You Can Pass This Exam For Free
Choose Your Study Path
Limited experience with FortiGate or enterprise firewalls. You need to build foundational knowledge of network security principles and FortiOS before studying for NSE 4. Complete the free NSE 1-3 training first.
Exam Overview
Format
50-55 multiple-choice and multiple-select questions, 90 minutes. Exam code: NSE4_FGT_AD-7.6. Delivered via Pearson VUE at authorized testing centers or online proctored. Closed-book with no external resources. Multiple-select questions require all correct answers — no partial credit.
Scoring
Pass/fail scoring. Passing score is approximately 70/100 (Fortinet uses a scaled score). No penalty for wrong answers on single-answer questions — always answer every question. Score report provided after exam. Multiple-select questions: all correct answers must be selected for full credit, no partial credit awarded.
Domains & Weights
- Deployment and System Configuration: 22%
- Firewall Policies and Authentication: 28%
- Content Inspection: 22%
- Routing: 14%
- VPN: 14%
Registration
$200 USD. Register at pearsonvue.com/fortinet. Certification is valid for 2 years. If you fail, you must wait 15 days before retaking. NSE 1-3 free courses are strongly recommended but not formally required as prerequisites. The FCP (Fortinet Certified Professional) brand is being restructured into the NSE certification program effective July 15, 2026; exam delivery is suspended July 13-15, 2026 for the transition. Active FCP Network Security certifications will be automatically mapped to the corresponding NSE 4 certification.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Deployment and System Configuration
Covers FortiGate initial deployment, network interface types and configuration, system administration settings, firmware management, and high availability. Questions test your ability to choose the right deployment mode, configure administrative access correctly, and understand HA failover behavior.
Key Topics
Must-Know Concepts
- NAT/Route mode vs Transparent mode: NAT/Route is standard (routing + NAT); Transparent mode is Layer 2 bridging (no NAT, no routing, no interface IPs)
- Interface types: physical, VLAN sub-interface (802.1Q), aggregate (LACP), loopback, redundant, software switch, hardware switch
- Zones: logical groupings of interfaces that simplify policy creation — intrazone traffic can be allowed or blocked; interzone traffic requires explicit policies
- Administrative access: HTTPS, HTTP, SSH, Telnet, PING, FMG-Access per interface. Principle of least privilege — only enable necessary services on each interface
- Trusted hosts: restrict administrative login source IPs to specific subnets. If configured, only those IPs can log in regardless of correct credentials
- Firmware upgrade best practices: backup config first, verify image checksum, plan maintenance window, understand that firmware downgrades may not preserve configuration
- HA Active-Passive: primary handles all traffic, secondary monitors via heartbeat interfaces. Failover when primary fails health checks (link monitoring, session monitoring)
- HA Active-Active: primary distributes sessions to all HA units using load balancing. All units process traffic. Improves throughput but more complex than active-passive
- HA heartbeat interfaces: dedicated physical interfaces for heartbeat and session synchronization. Should be direct connections between HA units, not through switches
- FortiGate initial setup: management IP, default route, DNS, NTP, admin password. Factory reset restores defaults including management IP of 192.168.1.99
- Logging configuration: log to local disk, FortiAnalyzer, FortiCloud, or syslog server. Log levels: emergency, alert, critical, error, warning, notification, information, debug. Log filtering and reliable logging (TCP-based) vs unreliable (UDP-based)
- FortiGate cloud deployments: FortiGate-VM available on AWS, Azure, GCP, and other hypervisors. FortiGate CNF (Cloud-Native Firewall) as a managed service. Same FortiOS features but ASIC offloading not available in VM/cloud deployments
Common Exam Traps
Firewall Policies and Authentication
The largest domain at 28%. Covers firewall policy types, traffic matching logic, all forms of NAT, user authentication methods (local, LDAP, RADIUS), FSSO for identity-based policies, user groups, and traffic shaping policies. This domain tests both conceptual understanding and practical configuration knowledge.
Key Topics
Must-Know Concepts
- Policy matching order: policies are evaluated top-to-bottom, first match wins. Source interface, destination interface, source address, destination address, service — all must match
- Implicit deny: every policy table ends with an implicit deny-all policy. Traffic not matched by any explicit policy is dropped silently
- Policy types: IPv4, IPv6, multicast, local (FortiGate-generated traffic), implicit. IPv4 policy is the most common exam topic
- IP pool types for SNAT — Overload (many-to-one PAT, most common), One-to-one (each internal IP maps to a specific external IP), Fixed Port Range (ranges allocated per source IP), Port Block Allocation (blocks of ports allocated dynamically)
- VIP (Virtual IP) for DNAT: maps an external IP (and optionally port) to an internal server IP (and optionally port). Must be referenced in a firewall policy as the destination address
- VIP groups: combine multiple VIPs into a single policy object for simpler policy management
- Central NAT: separate SNAT/DNAT tables. SNAT policies: original source → translated source. DNAT: done through VIPs referenced in central NAT DNAT policies
- Authentication methods: local database (user accounts stored on FortiGate), LDAP (bind and search for AD/LDAP credentials), RADIUS (remote authentication with RADIUS server)
- Firewall active authentication: users see a FortiGate login portal when accessing resources that require authentication. Browser-based (HTTP/HTTPS) or captive portal
- FSSO passive authentication: FortiGate monitors AD login events and maps IPs to usernames without requiring users to log in again through FortiGate
- User groups: combine local users, LDAP/RADIUS-retrieved groups, and FSSO groups into a single group object for use in firewall policies
- Traffic shaping: per-policy shaper (applied to all traffic in a policy), shared shaper (aggregate bandwidth limit across multiple policies), reverse shaper (inbound traffic limit)
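To make the matching order, the implicit deny, the overload IP pool and the VIP concrete, here is an added Python model of a small policy table; it is not FortiOS code, and the interface names, addresses, VIP and pool values are constructed. The model treats a VIP as matching only its external IP and port, applies DNAT through the VIP and SNAT through a many-to-one pool, and falls through to an implicit deny when nothing matches.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration (not FortiOS code): top-down first-match policy lookup with
# an implicit deny, an overload IP pool for SNAT and a port-forwarding VIP for DNAT.

@dataclass
class VIP:
    extip: str
    extport: int
    mappedip: str
    mappedport: int

@dataclass
class Policy:
    id: int
    srcintf: str
    dstintf: str
    srcaddr: str      # CIDR or "all"
    dstaddr: str      # CIDR, "all", or the name of a VIP
    service: set      # {"tcp/443", ...} or {"ALL"}
    action: str       # "accept" or "deny"
    nat: bool = False # SNAT accepted traffic to the pool address of the egress interface

# Constructed objects
VIPS = {"web-vip": VIP("203.0.113.10", 443, "10.0.2.10", 8443)}
IPPOOL_OVERLOAD = {"wan1": "203.0.113.1"}   # many-to-one: every internal host shares this address

POLICIES = [
    Policy(1, "internal", "wan1", "10.0.1.0/24", "all", {"tcp/80", "tcp/443"}, "accept", nat=True),
    Policy(2, "wan1", "dmz", "all", "web-vip", {"tcp/443"}, "accept"),
    Policy(3, "internal", "wan1", "all", "all", {"ALL"}, "deny"),   # explicit catch-all for LAN->WAN
]

def _src_match(spec, ip):
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _dst_match(spec, ip, dport):
    if spec in VIPS:                      # a VIP matches only its external IP and port
        v = VIPS[spec]
        return ipaddress.ip_address(ip) == ipaddress.ip_address(v.extip) and dport == v.extport
    return _src_match(spec, ip)

def _svc_match(spec, proto, dport):
    return "ALL" in spec or f"{proto}/{dport}" in spec

def lookup(policies, srcintf, dstintf, src, dst, proto, dport):
    """Return the first matching policy's verdict and the post-NAT tuple."""
    for p in policies:
        if (p.srcintf, p.dstintf) != (srcintf, dstintf):
            continue
        if not (_src_match(p.srcaddr, src) and _dst_match(p.dstaddr, dst, dport)
                and _svc_match(p.service, proto, dport)):
            continue
        verdict = {"policy": p.id, "action": p.action, "src": src, "dst": dst, "dport": dport}
        if p.action == "accept":
            if p.dstaddr in VIPS:                    # DNAT happens through the VIP
                v = VIPS[p.dstaddr]
                verdict["dst"], verdict["dport"] = v.mappedip, v.mappedport
            if p.nat:                                # SNAT with the overload pool
                verdict["src"] = IPPOOL_OVERLOAD[dstintf]
        return verdict
    # Nothing matched: the implicit deny at the bottom of the table drops it
    return {"policy": 0, "action": "deny", "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    print(lookup(POLICIES, "internal", "wan1", "10.0.1.5", "198.51.100.7", "tcp", 443))
    print(lookup(POLICIES, "wan1", "dmz", "198.51.100.7", "203.0.113.10", "tcp", 443))
    print(lookup(POLICIES, "dmz", "internal", "10.0.2.10", "10.0.1.5", "tcp", 445))
```

Two behaviours worth checking against the bullets: an SSH session from the permitted subnet is dropped by policy 3 rather than policy 1 because the service list does not include tcp/22, and a connection to the VIP's public address on a port other than 443 never matches policy 2, so it reaches the implicit deny with policy id 0.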
Common Exam Traps
Content Inspection
Covers all security profiles and inspection capabilities: antivirus, web filtering, application control, IPS, DNS filter, and file filter. Also covers SSL/SSH inspection (the prerequisite for inspecting encrypted traffic) and the critical choice between proxy-based and flow-based inspection modes.
Key Topics
Must-Know Concepts
- Security profile types: antivirus (file scanning), web filter (URL/category blocking), application control (Layer 7 app identification), IPS (exploit/attack signatures), DNS filter (malicious domain blocking), file filter (block by file type), DLP (data loss prevention — supports both flow and proxy feature-sets in FortiOS 7.6)
- Profiles must be applied to firewall policies to take effect — creating a profile alone does nothing
- Proxy-based inspection: buffers full content, supports all UTM features with full file analysis for DLP and AV, higher latency and memory usage
- Flow-based inspection: streams packets through without buffering, lower latency, most profiles supported in FortiOS 7.6 (including DLP with stream-based scanning), better throughput
- SSL/TLS inspection: required to inspect HTTPS, SMTPS, IMAPS traffic. Without SSL inspection, encrypted traffic content is invisible to security profiles
- Certificate inspection: validates SSL certificate only, no content decryption. Does not require CA cert on endpoints
- Deep/Full SSL inspection: decrypts, inspects, re-encrypts. FortiGate CA certificate must be trusted by endpoints (installed in OS/browser trust store) to avoid SSL warnings
- SSH inspection: deep inspection of SSH sessions. Can inspect commands, file transfers (SCP/SFTP), and block specific SSH operations
- Web filter FortiGuard categories: FortiGate queries FortiGuard cloud for URL category. Can allow/monitor/warn/block by category. Local ratings override FortiGuard categories
- Application control detects apps by DPI signatures even on non-standard ports. Can block, allow, or shape specific applications or categories
- IPS signatures: detect and block known exploits, vulnerability scanning, and attack patterns. Signatures updated via FortiGuard IPS subscription
- Botnet C&C protection: blocks connections to known command-and-control servers. Requires FortiGuard subscription and is enabled in antivirus or IPS profiles
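The two traps in this list that cost the most points are a profile that exists but is not attached to the policy, and a content profile attached to a policy whose SSL inspection is certificate-only or absent. The following Python model is an added example, not FortiOS code: the profile names are constructed, and the split between profile types that need decrypted payload (antivirus, IPS, DLP, file filter) and those that can act on the server name or certificate alone (web filter, application control) is the model's assumption, applied conservatively so that with no SSL inspection nothing inspects an encrypted flow.

```python
from dataclasses import dataclass, field

# Added illustration (not FortiOS code): which attached security profiles can
# actually see a flow, given the policy's SSL/SSH inspection setting.

# Assumption of this model: profile types that need the decrypted payload vs.
# types that can work from the server name / certificate alone.
PAYLOAD_TYPES = {"antivirus", "ips", "dlp", "file-filter"}
METADATA_TYPES = {"webfilter", "application-control"}

# Constructed security profiles that exist on the unit: name -> type
CONFIGURED = {
    "av-default": "antivirus",
    "ips-default": "ips",
    "web-strict": "webfilter",
    "app-default": "application-control",
}

@dataclass
class FirewallPolicy:
    profiles: set = field(default_factory=set)  # profile names attached to this policy
    ssl_ssh_profile: str = None                 # None, "certificate-inspection", "deep-inspection"

def effective_profiles(policy, encrypted):
    """Profiles that can inspect this flow. encrypted=True for HTTPS/SMTPS/IMAPS."""
    attached = {n for n in policy.profiles if n in CONFIGURED}   # unattached profiles do nothing
    if not encrypted or policy.ssl_ssh_profile == "deep-inspection":
        return attached                                            # full payload visible
    if policy.ssl_ssh_profile == "certificate-inspection":
        return {n for n in attached if CONFIGURED[n] in METADATA_TYPES}
    return set()                                                   # no SSL inspection: opaque

def blind_spots(policy, encrypted):
    """Attached profiles that are configured but cannot see this flow's content."""
    attached = {n for n in policy.profiles if n in CONFIGURED}
    return attached - effective_profiles(policy, encrypted)

if __name__ == "__main__":
    policy = FirewallPolicy({"av-default", "ips-default", "app-default"}, "certificate-inspection")
    print("HTTP :", sorted(effective_profiles(policy, False)))
    print("HTTPS:", sorted(effective_profiles(policy, True)), "blind:", sorted(blind_spots(policy, True)))
```

With certificate inspection, the antivirus and IPS profiles on the sample policy are blind to HTTPS even though they are attached, which is exactly the configuration that looks complete in the GUI and still lets encrypted downloads through; switching the policy to deep inspection (and distributing the FortiGate CA to endpoints) is what closes the gap.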
Common Exam Traps
Routing
Covers all routing capabilities on FortiGate: static routes, policy-based routing (PBR), equal-cost multi-path (ECMP) load balancing, BGP and OSPF dynamic routing, SD-WAN traffic steering, and route monitoring for failover. Questions test routing selection logic and SD-WAN SLA configuration.
Key Topics
Must-Know Concepts
- Administrative distance: determines preference among routes from different sources. Lower is preferred. Direct (0), Static (10), eBGP (20), OSPF (110), iBGP (200). Multiple static routes to the same destination: lower distance wins
- Priority: tie-breaker for routes with the same administrative distance. Lower priority value wins
- ECMP: multiple routes to the same destination with equal distance and priority are installed as equal-cost paths. FortiGate load balances across them. ECMP methods: source-ip-based (default), weight-based, usage-based (spillover), source-dest-ip-based, measured-volume-based
- Policy routes (PBR): match by source interface, source address, destination address, protocol, TOS. Override routing table. Evaluated BEFORE routing table. Empty match fields = match all
- SD-WAN: logical interface grouping WAN members. Performance SLA monitors link health (packet loss, latency, jitter) via ping/HTTP/DNS probes. Rules steer traffic to optimal member based on SLA criteria
- SD-WAN load balancing algorithms: source-ip-based (default, hash on source IP), weight-based (distribute by weight ratio), usage-based/spillover (use primary until bandwidth threshold), source-dest-ip-based (hash on both source and destination IP), measured-volume-based (distribute by bandwidth ratio)
- BGP: eBGP connects to ISPs (different AS numbers, default admin distance 20). iBGP connects internal routers (same AS, default admin distance 200). BGP neighbors configured with remote-AS, neighbor IP, and local AS
- OSPF: link-state routing within a single AS. Requires area configuration (area 0 = backbone). FortiGate supports OSPF areas, redistribution, and authentication
- Route monitoring: monitor a specific IP or route. If monitor fails, static routes with that monitor configured are removed from the routing table, triggering failover to backup routes
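The selection order spread across the bullets above (policy routes first, then longest prefix, administrative distance, priority, ECMP on ties, and monitored static routes withdrawn when their monitor fails) can be exercised in one place. The following Python model is an added example and not FortiOS code; the routing table, policy route, link-monitor names and addresses are constructed, and ECMP is represented only by returning every tied egress device rather than hashing a session onto one of them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration (not FortiOS code): next-hop selection in the order the
# section describes: policy routes first, then longest prefix, administrative
# distance and priority, with ties installed as ECMP, and link-monitored static
# routes withdrawn when their monitor is down.

@dataclass
class Route:
    prefix: str
    device: str
    distance: int = 10              # FortiGate static default
    priority: int = 1               # lower value preferred among equal distance
    monitor: Optional[str] = None   # link monitor that can withdraw this route

@dataclass
class PolicyRoute:
    device: str
    srcintf: Optional[str] = None   # None on any field means "match all"
    src: Optional[str] = None
    dst: Optional[str] = None
    protocol: Optional[int] = None

# Constructed routing table
ROUTES = [
    Route("0.0.0.0/0", "wan1", monitor="wan1-mon"),
    Route("0.0.0.0/0", "wan2", monitor="wan2-mon"),
    Route("0.0.0.0/0", "wan3", distance=20),          # floating static: backup only
    Route("10.0.0.0/8", "vpn-hq"),                     # remote sites reached over the VPN
]
POLICY_ROUTES = [
    PolicyRoute("wan2", srcintf="internal", src="10.0.3.0/24"),   # guest subnet pinned to wan2
]

def _in(ip, cidr):
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def candidate_routes(routes, dst_ip, monitor_state):
    """Routes left for dst_ip after monitor withdrawal, prefix length, distance and priority."""
    alive = [r for r in routes if r.monitor is None or monitor_state.get(r.monitor, True)]
    matching = [r for r in alive if _in(dst_ip, r.prefix)]
    if not matching:
        return []
    best_len = max(ipaddress.ip_network(r.prefix).prefixlen for r in matching)
    matching = [r for r in matching if ipaddress.ip_network(r.prefix).prefixlen == best_len]
    best_dist = min(r.distance for r in matching)
    matching = [r for r in matching if r.distance == best_dist]
    best_prio = min(r.priority for r in matching)
    return [r for r in matching if r.priority == best_prio]

def select_next_hop(srcintf, src_ip, dst_ip, protocol, monitor_state,
                    policy_routes=POLICY_ROUTES, routes=ROUTES):
    """Return (how the decision was made, list of egress devices)."""
    for pr in policy_routes:                         # evaluated before the routing table
        if pr.srcintf not in (None, srcintf) or pr.protocol not in (None, protocol):
            continue
        if _in(src_ip, pr.src) and _in(dst_ip, pr.dst):
            return "policy-route", [pr.device]
    cands = candidate_routes(routes, dst_ip, monitor_state)
    if not cands:
        return "no-route", []
    if len(cands) > 1:
        return "ecmp", [r.device for r in cands]     # load-balanced, source-ip-based by default
    return "routing-table", [cands[0].device]

if __name__ == "__main__":
    print(select_next_hop("internal", "10.0.1.5", "8.8.8.8", 6, {}))
    print(select_next_hop("internal", "10.0.1.5", "8.8.8.8", 6, {"wan1-mon": False}))
    print(select_next_hop("internal", "10.0.1.5", "8.8.8.8", 6, {"wan1-mon": False, "wan2-mon": False}))
    print(select_next_hop("internal", "10.0.3.9", "8.8.8.8", 6, {}))
```

The floating static via wan3 only appears once both monitored defaults have been withdrawn, and the guest subnet never consults the routing table at all because its policy route matches first; both are the behaviours the exam expects you to predict.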
Common Exam Traps
VPN
Covers IPsec VPN for site-to-site and remote access (dial-up) configurations, SSL VPN in web mode and tunnel mode for clientless and client-based remote access, and practical VPN troubleshooting. Questions test your knowledge of IKE phases, tunnel parameters, and common VPN failure scenarios.
Key Topics
Must-Know Concepts
- IKE Phase 1: establishes the ISAKMP SA for a secure management channel. Parameters: authentication method (PSK or certificates), encryption algorithm, hash/integrity algorithm, DH group, lifetime. IKEv1 modes: main mode (6 messages) or aggressive mode (3 messages, less secure)
- IKE Phase 2: establishes the IPsec SA for actual data encryption. Parameters: encryption algorithm, hash/integrity, PFS (Perfect Forward Secrecy), proxy IDs (local/remote subnet), lifetime
- All Phase 1 and Phase 2 parameters must match on both VPN peers — mismatch is the most common cause of VPN failure
- Route-based IPsec VPN: creates a virtual tunnel interface (VTI). Traffic is routed to the tunnel via static or dynamic routes. Firewall policies use the tunnel interface as source/destination interface
- Policy-based IPsec VPN: no tunnel interface. Traffic is selected by proxy IDs (local subnet, remote subnet). Policy action is IPsec with tunnel selected. Less flexible than route-based
- Dial-up VPN (hub-and-spoke): FortiGate acts as hub, accepting incoming IPsec connections from multiple remote clients or FortiGate spokes. IKEv1 aggressive mode or IKEv2 for dial-up
- SSL VPN web mode: clientless portal on HTTPS. Users browse to FortiGate HTTPS URL and access internal web apps via reverse proxy. No FortiClient needed
- SSL VPN tunnel mode: FortiClient creates a virtual NIC. User gets an IP from the SSL VPN IP pool. Traffic is routed through the SSL VPN tunnel. Supports split tunneling (only specified subnets go through VPN)
- SSL VPN firewall policy: traffic from ssl.root (virtual SSL VPN interface) to internal destination. Must be created for users to reach internal resources after connecting
- VPN troubleshooting commands: diagnose vpn ike gateway list (Phase 1 status), diagnose vpn tunnel list (Phase 2 SAs), diagnose debug application ike -1 (IKE debug), get vpn ssl monitor (SSL VPN sessions)
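Since a parameter mismatch is the most common reason a tunnel never comes up, it helps to see which Phase 1 and Phase 2 settings have to agree and how proxy IDs must mirror each other. The following Python checker is an added example, not FortiOS code or Fortinet tooling; the two peers' settings are constructed, and the rule that Phase 2 is not evaluated until Phase 1 can complete is the model's own ordering. A pre-shared key mismatch cannot be found by comparing configurations this way, which is why the IKE debug command above is still needed in practice.

```python
from dataclasses import dataclass

# Added illustration (not FortiOS code): side-by-side check of the Phase 1 and
# Phase 2 parameters two IPsec peers must agree on.

@dataclass
class Phase1:
    version: int            # 1 or 2
    auth: str               # "psk" or "certificate"
    encryption: set         # proposals offered, e.g. {"aes256", "aes128"}
    integrity: set          # e.g. {"sha256"}
    dhgrp: set              # e.g. {14, 19}
    lifetime: int = 86400
    mode: str = "main"      # IKEv1 only: "main" or "aggressive"

@dataclass
class Phase2:
    encryption: set
    integrity: set
    pfs: bool
    dhgrp: set
    local_subnet: str       # proxy IDs as seen from this peer
    remote_subnet: str
    lifetime: int = 43200

def compare_phase1(a, b):
    problems = []
    if a.version != b.version:
        problems.append(f"IKE version: {a.version} vs {b.version}")
        return problems                 # nothing else is comparable across versions
    if a.version == 1 and a.mode != b.mode:
        problems.append(f"IKEv1 mode: {a.mode} vs {b.mode}")
    if a.auth != b.auth:
        problems.append(f"authentication method: {a.auth} vs {b.auth}")
    if not a.encryption & b.encryption:
        problems.append("no common Phase 1 encryption algorithm")
    if not a.integrity & b.integrity:
        problems.append("no common Phase 1 integrity algorithm")
    if not a.dhgrp & b.dhgrp:
        problems.append("no common Phase 1 DH group")
    if a.lifetime != b.lifetime:
        problems.append(f"Phase 1 lifetime: {a.lifetime} vs {b.lifetime}")
    return problems

def compare_phase2(a, b):
    problems = []
    if not a.encryption & b.encryption:
        problems.append("no common Phase 2 encryption algorithm")
    if not a.integrity & b.integrity:
        problems.append("no common Phase 2 integrity algorithm")
    if a.pfs != b.pfs:
        problems.append(f"PFS: {a.pfs} vs {b.pfs}")
    elif a.pfs and not a.dhgrp & b.dhgrp:
        problems.append("PFS enabled but no common Phase 2 DH group")
    # Proxy IDs must mirror each other: my local is the peer's remote and vice versa
    if a.local_subnet != b.remote_subnet or a.remote_subnet != b.local_subnet:
        problems.append(f"proxy IDs not mirrored: {a.local_subnet}<->{a.remote_subnet} "
                        f"vs {b.local_subnet}<->{b.remote_subnet}")
    if a.lifetime != b.lifetime:
        problems.append(f"Phase 2 lifetime: {a.lifetime} vs {b.lifetime}")
    return problems

def diagnose(p1_a, p1_b, p2_a, p2_b):
    """Phase 2 is only meaningful once Phase 1 can complete."""
    p1 = compare_phase1(p1_a, p1_b)
    if p1:
        return {"phase1": p1, "phase2": ["not evaluated: Phase 1 cannot complete"]}
    return {"phase1": [], "phase2": compare_phase2(p2_a, p2_b)}

# Constructed sample: a headquarters peer and a branch peer whose Phase 1 uses
# an older hash and DH group than the hub accepts
HQ_P1 = Phase1(1, "psk", {"aes256"}, {"sha256"}, {14})
BR_P1 = Phase1(1, "psk", {"aes256"}, {"sha1"}, {5}, mode="main")
HQ_P2 = Phase2({"aes256"}, {"sha256"}, True, {14}, "10.0.1.0/24", "10.0.2.0/24")
BR_P2 = Phase2({"aes256"}, {"sha256"}, True, {14}, "10.0.2.0/24", "10.0.1.0/24")

if __name__ == "__main__":
    print(diagnose(HQ_P1, BR_P1, HQ_P2, BR_P2))
    print(diagnose(HQ_P1, HQ_P1, HQ_P2, BR_P2))
```

In the sample, the branch offers only SHA1 and DH group 5, so Phase 1 is reported with two problems and Phase 2 is not examined; once the Phase 1 proposals are aligned, the mirrored proxy IDs (hub local 10.0.1.0/24 is the branch's remote, and vice versa) let Phase 2 pass cleanly.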
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.