPs). A VIP maps an external IP/port to an internal IP/port. VIPs MUST be referenced as the destination address in a firewall policy to take effect.
  • Central NAT and per-policy NAT are mutually exclusive per VDOM. Central NAT has a separate SNAT table and DNAT table; per-policy NAT has the NAT checkbox in each policy.
  • FSSO is passive — FortiGate learns user identity from AD login events without prompting users. It does NOT show users a FortiGate login page.
  • Firewall active authentication shows users a portal/captive page. FSSO is passive authentication. LDAP and RADIUS can be used for either active auth or FSSO backend.
  • VIP default behavior: the 'all' address object in a policy does NOT match VIPs by default unless match-vip is enabled. To deny traffic to a VIP specifically, reference the VIP object in the destination field of the deny policy.
  • FSSO workstation verification: FortiGate pings the endpoint to confirm the user is still logged in. If ICMP is blocked, workstation verification fails silently and user-based policies stop matching. Disable workstation verification if endpoints block ICMP.

Common Traps

TrapCreating a VIP for DNAT and thinking access is now open to the internal server
RealityA VIP object is just a NAT mapping definition. It does NOTHING until referenced as the destination address in an explicit allow firewall policy. Without the policy, inbound traffic destined for the VIP external IP is blocked by the implicit deny.
TrapPlacing a specific deny policy BELOW a broad allow policy to block a subset of traffic
RealityPolicies match top-to-bottom, first match wins. If the broad allow is above, the specific deny is never reached. Always place specific policies ABOVE the broad policies they should override.
TrapAssuming FSSO shows users a login prompt if their session fails
RealityFSSO is passive and invisible to users. If an FSSO session expires or fails verification, FortiGate may silently fail to match user-based policies. FortiGate may fall back to active authentication (showing a portal), but this is a fallback, not the primary behavior.
TrapConfusing IP pool Overload with One-to-one for publishing services
RealityOverload (PAT) is for SNAT (outbound). It does NOT preserve source ports and cannot be used for inbound server publishing. One-to-one maps a specific internal IP to a specific external IP but is still SNAT (outbound). Use VIPs for inbound DNAT (publishing servers).
TrapThinking the 'all' address object automatically includes VIP addresses in deny policies
RealityBy default, 'all' in a firewall policy does NOT match VIP destination addresses. To match traffic destined to a VIP in a deny policy, you must either reference the VIP object as destination, or enable match-vip on the policy.
TrapAssuming Central NAT and per-policy NAT can coexist in the same VDOM
RealityThey are mutually exclusive per VDOM. When Central NAT is enabled, the NAT checkbox in firewall policies is inactive. You choose one or the other at the VDOM level.

Confusing Pairs

SNAT (IP Pool)DNAT (Virtual IP)

SNAT translates SOURCE addresses of OUTBOUND traffic (internal clients going out). IP pool types determine how many external IPs are used and how ports are handled. DNAT translates DESTINATION addresses of INBOUND traffic (internet users reaching internal servers). Implemented with VIPs. Rule of thumb: publishing a server = VIP (DNAT). Internal clients reaching internet = IP pool (SNAT).

FSSO (Passive Auth)Captive Portal / LDAP Active Auth

FSSO = NO user interaction with FortiGate; identity comes from AD login events; users authenticate to AD only. Captive portal / LDAP active = users see a FortiGate login page and must enter credentials. Key scenario signal: 'without requiring users to log in again' or 'transparent to users' = FSSO.

Overload IP PoolOne-to-One IP Pool

Overload = classic PAT (Port Address Translation); many internal IPs share one external IP via different source ports; most common for general internet access. One-to-one = each internal IP gets its own external IP; source port is NOT changed; required when the destination server logs real source IPs or when a specific external IP is needed per host.

Central NATPer-Policy NAT

Central NAT = dedicated SNAT/DNAT policy tables separate from firewall policies; more flexible and scalable; explicit source/destination matching in NAT rules. Per-Policy NAT = NAT checkbox inside each firewall policy; simpler for small deployments; each policy carries its own NAT config. They are mutually exclusive per VDOM — choose one approach at deployment time.

Scenario Tips

If the question asks about:

An internal web server at 192.168.1.10 needs to be accessible from the internet on the FortiGate's external IP 203.0.113.10:80. Users are still blocked after configuring the VIP.

Answer:

The VIP was created but not added to a firewall policy. Create a policy with source interface = WAN, destination interface = LAN, destination address = the VIP object, service = HTTP, action = accept.

Distractor to avoid:

Do not use an IP pool here — IP pools are for outbound SNAT. VIPs handle inbound DNAT. Also do not create a static route to the internal server — routing and NAT are different things.

If the question asks about:

A company uses Active Directory. They want FortiGate to apply different policies to HR vs IT users without any additional login prompts.

Answer:

Use FSSO (Fortinet Single Sign-On). FortiGate passively monitors AD login events to build IP-to-user mappings. No FortiGate login prompt is shown to users.

Distractor to avoid:

LDAP and RADIUS require active authentication — users see a portal or are prompted. Local user database requires maintaining separate FortiGate accounts. Only FSSO is transparent.

If the question asks about:

Traffic from 10.0.0.100 is hitting the broad allow policy instead of the specific deny policy below it.

Answer:

Move the specific deny policy ABOVE the broad allow policy. Policy tables are top-to-bottom first-match — specific exceptions must appear before the broad rule they override.

Distractor to avoid:

You cannot fix this with administrative distance or priority — those are routing concepts. Policy order is the only solution.

If the question asks about:

FSSO appears to be working (Collector Agent shows logins) but user-based policies are not matching for some users.

Answer:

Check whether FSSO workstation verification is enabled. If endpoints block ICMP pings from FortiGate, verification fails silently and user-to-IP mappings are not used. Disable workstation verification or allow ICMP from FortiGate to endpoints.

Distractor to avoid:

Do not immediately blame the Collector Agent configuration — the agent is logging logins correctly. The failure is in FortiGate's confirmation step (ICMP workstation check).

Last-Minute Facts

1Policy ID 0 = implicit deny (the last policy in every table, cannot be deleted)
2VIP default: 'all' address object does NOT match VIP destinations unless match-vip is enabled on the deny policy
3IP pool types: Overload (PAT), One-to-one, Fixed Port Range, Port Block Allocation
4Central NAT vs per-policy NAT: mutually exclusive per VDOM
5FSSO workstation verification: enabled by default in some modes; pings endpoint; fails silently if ICMP blocked
6FSSO is passive (no FortiGate login prompt); LDAP/RADIUS/captive portal are active (prompt shown)
7Traffic shaping: shaper object must be APPLIED to a firewall policy to take effect — creating the shaper alone does nothing
Domain 322% of exam

Content Inspection

Must-Know Facts

  • Security profiles (AV, IPS, web filter, app control, DNS filter, DLP) do NOTHING unless attached to a firewall policy. Creating the profile is not enough.
  • Without an SSL inspection profile on a policy, ALL encrypted HTTPS/SMTPS/IMAPS traffic is invisible to AV, IPS, and web filter. Malware in HTTPS tunnels is undetectable.
  • Certificate inspection validates the TLS certificate only — it does NOT decrypt traffic. No content inspection is possible. No CA cert required on endpoints.
  • Deep/Full SSL inspection decrypts, inspects, re-encrypts. Requires the FortiGate SSL inspection CA certificate to be trusted by all endpoints. Without this, browsers show 'untrusted certificate' warnings.
  • Deep SSL inspection breaks certificate-pinned apps (banking, some Office 365 features). Use SSL exemptions for these domains.
  • Proxy mode buffers full content before inspection — more thorough, higher latency/memory. Flow mode inspects streaming packets — lower latency, uses different detection engine.
  • In FortiOS 7.6, DLP supports BOTH flow and proxy feature-sets. Proxy mode DLP = full file buffering for deeper analysis. Flow mode DLP = stream-based scanning. Both work but proxy is more thorough.
  • Web filter uses FortiGuard cloud category lookups for URLs. Requires internet connectivity to FortiGuard servers and active web filtering subscription.
  • Application control identifies apps by Layer 7 DPI signatures regardless of port or protocol. It can block BitTorrent on any port, WhatsApp on non-standard ports, etc. Web filter cannot do this.
  • When FortiGuard subscription expires, signatures stop updating but the feature continues working with stale last-known signatures/categories.
  • Application control has its own logging toggle. IPS logging being enabled does NOT automatically enable application control logging. Only blocked applications log without enabling 'log all sessions'.
  • Botnet C&C blocking requires active FortiGuard subscription and is enabled within AV or IPS profiles — not a standalone feature.

Common Traps

TrapAttaching AV and IPS profiles to a policy and expecting HTTPS traffic to be scanned without SSL inspection
RealityTLS encryption is opaque to all content inspection. Without an SSL inspection profile (at minimum certificate inspection, ideally deep inspection) on the policy, AV and IPS see only encrypted bytes and cannot detect anything inside HTTPS sessions.
TrapUsing web filter to block applications like BitTorrent, Skype, or WhatsApp
RealityWeb filter blocks based on URLs and FortiGuard categories — it operates on HTTP(S). Applications that use non-HTTP protocols or dynamic ports bypass web filter entirely. Use application control (Layer 7 DPI signatures) for these.
TrapAssuming proxy mode inspection is always superior to flow mode
RealityProxy mode has higher latency and memory usage due to content buffering. Flow mode uses a fast inline detection engine optimized for throughput. For VoIP, real-time video, and high-throughput links, flow mode is preferred. In FortiOS 7.6, most features including DLP work in both modes.
TrapEnabling deep SSL inspection and thinking browser certificate errors will go away on their own
RealityDeep SSL inspection requires the FortiGate SSL CA certificate to be deployed to every endpoint's OS or browser trust store. Without this, every HTTPS site will show certificate warnings. Deploy via Group Policy, MDM, or manual installation.
TrapThinking FortiGuard subscription expiry disables web filtering, AV, and IPS immediately
RealityExpired FortiGuard subscriptions stop receiving updates. Features continue functioning with the last-downloaded signatures and categories. The risk is stale signatures, not a sudden feature shutdown.

Confusing Pairs

Certificate InspectionDeep/Full SSL Inspection

Certificate Inspection = checks cert validity, chain, expiry, SNI only; NO traffic decryption; NO content inspection possible; no CA cert required on endpoints; minimal performance impact. Deep Inspection = full MITM decrypt/inspect/re-encrypt; content inspection (AV, IPS, web filter) is effective; CA cert MUST be deployed to endpoints; higher performance cost. Key signal in questions: 'detect malware in HTTPS' = must use Deep Inspection.

Web FilterApplication Control

Web Filter = URL/domain/FortiGuard category blocking; only works on HTTP/HTTPS protocols; cannot block non-browser apps. Application Control = Layer 7 DPI signature matching; works on ANY protocol and port; can block P2P, messaging, streaming apps regardless of transport. For 'block BitTorrent' or 'block WhatsApp' scenarios, app control is required — web filter alone is insufficient.

Proxy Mode InspectionFlow Mode Inspection

Proxy mode = buffers full file before scanning; supports all UTM features with deepest analysis; higher memory/latency. Flow mode = inspects packets as they stream; lower latency; DLP supported in FortiOS 7.6 with stream-based scanning. Key exam distinction: proxy mode DLP provides DEEPER analysis via full file buffering; flow mode DLP uses stream scanning. Neither is universally 'better' — it depends on the use case.

Scenario Tips

If the question asks about:

IPS and AV profiles are attached to a policy. An attacker sends malware inside an HTTPS connection. Will the profiles detect it?

Answer:

No. Without an SSL inspection profile applied to the same policy, HTTPS content is encrypted and invisible. Add a deep SSL inspection profile to the policy to enable content scanning of HTTPS.

Distractor to avoid:

IPS does NOT operate below the encryption layer — it cannot decrypt TLS on its own. Both IPS and AV require the FortiGate to have decrypted the traffic first via SSL inspection.

If the question asks about:

After enabling deep SSL inspection, users report 'untrusted certificate' errors on every HTTPS website. The FortiGate is correctly intercepting traffic. What is the fix?

Answer:

Deploy the FortiGate's SSL inspection CA certificate to all endpoint operating systems or browsers (via Group Policy, MDM, or manual installation). This makes clients trust the FortiGate-signed certificates.

Distractor to avoid:

Adding certificate exemptions for every site is impractical and does not solve the root cause. Switching to certificate inspection avoids the error but also loses content inspection capability.

If the question asks about:

Web filter is configured and active, but users are still using BitTorrent to download files.

Answer:

Add an application control profile with BitTorrent blocked in the P2P category. BitTorrent operates on arbitrary ports and does not use URLs — web filter cannot block it. Application control DPI signatures identify it regardless of port.

Distractor to avoid:

IPS profile is for blocking attacks/exploits, not blocking application usage. DNS filter blocks domain resolution but BitTorrent uses IP tracker connections that bypass DNS.

Last-Minute Facts

1Security profiles do nothing unless ATTACHED to a firewall policy
2SSL inspection profile is ALSO a profile that must be attached to a policy — not automatic
3FortiGuard web filter requires internet connectivity for category lookups (unless using local FortiManager/FDS)
4Deep SSL inspection + no CA cert on endpoints = browser certificate warnings on every HTTPS site
5Application control logs: only blocked apps log by default; enable 'log all sessions' to log allowed apps
6DLP in FortiOS 7.6: supported in BOTH flow and proxy feature-sets (proxy mode = deeper analysis)
7Botnet C&C protection: enabled in AV or IPS profile, requires FortiGuard subscription
Domain 414% of exam

Routing

Must-Know Facts

  • Administrative distance determines preference between routes from DIFFERENT sources. Lower = preferred. Static = 10, eBGP = 20, OSPF = 110, iBGP = 200.
  • Priority is the tie-breaker for routes with the SAME administrative distance (e.g., two static routes). Lower priority value = more preferred. Priority 0 wins over priority 5.
  • ECMP requires equal distance AND equal priority. If either differs, no ECMP — the lower value wins exclusively.
  • Policy routes (PBR) are evaluated BEFORE the routing table. They override any routing table entry, regardless of how specific it is.
  • SD-WAN rules are evaluated top-to-bottom like firewall policies. First matching rule wins. Place application-specific rules ABOVE broader address-based rules.
  • SD-WAN performance SLA health checks monitor link quality (latency, jitter, packet loss) but do NOT steer traffic by themselves. SD-WAN rules that REFERENCE the SLA determine traffic placement.
  • SD-WAN load balancing algorithms: source-ip-based (default, hash on src IP), weight-based, usage-based/spillover (use primary until threshold), source-dest-ip-based, measured-volume-based.
  • Route monitoring (link health monitor): if a monitored IP becomes unreachable, static routes with that monitor are removed from the routing table — enabling failover to backup routes.
  • eBGP neighbors: different AS numbers. iBGP neighbors: same AS. FortiGate supports both for dynamic routing with ISPs (eBGP) and internal networks (iBGP or OSPF).

Common Traps

TrapThinking two static routes with the same distance automatically form ECMP
RealityECMP requires BOTH equal distance AND equal priority. If one route has priority 0 and the other has priority 5 (even with the same distance), only the priority 0 route is active. Set both distance and priority equal to achieve ECMP.
TrapAssuming a more-specific routing table entry always beats a policy route
RealityPolicy routes are processed BEFORE any routing table lookup. A policy route for source 10.0.0.0/24 overrides even a /32 static route for the same destination. Policy routes take absolute precedence over the routing table.
TrapConfiguring an SD-WAN performance SLA and expecting traffic to automatically use the better link
RealitySLA health checks only MEASURE link quality. Traffic steering requires an SD-WAN rule that references the SLA and specifies the selection mode (best-quality, lowest-cost, etc.). Without a rule, SLA data is collected but not used for routing decisions.
TrapConfusing administrative distance with priority in static route selection
RealityAdministrative distance compares routes from different sources (static vs OSPF vs BGP). Priority is the tie-breaker within the same source type (two static routes). They are evaluated at different stages: distance first, then priority.
TrapAssuming SD-WAN application rules match at session start even for dynamic protocols
RealityApplication identification with DPI may not occur until the application is recognized (several packets in). Early packets in a session may match an address-based rule before the application is identified. Place application rules above address rules, and accept that the first few packets of a new session may take a non-application-specific path.

Confusing Pairs

Administrative DistancePriority

Administrative distance = preference between routes from DIFFERENT routing protocols/sources (static=10, OSPF=110, eBGP=20). Lower wins. Priority = tie-breaker between routes from the SAME source with the SAME distance. Lower wins. Sequence: first compare distance across sources, then compare priority within tied distance routes.

Static RoutePolicy Route (PBR)

Static route = matches by DESTINATION prefix only; entered in routing table; subject to distance/priority/ECMP. Policy route = matches by source, destination, protocol, TOS; evaluated BEFORE routing table; bypasses routing table entirely. Use PBR when you need source-based routing (different WAN per source subnet).

SD-WAN Performance SLASD-WAN Rule

Performance SLA = health check probe (ping/HTTP/DNS) that measures link latency, jitter, and packet loss. It gathers data. SD-WAN Rule = traffic steering policy that references an SLA and selects which member (WAN interface) to use based on SLA results and selection mode. SLA without a rule = monitoring only. Rule without SLA = static member selection.

Scenario Tips

If the question asks about:

Two default routes exist: ISP1 with distance 10, priority 0 and ISP2 with distance 10, priority 10. Both links are up. Which is used?

Answer:

ISP1. Same distance, so priority is the tie-breaker. Priority 0 is preferred over priority 10 (lower value wins). This is NOT ECMP because the priorities differ.

Distractor to avoid:

Do not confuse higher priority VALUE with higher preference. In FortiOS, LOWER priority number = MORE preferred, not the other way around.

If the question asks about:

All HR traffic from 10.1.1.0/24 must exit WAN2, while all other traffic uses the standard routing table.

Answer:

Create a policy route matching source address 10.1.1.0/24 with WAN2 as the outgoing interface. Policy routes override the routing table for matching traffic.

Distractor to avoid:

A static route matches destination, not source — you cannot differentiate traffic by source subnet using a static route. SD-WAN rules work only if WAN interfaces are SD-WAN members.

Last-Minute Facts

1Administrative distances: Static=10, eBGP=20, OSPF=110, iBGP=200, Connected=0
2ECMP requirement: same distance AND same priority on competing routes
3Policy route evaluation: BEFORE routing table — absolute override
4SD-WAN ECMP algorithms: source-ip-based (default), weight-based, usage-based (spillover), source-dest-ip-based, measured-volume-based
5SD-WAN SLA checks do NOT steer traffic on their own — SD-WAN rules are required
6Route monitoring: if monitored IP unreachable, associated static routes are removed from routing table
Domain 514% of exam

VPN

Must-Know Facts

  • IKE Phase 1 establishes the ISAKMP SA (secure management channel). Parameters: authentication method (PSK or cert), encryption, hash/integrity, DH group, lifetime. ALL must match on both peers.
  • IKE Phase 2 establishes the IPsec SA (data encryption). Parameters: encryption, hash/integrity, PFS DH group, proxy IDs (for policy-based), lifetime. ALL must match on both peers.
  • Phase 1 failure = no tunnel at all. Phase 2 failure = Phase 1 is up but no traffic flows. Understanding which phase failed is critical for troubleshooting.
  • Route-based VPN creates a virtual tunnel interface (VTI). Traffic is routed into the tunnel via static or dynamic routes. Policies reference the tunnel as source/destination interface.
  • Policy-based VPN has no tunnel interface. Traffic is selected by proxy IDs (local subnet, remote subnet). Required for interoperability with devices that enforce specific proxy IDs.
  • Route-based VPN is the Fortinet-recommended approach. It supports dynamic routing (OSPF/BGP over tunnel), ECMP, and easier HA failover.
  • SSL VPN tunnel mode requires FortiClient and creates a virtual NIC. Users get an IP from the SSL VPN IP pool and are routed into the internal network via the ssl.root virtual interface.
  • SSL VPN web mode is clientless (browser only). FortiGate acts as a reverse proxy. Access is limited to HTTP/HTTPS applications via bookmarks.
  • SSL VPN requires TWO mandatory components: (1) portal/user group configuration and (2) a firewall policy from ssl.root to the internal destination interface. Both must exist for users to access resources.
  • Split tunneling in SSL VPN sends only specified subnets through the VPN tunnel. All other traffic (internet browsing) goes directly out the user's local connection. Without split tunneling, ALL traffic goes through corporate VPN.

Common Traps

TrapAn SSL VPN user connects successfully and gets an IP but cannot reach internal servers
RealityThe SSL VPN tunnel is established but there is no firewall policy from ssl.root to the internal interface. This missing policy is the most common SSL VPN access failure. Creating the portal and user group is not enough — the ssl.root-to-internal policy must also exist.
TrapTroubleshooting a VPN by checking Phase 2 when Phase 1 is not up
RealityPhase 2 cannot establish if Phase 1 is down. Always verify Phase 1 status first with 'diagnose vpn ike gateway list'. If Phase 1 is not up, investigate Phase 1 parameter mismatches before anything else.
TrapAssuming route-based and policy-based VPN are interchangeable
RealityRoute-based VPN uses a tunnel interface and routes traffic via the routing table. Policy-based VPN uses proxy IDs and a special IPsec action in firewall policies. Route-based is more flexible and Fortinet-preferred. Policy-based is needed primarily for third-party interoperability where the remote end enforces specific proxy IDs.
TrapUsing split tunneling and expecting all internet traffic to be inspected by the corporate FortiGate
RealitySplit tunneling sends ONLY the specified subnets through the VPN. Internet-bound traffic exits directly from the user's local internet connection, bypassing the corporate FortiGate entirely. To inspect all internet traffic, disable split tunneling (full tunnel mode).
TrapThinking IKEv2 and IKEv1 Phase 1 parameters are fully interchangeable
RealityIKEv2 consolidates IKE negotiation into fewer messages and has some parameter differences (e.g., supports multiple transforms per proposal natively). Both peers must use the same IKE version. IKEv2 cannot negotiate with an IKEv1-only peer.

Confusing Pairs

IKE Phase 1IKE Phase 2

Phase 1 = ISAKMP SA (the management/key exchange channel). Failure here = no tunnel whatsoever. Phase 2 = IPsec SA (the data encryption channel). Phase 1 must be up for Phase 2 to negotiate. 'diagnose vpn ike gateway list' shows Phase 1. 'diagnose vpn tunnel list' shows Phase 2. Common trap: Phase 1 up but no traffic = Phase 2 mismatch (likely proxy IDs for policy-based VPN or encryption/PFS mismatch).

Route-Based IPsec VPNPolicy-Based IPsec VPN

Route-based = virtual tunnel interface (VTI) created; routes point to the VTI; policies use VTI as interface; supports dynamic routing and ECMP; Fortinet-recommended. Policy-based = no VTI; traffic selected by proxy IDs (local/remote subnets) in the firewall policy; needed for third-party devices requiring specific proxy IDs; no dynamic routing over tunnel.

SSL VPN Web ModeSSL VPN Tunnel Mode

Web mode = clientless, browser only, FortiGate proxies HTTP/HTTPS to internal apps, no FortiClient needed, limited to web applications. Tunnel mode = requires FortiClient, virtual NIC created, user gets VPN pool IP, supports all IP protocols, full or split tunneling. Key signals: 'no client software required' = web mode. 'full network access' or 'any protocol' = tunnel mode.

Scenario Tips

If the question asks about:

A site-to-site IPsec VPN Phase 1 fails even though pre-shared keys match on both ends.

Answer:

Check Phase 1 proposal parameters: encryption algorithm, hash/integrity algorithm, and Diffie-Hellman group must all match on both peers. A single mismatched parameter prevents Phase 1 from establishing.

Distractor to avoid:

Proxy IDs (local/remote subnets) are Phase 2 parameters — they do not affect Phase 1 negotiation. Tunnel interface IPs are route-based VPN config, not Phase 1 negotiation parameters.

If the question asks about:

An SSL VPN user connects and receives an IP from the VPN pool but cannot reach any internal hosts. They can ping the FortiGate's internal interface IP.

Answer:

A firewall policy from ssl.root to the internal network interface is missing or not matching the traffic. Create a policy: srcintf=ssl.root, dstintf=internal, source=all (or VPN pool), destination=internal subnet, action=accept.

Distractor to avoid:

The fact that the user can ping the FortiGate itself does not mean internal host access is working — the FortiGate responds to ping on its own interface from ssl.root, but traffic to LAN hosts requires a separate policy.

If the question asks about:

Which CLI command shows the status of active IKE Phase 1 security associations including peer IP and authentication status?

Answer:

'diagnose vpn ike gateway list' shows Phase 1 ISAKMP SA status. 'diagnose vpn tunnel list' shows Phase 2 IPsec SA status. 'get vpn ssl monitor' shows SSL VPN user sessions.

Distractor to avoid:

'diagnose debug application ike -1' enables REAL-TIME IKE debug output, not a status summary — do not confuse it with a status command.

Last-Minute Facts

1Troubleshooting order: check Phase 1 FIRST with 'diagnose vpn ike gateway list' — if Phase 1 is not established, Phase 2 cannot exist
2Phase 1 down = 'diagnose vpn ike gateway list' shows no established SA. Phase 1 up but no traffic = 'diagnose vpn tunnel list' shows no Phase 2 SA (likely encryption/PFS/proxy ID mismatch)
3get vpn ssl monitor = SSL VPN active sessions (shows username, assigned IP, duration)
4SSL VPN tunnel mode requires: (1) portal config with tunnel-mode enabled, (2) user group assignment, (3) ssl.root-to-internal firewall policy
5Route-based VPN: traffic routed to tunnel interface via static/dynamic route; policies reference tunnel interface
6Policy-based VPN: proxy IDs define traffic selectors; used for third-party interoperability
7IKEv1 main mode = 6 messages; aggressive mode = 3 messages (less secure, no identity protection)
8IKEv2: combines Phase 1 and initial Phase 2 in fewer exchanges; peers must both use IKEv2
9Split tunneling: specified subnets go through VPN; all other internet traffic exits locally (bypasses corporate inspection)

Feeling confident?

Put your knowledge to the test with a timed NSE4_FGT_AD-7.6 mock exam.