CertPrepNow: Fortinet NSE4_FGT_AD-7.6 (updated 2026-06-09)

NSE4_FGT_AD-7.6 Study Guide

Everything you need to pass the Fortinet NSE 4 - FortiOS 7.6 Administrator exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The Fortinet NSE 4 / FCP exam is passable with free resources if you have hands-on FortiGate experience and study consistently for 6-10 weeks:

  • Fortinet free self-paced training at training.fortinet.com — NSE 4 Network Security Professional course covers all exam objectives
  • FortiOS 7.6 Administration Guide (free PDF download from docs.fortinet.com)
  • FortiOS 7.6 CLI Reference Guide — essential for understanding diagnose and config commands
  • Fortinet Community Forums at community.fortinet.com — real-world discussion of exam topics
  • FortiGate 60F/80F/100F evaluation licenses for lab practice (request via Fortinet partner portal or use FortiGate-VM trial)
  • Fortinet NSE 1, NSE 2, and NSE 3 free self-paced courses — strongly recommended prerequisites that build foundational knowledge
  • Fortinet YouTube channel — product demos, configuration walkthroughs, and NSE training content
  • Free practice questions on this site

The NSE 4 exam tests practical configuration and troubleshooting knowledge, not just theory. Hands-on access to a FortiGate (physical, VM, or cloud trial) is strongly recommended. The free training at training.fortinet.com covers all five exam domains and is the official preparation path.

Choose Your Study Path

Limited experience with FortiGate or enterprise firewalls. You need to build foundational knowledge of network security principles and FortiOS before studying for NSE 4. Complete the free NSE 1-3 training first.

Week 1: Complete Fortinet NSE 1 and NSE 2 free courses at training.fortinet.com. Learn basic network security concepts: firewalls, NAT, VLANs, routing fundamentals. Understand the OSI model, TCP/IP, and how packet flow works through a stateful firewall.
Week 2: Complete Fortinet NSE 3 free course. Set up your lab environment — request a FortiGate VM trial or use a free FortiGate-VM evaluation image. Complete initial system setup: administrative access, interface configuration, default routes, and basic DHCP server setup.
Week 3: Study Domain 1 (Deployment and System Configuration, 22%). Learn FortiGate deployment modes: NAT/Route mode vs Transparent mode. Configure network interfaces, VLANs, and zones. Understand HA (high availability) in active-passive and active-active modes. Practice firmware upgrade procedures.
Week 4: Study Domain 2 part 1 (Firewall Policies, first half of 28%). Learn the policy table and how FortiGate matches traffic: source/destination interface, address, service, and schedule. Understand implicit deny, policy ordering, and policy lookup. Create and test basic allow/deny policies.
Week 5: Study Domain 2 part 2 (Authentication and NAT). Learn NAT modes: central NAT vs per-policy NAT. Configure SNAT (IP pool types: overload, one-to-one, fixed port range) and DNAT (virtual IPs). Configure local users, LDAP/RADIUS authentication, FSSO (Fortinet Single Sign-On), and firewall authentication policies.
Week 6: Study Domain 3 (Content Inspection, 22%). Configure antivirus in proxy and flow-based inspection modes. Set up web filtering using categories and URL filters. Configure application control and IPS. Understand SSL/SSH deep inspection and certificate inspection. Learn when to use proxy mode vs flow mode.
Week 7: Study Domain 4 (Routing, 14%). Configure static routes, administrative distance, and priority. Learn policy-based routing (PBR). Understand ECMP load balancing. Study SD-WAN: performance SLAs, rules, and members. Lab: configure OSPF and BGP neighbors on FortiGate.
Week 8: Study Domain 5 (VPN, 14%). Configure IPsec site-to-site VPN with IKEv1 and IKEv2. Configure IPsec dial-up VPN for remote users. Set up SSL VPN in web mode and tunnel mode. Practice VPN troubleshooting with diagnose vpn commands.
Week 9: Review all five domains. Focus on areas where you scored poorly in practice questions. Do hands-on labs for any topic you have not configured in your lab environment. Pay special attention to FSSO, SSL inspection, and SD-WAN as these are consistently tested.
Week 10: Take full mock exams targeting 75%+. Review all incorrect answers carefully. Re-read the relevant sections of the FortiOS 7.6 Administration Guide for any topics still unclear. Schedule the exam when scoring consistently above 80% on practice tests.

Exam Overview

Format

50-55 multiple-choice and multiple-select questions, 90 minutes. Exam code: NSE4_FGT_AD-7.6. Delivered via Pearson VUE at authorized testing centers or online proctored. Closed-book with no external resources. Multiple-select questions require all correct answers — no partial credit.

Scoring

Pass/fail scoring. Passing score is approximately 70/100 (Fortinet uses a scaled score). No penalty for wrong answers on single-answer questions — always answer every question. Score report provided after exam. Multiple-select questions: all correct answers must be selected for full credit, no partial credit awarded.

Domains & Weights

  • Deployment and System Configuration: 22%
  • Firewall Policies and Authentication: 28%
  • Content Inspection: 22%
  • Routing: 14%
  • VPN: 14%

Registration

Exam fee: $200 USD. Register at pearsonvue.com/fortinet. Certification is valid for 2 years. If you fail, you must wait 15 days before retaking. NSE 1-3 free courses are strongly recommended but not formally required as prerequisites. The FCP (Fortinet Certified Professional) brand is being restructured into the NSE certification program effective July 15, 2026; exam delivery is suspended July 13-15, 2026 for the transition. Active FCP Network Security certifications will be automatically mapped to the corresponding NSE 4 certification.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1: Must Know. You must understand these FortiGate features deeply, know how to configure them, and apply them in scenario-based questions. These appear across multiple questions and multiple domains.
Tier 2: Should Know. Understand these FortiGate features, their key configuration parameters, and how they fit into network security architecture. May appear in 2-5 questions each.
Tier 3: Recognize Only. Know what these are at a high level and their role in the FortiGate security ecosystem. Rarely more than 1-2 questions each.

Domain 1: 22% of exam

Deployment and System Configuration

Covers FortiGate initial deployment, network interface types and configuration, system administration settings, firmware management, and high availability. Questions test your ability to choose the right deployment mode, configure administrative access correctly, and understand HA failover behavior.

Key Topics

NAT/Route Mode, Transparent Mode, Network Interfaces, VLANs, Zones, Administrative Access, Firmware Management, High Availability, VDOMs, FortiGate Cloud/VM, Logging

Must-Know Concepts

  • NAT/Route mode vs Transparent mode: NAT/Route is standard (routing + NAT); Transparent mode is Layer 2 bridging (no NAT, no routing, no interface IPs)
  • Interface types: physical, VLAN sub-interface (802.1Q), aggregate (LACP), loopback, redundant, software switch, hardware switch
  • Zones: logical groupings of interfaces that simplify policy creation — intrazone traffic can be allowed or blocked; interzone traffic requires explicit policies
  • Administrative access: HTTPS, HTTP, SSH, Telnet, PING, FMG-Access per interface. Principle of least privilege — only enable necessary services on each interface
  • Trusted hosts: restrict administrative login source IPs to specific subnets. If configured, only those IPs can log in regardless of correct credentials
  • Firmware upgrade best practices: backup config first, verify image checksum, plan maintenance window, understand that firmware downgrades may not preserve configuration
  • HA Active-Passive: primary handles all traffic, secondary monitors via heartbeat interfaces. Failover when primary fails health checks (link monitoring, session monitoring)
  • HA Active-Active: primary distributes sessions to all HA units using load balancing. All units process traffic. Improves throughput but more complex than active-passive
  • HA heartbeat interfaces: dedicated physical interfaces for heartbeat and session synchronization. Should be direct connections between HA units, not through switches
  • FortiGate initial setup: management IP, default route, DNS, NTP, admin password. Factory reset restores defaults including management IP of 192.168.1.99
  • Logging configuration: log to local disk, FortiAnalyzer, FortiCloud, or syslog server. Log levels: emergency, alert, critical, error, warning, notification, information, debug. Log filtering and reliable logging (TCP-based) vs unreliable (UDP-based)
  • FortiGate cloud deployments: FortiGate-VM available on AWS, Azure, GCP, and other hypervisors. FortiGate CNF (Cloud-Native Firewall) as a managed service. Same FortiOS features but ASIC offloading not available in VM/cloud deployments

Common Exam Traps

  • Transparent mode does NOT perform NAT or IP routing. FortiGate forwards frames at Layer 2 but still enforces firewall policies — it is not a dumb switch
  • In Active-Active HA, the primary unit is associated with the cluster virtual MAC addresses and receives all inbound packets. Subordinate units retain their actual MAC addresses. The primary distributes sessions to subordinate units, and packets exiting subordinate units go directly to their destination without passing through the primary
  • Trusted hosts restrict login SOURCE IPs — if configured incorrectly, you can lock yourself out even with the correct password. Always configure a trusted host that includes your current management IP
  • VLAN sub-interfaces inherit the physical parent interface's zone unless explicitly assigned to a different zone — this affects which policies are required

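The trusted-host lockout trap is easy to check for before a change is committed. The following is an added example, not code from this page or from Fortinet: a small Python model of per-admin trusted-host lists (the admin names and networks are constructed for the demo) that answers "may this source IP log in as this admin?" and lists the admins whose trusted hosts would exclude the address you are currently administering from. An account with no trusted hosts is modelled as "any source", which is how an unrestricted admin behaves, and which is exactly why the first trusted host added to such an account can lock you out.

```python
import ipaddress

# Constructed example data (hypothetical, not a real FortiGate config): each admin
# account lists the source networks it may log in from, like FortiOS trusted hosts.
ADMINS = {
    "admin": ["10.0.0.0/24", "192.168.1.0/24"],
    "netops": ["10.10.50.10/32"],
    "auditor": [],  # no trusted hosts configured: modelled as "any source"
}


def login_allowed(admin_name, source_ip, admins=ADMINS):
    """True when source_ip lies inside one of the admin's trusted-host networks.

    Credentials are checked separately by the device; a correct password from an
    untrusted source is still refused, which is the lockout trap described above.
    """
    nets = admins.get(admin_name)
    if nets is None:
        return False  # unknown account
    if not nets:
        return True  # unrestricted account
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def lockout_risks(admins, current_mgmt_ip):
    """Pre-change check: admins whose trusted-host set excludes the IP you are
    administering from right now. Fix these before saving the configuration."""
    return sorted(name for name in admins
                  if not login_allowed(name, current_mgmt_ip, admins))


def with_trusted_host(admins, admin_name, network):
    """Return a copy of the admin table with one more trusted host on admin_name.

    Run lockout_risks() on the result before committing: the first trusted host
    added to an unrestricted account turns "any source" into "only this network".
    """
    proposed = dict(admins)
    proposed[admin_name] = list(admins.get(admin_name, [])) + [network]
    return proposed


if __name__ == "__main__":
    print("admin from 10.0.0.5:", login_allowed("admin", "10.0.0.5"))
    print("locked out from 10.0.0.5:", lockout_risks(ADMINS, "10.0.0.5"))
    risky = with_trusted_host(ADMINS, "auditor", "10.10.50.0/24")
    print("after restricting auditor:", lockout_risks(risky, "10.0.0.5"))
```

The same check generalises to any device that filters management access by source address: compute the proposed access list, then confirm your own session's address still matches before saving.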
Quick Check: Deployment and System Configuration

Question 1 of 3

A network engineer must insert a FortiGate between an existing router and a core switch without changing any IP addressing in the network. The FortiGate should inspect all traffic between the router and switch. Which deployment mode should be used?

Domain 2: 28% of exam

Firewall Policies and Authentication

The largest domain at 28%. Covers firewall policy types, traffic matching logic, all forms of NAT, user authentication methods (local, LDAP, RADIUS), FSSO for identity-based policies, user groups, and traffic shaping policies. This domain tests both conceptual understanding and practical configuration knowledge.

Key Topics

Firewall Policies, NAT (SNAT/DNAT), Virtual IPs, IP Pools, Central NAT, User Authentication, FSSO, LDAP, RADIUS, User Groups, Traffic Shaping

Must-Know Concepts

  • Policy matching order: policies are evaluated top-to-bottom, first match wins. Source interface, destination interface, source address, destination address, service — all must match
  • Implicit deny: every policy table ends with an implicit deny-all policy. Traffic not matched by any explicit policy is dropped silently
  • Policy types: IPv4, IPv6, multicast, local (FortiGate-generated traffic), implicit. IPv4 policy is the most common exam topic
  • IP pool types for SNAT — Overload (many-to-one PAT, most common), One-to-one (each internal IP maps to a specific external IP), Fixed Port Range (ranges allocated per source IP), Port Block Allocation (blocks of ports allocated dynamically)
  • VIP (Virtual IP) for DNAT: maps an external IP (and optionally port) to an internal server IP (and optionally port). Must be referenced in a firewall policy as the destination address
  • VIP groups: combine multiple VIPs into a single policy object for simpler policy management
  • Central NAT: separate SNAT/DNAT tables. SNAT policies: original source → translated source. DNAT: done through VIPs referenced in central NAT DNAT policies
  • Authentication methods: local database (user accounts stored on FortiGate), LDAP (bind and search for AD/LDAP credentials), RADIUS (remote authentication with RADIUS server)
  • Firewall active authentication: users see a FortiGate login portal when accessing resources that require authentication. Browser-based (HTTP/HTTPS) or captive portal
  • FSSO passive authentication: FortiGate monitors AD login events and maps IPs to usernames without requiring users to log in again through FortiGate
  • User groups: combine local users, LDAP/RADIUS-retrieved groups, and FSSO groups into a single group object for use in firewall policies
  • Traffic shaping: per-policy shaper (applied to all traffic in a policy), shared shaper (aggregate bandwidth limit across multiple policies), reverse shaper (inbound traffic limit)

Common Exam Traps

  • VIPs must be placed as the DESTINATION address in the firewall policy, not as a source address. Forgetting to add the VIP to a policy means the VIP mapping is never used
  • FSSO users do not authenticate through FortiGate — they authenticate to Active Directory. FortiGate passively learns the IP-to-user mapping from AD events
  • IP pool overload mode performs PAT (Port Address Translation) — multiple internal IPs share one external IP using different source ports. One-to-one mode does NOT translate ports
  • Policies must have both matching criteria (source/dest/service) and a configured security profile to provide content inspection. A policy with no profiles attached is a simple allow with no inspection

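Policy ordering and overload SNAT are the two mechanics in this domain that repay tracing by hand. The following is an added example, not code from this page or from FortiOS: a Python model of a policy table evaluated top to bottom with first match and a trailing implicit deny, plus an overload IP pool that rewrites each session to the pool address with a fresh source port. The policy fields, interface names, addresses and pool are constructed for the demo, and the matcher deliberately ignores schedules, zones and security profiles to keep the ordering logic visible. The constructed table reproduces the trap above: a broad allow placed above a specific deny means the deny is never reached, and swapping the two rows fixes it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: tuple        # CIDR strings, or ("all",)
    dstaddr: tuple
    service: tuple        # "tcp/443"-style entries, or ("ALL",)
    action: str           # "accept" or "deny"
    nat: bool = False
    ippool: str = ""      # name of the overload pool used when nat is True


# Every policy table ends here: anything not explicitly matched is dropped.
IMPLICIT_DENY = Policy(0, "any", "any", ("all",), ("all",), ("ALL",), "deny")


def _addr_match(addrs, ip):
    if "all" in addrs:
        return True
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in addrs)


def _svc_match(services, proto, port):
    return "ALL" in services or f"{proto}/{port}" in services


def lookup(policies, srcintf, dstintf, src, dst, proto, port):
    """Walk the table top to bottom; the first policy whose interface pair,
    addresses and service all match wins. Nothing matched -> implicit deny."""
    for p in policies:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and _addr_match(p.srcaddr, src) and _addr_match(p.dstaddr, dst)
                and _svc_match(p.service, proto, port)):
            return p
    return IMPLICIT_DENY


class OverloadPool:
    """Many-to-one PAT: every new session leaves with the pool IP and a fresh
    source port, so many internal hosts share one external address."""

    def __init__(self, ip, first_port=1024):
        self.ip = ip
        self.next_port = first_port

    def translate(self, src_ip, src_port):
        allocated = self.next_port
        self.next_port += 1
        return self.ip, allocated


def forward(policies, pools, srcintf, dstintf, src, dst, proto, port, src_port):
    """Return (policy_id, action, translated_source). translated_source is None
    when the flow is denied, and unchanged when the policy has NAT disabled."""
    p = lookup(policies, srcintf, dstintf, src, dst, proto, port)
    if p.action != "accept":
        return p.policy_id, "deny", None
    if p.nat:
        return p.policy_id, "accept", pools[p.ippool].translate(src, src_port)
    return p.policy_id, "accept", (src, src_port)


# Constructed policy table reproducing the ordering trap: a broad allow sits
# above a specific deny, so the deny can never be reached.
TRAP_TABLE = [
    Policy(1, "lan", "wan", ("10.0.0.0/24",), ("all",), ("ALL",), "accept",
           nat=True, ippool="pool-wan"),
    Policy(2, "lan", "wan", ("10.0.0.100/32",), ("203.0.113.0/24",), ("tcp/443",), "deny"),
]
FIXED_TABLE = [TRAP_TABLE[1], TRAP_TABLE[0]]   # specific deny first, then the broad allow


if __name__ == "__main__":
    pools = {"pool-wan": OverloadPool("198.51.100.10")}
    for table, label in ((TRAP_TABLE, "trap"), (FIXED_TABLE, "fixed")):
        hit = lookup(table, "lan", "wan", "10.0.0.100", "203.0.113.5", "tcp", 443)
        print(f"{label}: host 10.0.0.100 -> policy {hit.policy_id} ({hit.action})")
    print(forward(FIXED_TABLE, pools, "lan", "wan", "10.0.0.7", "203.0.113.5", "tcp", 443, 51000))
    print(forward(FIXED_TABLE, pools, "lan", "wan", "10.0.0.8", "203.0.113.5", "tcp", 443, 51000))
```

Two hosts behind the fixed table both leave as 198.51.100.10 but with different source ports, which is the overload/PAT behaviour the trap above contrasts with one-to-one mode.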
Quick Check: Firewall Policies and Authentication

Question 1 of 3

A firewall administrator creates a policy allowing all traffic from the internal LAN (10.0.0.0/24) to the internet, with SNAT using an IP pool in overload mode. A second policy below it denies traffic from 10.0.0.100 to social media websites. A user at 10.0.0.100 attempts to browse Facebook. Which policy is applied?

Domain 3: 22% of exam

Content Inspection

Covers all security profiles and inspection capabilities: antivirus, web filtering, application control, IPS, DNS filter, and file filter. Also covers SSL/SSH inspection (the prerequisite for inspecting encrypted traffic) and the critical choice between proxy-based and flow-based inspection modes.

Key Topics

Antivirus, Web Filter, Application Control, IPS, DNS Filter, File Filter, SSL Inspection, SSH Inspection, Proxy Mode, Flow Mode, FortiGuard

Must-Know Concepts

  • Security profile types: antivirus (file scanning), web filter (URL/category blocking), application control (Layer 7 app identification), IPS (exploit/attack signatures), DNS filter (malicious domain blocking), file filter (block by file type), DLP (data loss prevention — supports both flow and proxy feature-sets in FortiOS 7.6)
  • Profiles must be applied to firewall policies to take effect — creating a profile alone does nothing
  • Proxy-based inspection: buffers full content, supports all UTM features with full file analysis for DLP and AV, higher latency and memory usage
  • Flow-based inspection: streams packets through without buffering, lower latency, most profiles supported in FortiOS 7.6 (including DLP with stream-based scanning), better throughput
  • SSL/TLS inspection: required to inspect HTTPS, SMTPS, IMAPS traffic. Without SSL inspection, encrypted traffic content is invisible to security profiles
  • Certificate inspection: validates SSL certificate only, no content decryption. Does not require CA cert on endpoints
  • Deep/Full SSL inspection: decrypts, inspects, re-encrypts. FortiGate CA certificate must be trusted by endpoints (installed in OS/browser trust store) to avoid SSL warnings
  • SSH inspection: deep inspection of SSH sessions. Can inspect commands, file transfers (SCP/SFTP), and block specific SSH operations
  • Web filter FortiGuard categories: FortiGate queries FortiGuard cloud for URL category. Can allow/monitor/warn/block by category. Local ratings override FortiGuard categories
  • Application control detects apps by DPI signatures even on non-standard ports. Can block, allow, or shape specific applications or categories
  • IPS signatures: detect and block known exploits, vulnerability scanning, and attack patterns. Signatures updated via FortiGuard IPS subscription
  • Botnet C&C protection: blocks connections to known command-and-control servers. Requires FortiGuard subscription and is enabled in antivirus or IPS profiles

Common Exam Traps

  • Without SSL inspection, AV and IPS cannot inspect HTTPS content — attackers can bypass content inspection by using HTTPS. This is the most important architectural point about content inspection
  • In FortiOS 7.6, DLP supports both flow and proxy feature-sets. Proxy mode DLP provides deeper analysis with full content buffering. Flow mode DLP uses stream-based scanning — know the trade-offs for the exam
  • Web filter and application control are COMPLEMENTARY: web filter blocks by URL, application control blocks by app signature. A web filter cannot block a non-HTTP application; application control can
  • When FortiGuard web filter subscription expires, the FortiGate falls back to local ratings only. The 'allow-unrated' setting determines whether unrated sites are blocked or allowed

Quick Check: Content Inspection

Question 1 of 3

An IPS profile and an antivirus profile are both attached to a firewall policy allowing HTTPS traffic. No SSL inspection profile is applied to the policy. An attacker sends an exploit payload hidden inside an HTTPS session. Will the IPS and AV profiles detect it?

Domain 4: 14% of exam

Routing

Covers all routing capabilities on FortiGate: static routes, policy-based routing (PBR), equal-cost multi-path (ECMP) load balancing, BGP and OSPF dynamic routing, SD-WAN traffic steering, and route monitoring for failover. Questions test routing selection logic and SD-WAN SLA configuration.

Key Topics

Static Routes, Policy Routes, ECMP, BGP, OSPF, SD-WAN, Route Monitoring, Performance SLA

Must-Know Concepts

  • Administrative distance: determines preference among routes from different sources. Lower is preferred. Direct (0), Static (10), eBGP (20), OSPF (110), iBGP (200). Multiple static routes to the same destination: lower distance wins
  • Priority: tie-breaker for routes with the same administrative distance. Lower priority value wins
  • ECMP: multiple routes to the same destination with equal distance and priority are installed as equal-cost paths. FortiGate load balances across them. ECMP methods: source-ip-based (default), weight-based, usage-based (spillover), source-dest-ip-based, measured-volume-based
  • Policy routes (PBR): match by source interface, source address, destination address, protocol, TOS. Override routing table. Evaluated BEFORE routing table. Empty match fields = match all
  • SD-WAN: logical interface grouping WAN members. Performance SLA monitors link health (packet loss, latency, jitter) via ping/HTTP/DNS probes. Rules steer traffic to optimal member based on SLA criteria
  • SD-WAN load balancing algorithms: source-ip-based (default, hash on source IP), weight-based (distribute by weight ratio), usage-based/spillover (use primary until bandwidth threshold), source-dest-ip-based (hash on both source and destination IP), measured-volume-based (distribute by bandwidth ratio)
  • BGP: eBGP connects to ISPs (different AS numbers, default admin distance 20). iBGP connects internal routers (same AS, default admin distance 200). BGP neighbors configured with remote-AS, neighbor IP, and local AS
  • OSPF: link-state routing within a single AS. Requires area configuration (area 0 = backbone). FortiGate supports OSPF areas, redistribution, and authentication
  • Route monitoring: monitor a specific IP or route. If monitor fails, static routes with that monitor configured are removed from the routing table, triggering failover to backup routes

Common Exam Traps

  • Policy routes are evaluated BEFORE the routing table — they override even more specific routing table entries. A policy route with no destination match (empty) matches ALL traffic from the source interface
  • SD-WAN SLA health checks monitor link health but do NOT automatically steer traffic. SD-WAN rules must explicitly reference the SLA as a criterion for member selection
  • Administrative distance applies only when comparing routes from DIFFERENT routing sources (static vs OSPF). Within a single source (two static routes to the same destination), priority is the tie-breaker
  • ECMP in FortiGate does NOT do per-packet load balancing — the default method is source-ip-based, which hashes the source IP to select a path. Other methods include weight-based, usage-based (spillover), source-dest-ip-based, and measured-volume-based

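The route-selection rules in this domain (policy routes first; then longest prefix, lowest administrative distance, lowest priority; then ECMP with source-IP hashing) compose into one decision procedure, and the following is an added example of that procedure in Python, not code from this page or from FortiOS. The routing table, the policy route and the link-monitor flag are constructed for the demo; the hash is SHA-256 over the source address, standing in for whatever hash FortiOS actually uses, so only the "same source, same path" property is meaningful. Route monitoring is modelled by an "up" flag that removes a static route from consideration when its monitor fails.

```python
import hashlib
import ipaddress


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def policy_route_lookup(policy_routes, in_intf, src, dst):
    """Policy routes are consulted before the routing table. A field left empty
    matches anything, which is why an empty destination matches all traffic
    arriving on the source interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pr in policy_routes:
        if pr.get("input_intf") and pr["input_intf"] != in_intf:
            continue
        if pr.get("src") and s not in _net(pr["src"]):
            continue
        if pr.get("dst") and d not in _net(pr["dst"]):
            continue
        return pr["out_intf"], pr["gateway"]
    return None


def routing_table_lookup(routes, src, dst):
    """Longest prefix, then lowest administrative distance, then lowest priority.
    What survives is the ECMP set; the path is chosen by hashing the source IP
    (the FortiOS default method), so one source always takes the same path.
    Returns (interface, gateway, size_of_ecmp_set) or None."""
    d = ipaddress.ip_address(dst)
    cands = [r for r in routes if r.get("up", True) and d in _net(r["prefix"])]
    if not cands:
        return None
    best = max(_net(r["prefix"]).prefixlen for r in cands)
    cands = [r for r in cands if _net(r["prefix"]).prefixlen == best]
    best = min(r["distance"] for r in cands)
    cands = [r for r in cands if r["distance"] == best]
    best = min(r["priority"] for r in cands)
    cands = [r for r in cands if r["priority"] == best]
    cands.sort(key=lambda r: r["intf"])          # stable order for the hash
    idx = int(hashlib.sha256(src.encode()).hexdigest(), 16) % len(cands)
    chosen = cands[idx]
    return chosen["intf"], chosen["gateway"], len(cands)


def route(policy_routes, routes, in_intf, src, dst):
    """Full decision: policy route first, routing table second."""
    hit = policy_route_lookup(policy_routes, in_intf, src, dst)
    if hit:
        return hit + ("policy-route",)
    hit = routing_table_lookup(routes, src, dst)
    return None if hit is None else (hit[0], hit[1], "routing-table")


# Constructed routing table (sample data for the demo, not from the page).
# Static routes default to distance 10, OSPF to 110, as listed above.
ROUTES = [
    {"prefix": "0.0.0.0/0", "intf": "wan1", "gateway": "192.0.2.1", "distance": 10, "priority": 5},
    {"prefix": "0.0.0.0/0", "intf": "wan2", "gateway": "198.51.100.1", "distance": 10, "priority": 20},
    {"prefix": "0.0.0.0/0", "intf": "wan3", "gateway": "203.0.113.1", "distance": 110, "priority": 0},
    {"prefix": "10.20.0.0/16", "intf": "dmz", "gateway": "0.0.0.0", "distance": 10, "priority": 0},
]
# One policy route: everything from 10.0.2.0/24 on "lan" leaves via wan2,
# regardless of destination (empty dst = match all).
POLICY_ROUTES = [
    {"input_intf": "lan", "src": "10.0.2.0/24", "dst": "", "out_intf": "wan2", "gateway": "198.51.100.1"},
]


if __name__ == "__main__":
    print(route(POLICY_ROUTES, ROUTES, "lan", "10.0.1.5", "8.8.8.8"))     # wan1: same distance, lower priority
    print(route(POLICY_ROUTES, ROUTES, "lan", "10.0.2.5", "10.20.5.5"))   # wan2: PBR beats the /16 route
    failed = [dict(r, up=(r["intf"] != "wan1")) for r in ROUTES]
    print(routing_table_lookup(failed, "10.0.1.5", "8.8.8.8"))           # wan2 after wan1's monitor fails
```

Note that wan3 never wins while a static default exists, even when its priority is the lowest: priority is only compared after distance has already eliminated the OSPF route, which is the distance-versus-priority distinction the trap above draws.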
Quick Check: Routing

Question 1 of 3

A FortiGate has two static routes to 0.0.0.0/0: one via ISP1 (192.0.2.1) with distance 10 and priority 0, and one via ISP2 (198.51.100.1) with distance 10 and priority 10. Both WAN interfaces are up. Which route is used for outbound internet traffic?

Domain 5: 14% of exam

VPN

Covers IPsec VPN for site-to-site and remote access (dial-up) configurations, SSL VPN in web mode and tunnel mode for clientless and client-based remote access, and practical VPN troubleshooting. Questions test your knowledge of IKE phases, tunnel parameters, and common VPN failure scenarios.

Key Topics

IPsec VPN, IKE Phase 1, IKE Phase 2, IKEv1, IKEv2, Route-Based VPN, Policy-Based VPN, Dial-Up VPN, SSL VPN, FortiClient, Split Tunneling

Must-Know Concepts

  • IKE Phase 1: establishes the ISAKMP SA for a secure management channel. Parameters: authentication method (PSK or certificates), encryption algorithm, hash/integrity algorithm, DH group, lifetime. IKEv1 modes: main mode (6 messages) or aggressive mode (3 messages, less secure)
  • IKE Phase 2: establishes the IPsec SA for actual data encryption. Parameters: encryption algorithm, hash/integrity, PFS (Perfect Forward Secrecy), proxy IDs (local/remote subnet), lifetime
  • All Phase 1 and Phase 2 parameters must match on both VPN peers — mismatch is the most common cause of VPN failure
  • Route-based IPsec VPN: creates a virtual tunnel interface (VTI). Traffic is routed to the tunnel via static or dynamic routes. Firewall policies use the tunnel interface as source/destination interface
  • Policy-based IPsec VPN: no tunnel interface. Traffic is selected by proxy IDs (local subnet, remote subnet). Policy action is IPsec with tunnel selected. Less flexible than route-based
  • Dial-up VPN (hub-and-spoke): FortiGate acts as hub, accepting incoming IPsec connections from multiple remote clients or FortiGate spokes. IKEv1 aggressive mode or IKEv2 for dial-up
  • SSL VPN web mode: clientless portal on HTTPS. Users browse to FortiGate HTTPS URL and access internal web apps via reverse proxy. No FortiClient needed
  • SSL VPN tunnel mode: FortiClient creates a virtual NIC. User gets an IP from the SSL VPN IP pool. Traffic is routed through the SSL VPN tunnel. Supports split tunneling (only specified subnets go through VPN)
  • SSL VPN firewall policy: traffic from ssl.root (virtual SSL VPN interface) to internal destination. Must be created for users to reach internal resources after connecting
  • VPN troubleshooting commands: diagnose vpn ike gateway list (Phase 1 status), diagnose vpn tunnel list (Phase 2 SAs), diagnose debug application ike -1 (IKE debug), get vpn ssl monitor (SSL VPN sessions)

Common Exam Traps

  • IKE Phase 1 and Phase 2 parameters MUST match on both ends. Proposals are negotiated — if neither side has a common proposal, phase fails. Check both peers when troubleshooting
  • SSL VPN requires TWO things: a portal/user group configuration AND a firewall policy from ssl.root to the internal network. A connected SSL VPN user with no firewall policy cannot access anything
  • Route-based VPN tunnel interfaces must have firewall policies that reference them as source/destination interfaces. The traffic route points to the tunnel interface, but the policy must allow it
  • Split tunneling in SSL VPN sends only specified subnet traffic through the VPN — other internet traffic goes directly out the user's local internet connection. Without split tunneling, ALL traffic including internet browsing goes through the corporate VPN

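"Proposals are negotiated" is worth seeing as an algorithm, because a pair of peers can share every individual algorithm and still fail when no single proposal lines up. The following is an added example, not code from this page or from FortiOS: a Python model of proposal negotiation (initiator's list walked in order, first proposal the responder also accepts wins, none means the phase fails), a per-attribute diagnosis of a failed negotiation, and the Phase 2 proxy-ID mirroring check. The peer configurations are constructed for the demo; real IKE additionally carries PRF, lifetime and version, which are left out to keep the matching logic visible.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256"
    integrity: str    # e.g. "sha256"
    dh_group: int     # e.g. 14


def negotiate(initiator, responder):
    """A phase succeeds only when one proposal matches exactly on both peers.
    The initiator's list is walked in order and the first proposal the
    responder also accepts is chosen; no common proposal -> None (phase fails)."""
    accepted = set(responder)
    for prop in initiator:
        if prop in accepted:
            return prop
    return None


def diagnose_mismatch(initiator, responder):
    """Per-attribute explanation of a failed negotiation, the reasoning you apply
    after 'no proposal chosen' shows up in the IKE debug output."""
    reasons = []
    for attr in ("encryption", "integrity", "dh_group"):
        offered = {getattr(p, attr) for p in initiator}
        accepts = {getattr(p, attr) for p in responder}
        if not offered & accepts:
            reasons.append(f"{attr}: initiator offers {sorted(offered)}, "
                           f"responder accepts {sorted(accepts)}")
    if not reasons:
        reasons.append("each attribute overlaps somewhere, but no single proposal "
                       "matches as a whole; align one full proposal on both peers")
    return reasons


def phase2_selectors_match(a_local, a_remote, b_local, b_remote):
    """Phase 2 proxy IDs must mirror each other: peer A's local subnet is peer B's
    remote subnet and vice versa. Anything else and the IPsec SA is not built."""
    return a_local == b_remote and a_remote == b_local


# Constructed peer configurations for the demo (not from the page).
HQ = [Proposal("aes256", "sha256", 14), Proposal("aes128", "sha256", 14)]
BRANCH_OK = [Proposal("aes128", "sha256", 14)]
BRANCH_BAD = [Proposal("aes256", "sha256", 5)]                     # only the DH group differs
BRANCH_CROSSED = [Proposal("aes128", "sha1", 14),                  # every attribute overlaps
                  Proposal("aes256", "sha256", 5)]                 # with HQ, but no whole proposal


if __name__ == "__main__":
    for name, branch in (("ok", BRANCH_OK), ("bad", BRANCH_BAD), ("crossed", BRANCH_CROSSED)):
        chosen = negotiate(HQ, branch)
        print(name, "->", chosen if chosen else diagnose_mismatch(HQ, branch))
    print(phase2_selectors_match("10.1.0.0/24", "10.2.0.0/24", "10.2.0.0/24", "10.1.0.0/24"))
```

The "crossed" case is the one that wastes troubleshooting time: comparing the two configurations attribute by attribute finds nothing wrong, and only comparing whole proposals does. The diagnosis function says so explicitly rather than reporting "no mismatch".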
Quick Check: VPN

Question 1 of 3

A site-to-site IPsec VPN between two FortiGate devices fails to establish Phase 1. The administrator checks the configuration and confirms the pre-shared keys match. What is the most likely cause of the Phase 1 failure?

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Proxy Mode Inspection vs Flow Mode Inspection

Use Proxy Mode Inspection when…

FortiGate buffers the entire file/object before inspecting it. Enables antivirus with full file scanning, DLP, and ICAP. Higher latency and memory usage. Best for environments requiring thorough content inspection.

Use Flow Mode Inspection when…

FortiGate inspects packets as they stream through without buffering. Lower latency and CPU usage. In FortiOS 7.6, most profiles (including DLP) support both modes, but flow mode uses stream-based scanning with less thorough analysis. Best for latency-sensitive traffic (VoIP, video) and high-throughput links.

Exam trap

Proxy mode is NOT always more secure — flow mode uses a different engine that catches threats in the stream. The key trade-off is latency vs thoroughness. In FortiOS 7.6, DLP supports both flow and proxy feature-sets — but proxy mode DLP provides more thorough content analysis with full file buffering.

Central NAT Table vs Per-Policy NAT

Use Central NAT Table when…

NAT is configured in a dedicated SNAT/DNAT policy table separate from firewall policies. More scalable for large deployments. Centralized view of all NAT rules. DNAT policies reference VIPs in the central NAT table.

Use Per-Policy NAT when…

NAT is configured directly within each firewall policy (NAT checkbox + IP pool selection). Simpler for small deployments. Each policy carries its own NAT configuration. Default behavior in most FortiGate configurations.

Exam trap

Central NAT and per-policy NAT are mutually exclusive per VDOM — you use one or the other, not both. Central NAT provides more granular SNAT control with source and destination matching. In per-policy NAT, enabling the NAT checkbox in the policy is sufficient for basic overload NAT.

IPsec VPN (Route-Based) vs IPsec VPN (Policy-Based)

Use IPsec VPN (Route-Based) when…

Uses a virtual tunnel interface (VTI). Traffic is routed to the VTI interface via the routing table. More flexible — supports dynamic routing (OSPF/BGP) over the tunnel. Easier to manage firewall policies (interface-based).

Use IPsec VPN (Policy-Based) when…

No tunnel interface. Traffic selection is defined by firewall policy proxy IDs (local and remote subnet pairs). Less flexible — no dynamic routing. Compatible with some older or non-Fortinet VPN endpoints that require policy-based VPN.

Exam trap

Route-based IPsec is the recommended and most common deployment on FortiGate. Policy-based VPN is needed mainly for interoperability with third-party devices that require specific proxy IDs. Route-based VPN allows ECMP and HA failover more easily.

SSL VPN Web Mode vs SSL VPN Tunnel Mode

Use SSL VPN Web Mode when…

Browser-only access. No client software required. Users access internal web applications through a proxy portal hosted on the FortiGate HTTPS port. Limited to HTTP/HTTPS and a few other protocols with bookmarks.

Use SSL VPN Tunnel Mode when…

Requires FortiClient software. Creates a virtual NIC on the endpoint, providing full network-level access. Supports any IP protocol. Supports split tunneling (only route enterprise subnets through VPN) or full tunneling (all traffic through VPN).

Exam trap

Web mode is a clientless PROXY — the FortiGate fetches web content on the user's behalf. Tunnel mode is a TRUE network tunnel — the endpoint gets an IP from the SSL VPN pool and is routed into the internal network. Tunnel mode requires FortiClient; web mode needs only a browser.

Certificate Inspection (SSL) vs Deep SSL/TLS Inspection

Use Certificate Inspection (SSL) when…

Inspects only the SSL certificate: validates the certificate chain, checks for expiration and revocation, and verifies the SNI. Does NOT decrypt the traffic payload. No content inspection is possible. Does not require importing CA certificate to endpoints.

Use Deep SSL/TLS Inspection when…

FortiGate acts as a man-in-the-middle: decrypts traffic, inspects content (AV, web filter, IPS), then re-encrypts and forwards. Full content inspection is possible. Requires importing FortiGate CA certificate into all endpoint browsers/OS trust stores.

Exam trap

Certificate inspection CANNOT detect malware hidden in HTTPS traffic — it only validates the certificate. Deep inspection IS required for AV and IPS to inspect HTTPS payloads. Without the CA certificate on endpoints, deep inspection generates 'untrusted certificate' browser warnings.
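Both this pairing and the Domain 3 trap ("without SSL inspection, AV and IPS cannot inspect HTTPS content") come down to what is visible in a TLS session without terminating it: the ClientHello, including the SNI, is sent in the clear, and everything after the handshake is ciphertext. The following is an added example, not code from this page or from FortiOS: Python that constructs a minimal TLS ClientHello carrying an SNI extension (a constructed sample, not a captured packet), parses the SNI back out of the raw record, and applies a category verdict to it the way a certificate-inspection policy with local ratings can. The local ratings, blocked category and the allow-unrated switch are constructed for the demo. Nothing here decrypts anything, which is the point: a category decision on the SNI is the ceiling of certificate inspection, and a payload scan by AV or IPS needs deep inspection with the FortiGate CA trusted by the endpoints.

```python
import struct


def build_client_hello(server_name, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Construct a minimal TLS ClientHello record carrying an SNI extension.
    Constructed sample for the demo; field layout follows RFC 5246 / RFC 6066."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list         # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                               # one compression method: null
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record):
    """Return the host name from a ClientHello's SNI extension, or None.
    This is all an inspector learns from the wire without terminating TLS;
    application-data records (type 23) that follow are opaque ciphertext."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                       # handshake header, version, random
        pos += 1 + hs[pos]                                     # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher suites
        pos += 1 + hs[pos]                                     # compression methods
        if pos + 2 > len(hs):
            return None                                        # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:                                # server_name extension
                q = pos + 2                                    # skip server_name_list length
                while q + 3 <= pos + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if ntype == 0:                             # host_name
                        return hs[q + 3:q + 3 + nlen].decode("ascii")
                    q += 3 + nlen
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed local ratings and policy settings for the demo (not from the page).
LOCAL_RATINGS = {"social.example": "social-media", "intranet.example": "business"}
BLOCKED_CATEGORIES = {"social-media"}


def certificate_inspection_verdict(record, ratings=LOCAL_RATINGS,
                                   blocked=BLOCKED_CATEGORIES, allow_unrated=True):
    """The most a certificate-inspection policy can decide from the ClientHello:
    a category verdict on the SNI. allow_unrated models the 'allow-unrated'
    fallback used when a site has no rating (for example after the FortiGuard
    subscription lapses and only local ratings remain)."""
    sni = extract_sni(record)
    if sni is None:
        return "unrated", None
    category = ratings.get(sni, "unrated")
    if category == "unrated":
        return ("allow" if allow_unrated else "block"), sni
    return ("block" if category in blocked else "allow"), sni


if __name__ == "__main__":
    for host in ("social.example", "intranet.example", "unknown.example"):
        print(host, "->", certificate_inspection_verdict(build_client_hello(host)))
    print("application data ->", certificate_inspection_verdict(b"\x17\x03\x03\x00\x05hello"))
```

Run against an application-data record the verdict is "unrated" with no host name: there is simply nothing for a URL, AV or IPS profile to match on, which is why the policy in the Domain 3 quick check cannot see the payload until deep inspection is enabled.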

FSSO Collector Agent Mode vs FSSO Agentless Mode

Use FSSO Collector Agent Mode when…

A Windows-based Collector Agent software is installed on a server (not necessarily the DC). Two sub-modes: DC Agent mode (lightweight Fortinet agent on each DC sends logon events to Collector Agent) and Polling mode (Collector Agent polls DCs for logon events via WMI, WinSecLog, or NetAPI without installing agents on DCs). FortiGate receives FSSO events from the Collector Agent. More reliable and scalable for large AD environments.

Use FSSO Agentless Mode when…

FortiGate directly polls Active Directory domain controllers to read login events. No agent software installation required anywhere. Simpler for small deployments but generates more network traffic to DCs. FortiGate must have network access to all DCs.

Exam trap

Collector Agent mode is the traditional FSSO deployment and is more reliable for large or multi-domain environments. Agentless mode is simpler but creates direct polling connections from FortiGate to every DC, which can create scaling issues. Within Collector Agent mode, DC Agent sub-mode installs a lightweight Fortinet agent on each DC, while Polling sub-mode requires no agent on the DC.

Static Route vs Policy Route (PBR)

Use Static Route when…

Matches traffic based on DESTINATION prefix only. Added to the routing table. Administrative distance and priority determine preference when multiple routes exist. Subject to ECMP if multiple equal-cost routes exist.

Use Policy Route (PBR) when…

Matches traffic based on SOURCE address, destination address, protocol, and port. Evaluated BEFORE the routing table. Can override the best routing table entry for specific traffic. Does not use administrative distance.

Exam trap

Policy routes are processed BEFORE the routing table — they take absolute precedence over any static or dynamic route. If you need to send specific traffic (e.g., from a particular subnet) out a specific interface regardless of the routing table, use a policy route. Policy routes do NOT affect the routing table.

FortiGate NAT/Route Mode vs FortiGate Transparent Mode

Use FortiGate NAT/Route Mode when…

FortiGate has IP addresses on each interface and performs routing and NAT between network segments. Requires IP address changes (re-IP) if inserted between existing devices. The standard deployment mode for most installations.

Use FortiGate Transparent Mode when…

FortiGate acts as a Layer 2 bridge — interfaces have no IP addresses (except management). Traffic passes through without any IP addressing changes. No NAT performed. Ideal for inserting a firewall into an existing network without redesigning IP addressing.

Exam trap

In Transparent mode, FortiGate still enforces firewall policies and content inspection — it is NOT just a pass-through switch. The difference is that it operates at Layer 2 without routing or NAT. Static routing options are extremely limited in Transparent mode.

Top Mistakes to Avoid

  • Forgetting that firewall policies are evaluated TOP-TO-BOTTOM and the first match is applied — placing a broad allow above a specific deny means the deny is never reached
  • Creating a Virtual IP (VIP) for DNAT but not adding it to a firewall policy as the destination address — the VIP mapping is never triggered without the policy
  • Configuring IPS and AV profiles on a policy with HTTPS traffic but no SSL inspection profile — encrypted traffic content is invisible to security profiles without SSL inspection
  • Using deep SSL inspection without importing the FortiGate CA certificate to endpoints — results in 'untrusted certificate' browser errors for all HTTPS traffic
  • Confusing proxy mode and flow mode — proxy mode buffers full content for deeper analysis, flow mode streams packets (lower latency). In FortiOS 7.6, DLP supports both modes but proxy mode provides more thorough content inspection
  • Mixing up IKE Phase 1 and Phase 2 troubleshooting commands — diagnose vpn ike gateway list is for Phase 1; diagnose vpn tunnel list is for Phase 2
  • Configuring SSL VPN tunnel mode but forgetting the firewall policy from ssl.root to the internal network — connected users can't reach any internal resources
  • Treating policy routes as routing table entries — policy routes bypass the routing table entirely and are matched BEFORE any routing table lookup occurs
  • Confusing administrative distance (route source preference) with priority (tie-breaker within the same source) — both affect route selection but at different levels
  • Forgetting that FSSO is passive — users authenticate against Active Directory, not FortiGate. There is no FortiGate login prompt in a correctly functioning FSSO deployment
  • Assuming FortiGuard features work without internet connectivity or active subscriptions — web filter, AV signatures, and IPS signatures require connectivity to FortiGuard update servers

Exam-Ready Checklist

  • Can explain all 5 exam domains and their weights: 22% Deployment, 28% Policies/Auth, 22% Content Inspection, 14% Routing, 14% VPN
  • Know the difference between NAT/Route mode and Transparent mode — when to use each and limitations of Transparent mode
  • Understand firewall policy matching: top-to-bottom, first match wins, implicit deny at the bottom
  • Can explain all IP pool types (Overload, One-to-One, Fixed Port Range, Port Block Allocation) and when to use each
  • Know how Virtual IPs (VIPs) implement DNAT and that VIPs must be referenced in a firewall policy as the destination address
  • Understand FSSO: passive authentication, Collector Agent vs agentless vs DC Agent modes, and how FortiGate learns IP-to-user mappings
  • Can explain proxy mode vs flow mode: what each supports, how DLP works in both modes in FortiOS 7.6 (proxy provides deeper analysis), and latency trade-offs
  • Know SSL inspection types: certificate inspection (no decrypt) vs deep inspection (decrypt/re-encrypt, requires CA cert on endpoints)
  • Understand why security profiles (AV, IPS, web filter) cannot inspect HTTPS content without SSL inspection
  • Can explain IPsec IKE Phase 1 and Phase 2 parameters and why they must match on both peers
  • Know route-based vs policy-based IPsec VPN differences and when policy-based is needed
  • Understand SSL VPN web mode vs tunnel mode and the two requirements for tunnel mode (FortiClient + ssl.root firewall policy)
  • Can use key troubleshooting commands: diagnose debug flow, diagnose vpn ike gateway list, diagnose vpn tunnel list, get vpn ssl monitor
  • Scored 75%+ on at least two full mock exams. Aim for 85%+ to have a comfortable margin on exam day

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.

Frequently Asked Questions