NSE4_FGT_AD-7.6 Exam Dumps - Fortinet Network Security Expert Questions and Answers

“To perform SSL inspection on traffic flowing through the FortiGate device, you must allow the traffic with a firewall policy and apply an SSL inspection profile to the policy. Note that an SSL inspection profile alone will not trigger a security inspection. You must combine it with other security profiles like Antivirus, Web Filter, Application Control, or IPS.”

“By default, firewall policies are set with the no-inspection SSL profile. Therefore, any encrypted traffic flows through uninspected... For antivirus or IPS control, you should use a deep-inspection profile. ”

“When you use deep inspection, FortiGate impersonates the recipient of the originating SSL session, and then decrypts and inspects the content to find threats and block them . It then re-encrypts the content and sends it to the real recipient. Deep inspection protects from attacks that use HTTPS and other commonly used SSL-encrypted protocols...”

Technical Deep Dive:

The correct answer is D . HTTP and FTP are working because FortiGate can inspect those payloads directly with the antivirus profile. HTTPS is different because the traffic is encrypted. If the firewall policy uses only certificate inspection or another non-decrypting SSL mode, FortiGate can identify certificate/SNI information, but it cannot see the downloaded file contents. Without decrypting the HTTPS session, the antivirus engine never receives the payload to scan, so EICAR or other malware can pass.

Why the other options are wrong:

A is not the issue here. The exhibit shows the antivirus profile and policy are already aligned for proxy-based operation, and the failure is specific to HTTPS visibility.

B is wrong because web filter is not required for antivirus scanning.

C is wrong because firewall policies commonly use ACCEPT with security profiles; the antivirus engine can still block the file after policy match. The study guide explicitly says ACCEPT allows the session and then applies antivirus scanning and other packet-processing features.

To fix it, apply deep-inspection on the firewall policy:

config firewall policy

edit < policy-id >

set ssl-ssh-profile " deep-inspection "

set av-profile " HTTP_AV_Profile "

next

end

On real FortiGate hardware, this also has performance implications. Simple flow handling can often stay on accelerated paths, but full SSL deep inspection forces decryption and content scanning through the inspection engine, increasing CPU/WAD workload.

When the Application sensor receives traffic on that port, the protocol decoder will try to determine if the received data matches the HTTPS traffic In this case it will not match because it is P2P traffic, so this will class as violation and blocked The protocol decoder also try to determine what type of traffic it is, and even if it could not figure out it is P2P traffic, it still count as a violation because even though it does not know what it is, it knows for fact it is not HTTPS

NetAPI: Polls temporary sessions created on the DC when a user logs on or logs off and calls the NetSessionEnum function on Windows. It’s faster than the WinSec and WMI methods; however, it can miss some logon events if a DC is under heavy system load. This is because sessions can be quickly created and purged form RAM, before the agent has a chance to poll and notify FG.

In FortiSASE Secure Internet Access (SIA) agent-based mode, traffic steering and security enforcement rely on components integrated with the FortiClient agent.

Components used in SIA agent-based mode

A. FortiSASE Firewall-as-a-Service (FWaaS)

Correct.

FWaaS is a core security component of FortiSASE.

It enforces firewall policies, security inspection, and access control for agent-based users.

All user traffic tunneled by the agent is inspected by FWaaS.

C. VPN policies

Correct.

In agent-based mode, the FortiClient establishes a secure tunnel to FortiSASE.

VPN policies define:

Authentication

Access control

Traffic steering

These policies are fundamental to agent-based connectivity.

Why the other options are incorrect

B. Proxy auto-configuration (PAC) filePAC files are used in agentless or proxy-based modes, not agent-based SIA.

D. FortiExtenderFortiExtender is a WAN extension device and is unrelated to FortiSASE SIA agent-based architecture.

“By default, you can select only a single interface as the incoming interface and a single interface as the outgoing interface. This is because the option to select multiple interfaces, or any interface in a firewall policy, is disabled on the GUI. However, you can enable the Multiple Interface Policies option on the Feature Visibility page to disable the single interface restriction.”

“You can also specify multiple interfaces, or use the any option, if you configure a firewall policy on the CLI, regardless of the default GUI setting.”

Technical Deep Dive:

The correct answer is D .

The policies are identical except for the incoming interface : one is for Sales and one is for Engineering . FortiGate GUI policy creation normally restricts you to one incoming interface per policy. To consolidate both into a single GUI policy, the administrator must enable Multiple Interface Policies so both port1 and port2 can be selected in the same rule.

Why the others are wrong:

A is not enough, because policy matching also includes the incoming interface , not just the source subnets.

B changes the network design and is unnecessary.

C would work too broadly by matching traffic from any interface, which is not the intended controlled consolidation.

A matching CLI-style concept would be:

config firewall policy

edit < id >

set srcintf " port1 " " port2 "

set dstintf " < server-interface > "

set srcaddr " Sales_Subnet " " Engineering_Subnet "

set dstaddr " < web-server > "

set service " HTTP " " HTTPS "

set action accept

next

end

That preserves a single policy while still being specific about which interfaces are allowed.

In FortiOS 7.6, when FortiGate is integrated with FortiAnalyzer and FortiManager, firewall policies rely on a Universally Unique Identifier (UUID) to ensure proper policy tracking, synchronization, and log correlation across devices.

Why the UUID is required

Every firewall policy in FortiOS has a UUID.

FortiManager uses the UUID to:

Track policies across managed FortiGate devices

Maintain policy consistency during installs and revisions

FortiAnalyzer uses the UUID to:

Correlate logs accurately to the correct firewall policy

Preserve log association even if policy order or policy ID changes

Without a UUID:

Policy-to-log mapping can break

FortiManager cannot reliably manage or synchronize policies

FortiAnalyzer log analysis becomes inconsistent

This is explicitly documented in Fortinet administration and logging architecture references.

Why the other options are incorrect

B. Policy IDPolicy ID can change when policies are moved and is not reliable for long-term correlation across FortiManager and FortiAnalyzer.

C. Sequence IDSequence ID reflects GUI ordering only and has no role in log correlation.

D. Log IDLog ID is generated per log event, not per firewall policy.

From the current HA status, HQ-NGFW-1 is the primary and HQ-NGFW-2 is the secondary.

The administrator then changes these HA parameters:

HQ-NGFW-1: set override disable, set priority 90

HQ-NGFW-2: set override enable, set priority 110

In FGCP (A-P mode), the override (preemption) feature controls whether a higher-priority unit is allowed to take over the primary role.

When override is enabled, the cluster will prefer (and can re-elect) the unit with the highest device priority to become primary (preempting a lower-priority primary when conditions trigger re-election behavior as defined by FGCP).

Here, HQ-NGFW-2 has:

override enabled

higher priority (110) than HQ-NGFW-1 (90)

Therefore, the expected result is that HQ-NGFW-2 becomes the primary.

Why the other options are incorrect:

B is incorrect because it claims HQ-NGFW-2 has lower priority (it is higher: 110 > 90).

C is incorrect because a mismatch in the override setting is not what causes the “configuration out of sync” condition shown in get system ha status (that is about synchronized configuration databases, not a requirement that override values must match to remain in-sync).

D is incorrect because HA settings like override/priority are not synchronized in the way regular configuration objects are; they are device-level HA parameters.

“As previously stated, collector agent-based polling mode has three methods (or options) for collecting login information. The order on the slide from left to right shows most recommend to least recommended:

• WMI ...

• WinSecLog ...

• NetAPI ...”

Technical Deep Dive:

The correct three AD polling methods are WMI, WinSecLog, and NetAPI . These are the collector-agent polling options FortiGate FSSO uses against Windows domain controllers. WMI is generally the most efficient because the DC returns requested login events directly. WinSecLog polls Windows Security Event Logs and is typically more reliable than NetAPI for not missing recorded logons. NetAPI can be faster, but it is more prone to missing events under load because it depends on temporary session information rather than persistent security logs.

Why the other options are wrong:

DNS reverse lookup is not one of the three AD polling methods. DNS is used by FSSO to resolve workstation names to IP addresses and to track IP changes, but it is not itself a polling method for collecting AD logon events. FSSO REST API is also not one of the documented collector-agent AD polling methods in the study guide.

From an operational standpoint, FSSO login collection and workstation verification are separate functions. The collector agent may still rely on DNS and workstation checks after a login is learned, but the actual AD polling methods remain only WMI, WinSecLog, and NetAPI . On a FortiGate, when troubleshooting FSSO behavior, you would typically validate the collector feed and user cache with commands such as:

diagnose debug authd fsso list

diagnose debug authd fsso server-status

Those commands help confirm whether the users gathered by the collector through one of those three polling methods are reaching FortiGate correctly.

“You may need to exempt traffic from SSL inspection if it is causing problems with traffic, or for legal reasons.”

“Performing SSL inspection on a site that is enabled with HTTP Strict Transport Security (HSTS), for example, can cause problems with traffic. Remember, the only way for FortiGate to inspect encrypted traffic is to intercept the certificate coming from the server and generate a temporary one. After FortiGate presents the temporary SSL certificate, browsers that use HSTS refuse to proceed.”

“Laws protecting privacy might be another reason to bypass SSL inspection. For example, in some countries, it is illegal to inspect SSL bank-related traffic. Configuring an exemption for sites is simpler than setting up firewall policies for each individual bank. You can exempt sites based on their web category, such as Finance and Banking...”

“The predefined deep-inspection and custom-deep-inspection profiles exclude some web categories—Finance and Banking, and Health and Wellness—and some FQDN addresses...”

Technical Deep Dive:

The correct answers are B and D .

B is correct because the study guide explicitly says SSL inspection may be bypassed for legal reasons , especially where privacy laws restrict inspection of sensitive categories such as Finance and Banking . The same privacy rationale also explains why Health and Wellness is commonly exempted.

D is correct because some sites break under deep inspection due to HSTS . FortiGate must generate and present a temporary certificate during full SSL inspection, and browsers enforcing HSTS can reject that interception flow. That is why some sites are exempted from deep inspection.

Why the others are wrong:

A is not stated in the guide.

C refers to the separate Reputable websites option, which is a FortiGuard-maintained allowlist feature, not the reason the predefined categories shown in the exhibit are excluded.

From an operational standpoint, this is a classic balance between security visibility and application/legal compatibility . Deep inspection gives FortiGate payload visibility, but it can interfere with pinned-certificate/HSTS behavior and can violate privacy policy for regulated content.