[2026年02月] ベストFortinet NSE 4学習ガイドはNSE4_FGT_AD-7.6試験問題集
NSE4_FGT_AD-7.6認定ガイド問題と解答トレーニング
質問 # 26
Refer to the exhibits. A web filter profile configuration and firewall policy configuration are shown.
You are trying to access www.facebook.com, but you are redirected to a FortiGuard web filtering block page.
Based on the exhibits, what is the possible cause of the issue?


- A. The web filter profile feature set is configured incorrectly.
- B. For www.facebook.com, the URL filter action is incorrect.
- C. The firewall policy inspection mode is incorrect.
- D. The web rating override configuration is incorrect.
正解:D
解説:
The web filter profile shows a URL filter override for www.facebook.com with action Monitor, which should allow access. However, the block page shows FortiGuard categorizing www.facebook.com as Malicious Websites and blocking it. This indicates that the web rating override configuration is incorrect (the override is not applied properly), so FortiGuard's default category action takes precedence and blocks the site.
質問 # 27
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
- A. Use the VPN wizard to create an IPsec template for a redundant IPsec VPN tunnel.
- B. Enable Dead Peer Detection.
- C. In the phase1-interface, enable npu-offload to detect a dead tunnel.
- D. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
正解:B、D
解説:
Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel → This ensures that the primary tunnel is always preferred, and the secondary is only used when the primary route is unavailable.
Enable Dead Peer Detection → DPD allows FortiGate to quickly detect when the primary tunnel is down, enabling faster failover to the backup tunnel.
質問 # 28
An administrator manages a FortiGate model that supports NTurbo.
How does NTurbo acceleration enhance antivirus performance?
- A. For proxy-based inspection, NTurbo buffers the whole file and then sends it to the antivirus engine.
- B. For flow-based inspection, NTurbo establishes a dedicated data path to redirect traffic between the IPS engine and FortiGate ingress and egress interfaces.
- C. For proxy-based inspection, NTurbo offloads traffic to the content processor.
- D. For flow-based inspection, NTurbo creates two inspection sessions on the FortiGate device.
正解:B
解説:
With flow-based inspection, NTurbo improves antivirus performance by establishing a dedicated fast data path that redirects traffic between the IPS engine and the FortiGate ingress/egress interfaces. This reduces CPU overhead, allowing antivirus scanning to happen at higher throughput without requiring full proxy-based buffering.
質問 # 29
You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked. What FortiGate settings should you check to resolve this issue?
- A. FortiGuard category ratings
- B. Replacement Messages for UDP-based Applications
- C. Application and Filter Overrides
- D. Network Protocol Enforcement
正解:D
解説:
Network Protocol Enforcement settings control how FortiGate inspects and enforces protocols on traffic, including peer-to-peer applications on known ports. If not properly enabled, peer-to-peer traffic may bypass blocking despite the application control profile.
質問 # 30
Refer to the exhibits. An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access Facebook.com, they are redirected to a FortiGuard web filtering block page.
Based on the exhibits, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites?

- A. Set the Action as Exempt for www.facebook.com in the Static URL Filter.
- B. Change the Feature set of Web Filter Profile as Proxy-based.
- C. Set the Social Networking action as warning in the FortiGuard Category Based Filter.
- D. Change the type as Simple in the Static URL Filter section.
正解:A
解説:
The FortiGuard category filter is blocking Social Networking, which includes Facebook. Although a static URL filter entry for www.facebook.com exists, its action is set to Monitor, so it does not override the category block. To allow Facebook while blocking other social networking sites, the action for www.facebook.com in the Static URL Filter must be set to Exempt. This explicitly bypasses category filtering for that URL.
質問 # 31
Refer to the exhibit. What can you conclude from the log shown in the exhibit?
- A. The IPS socket buffer is full and IPS engine needs more memory to create new sessions.
- B. The IPS scan is paused by the IPS diagnostic command with bypass mode option 5.
- C. The IPS socket buffer is full and IPS engine cannot decode a packet.
- D. The IPS session scan is paused and reevaluating the packet because of a dirty flag.
正解:A
解説:
The log message IPS session scan paused, enter fail open mode indicates that the IPS socket buffer is full, meaning the IPS engine does not have enough memory to process new sessions.
As a result, FortiGate switches to fail-open mode, allowing traffic to pass (or temporarily dropping it) without full IPS scanning.
質問 # 32
Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, as well as the IP pool configuration and firewall policy objects.
The WAN (port1) interface has the IP address 10.200.1.1/24. The LAN (port3) interface has the IPaddress 10.0.1.254/24.
Which IP address will be used to source NAT (SNAT) the traffic, if the user on Local-Client (10.0.1.10) pings the IP address of Remote-FortiGate (10.200.3.1)?


- A. 10.200.1.1
- B. 10.200.1.99
- C. 10.200.1.149
- D. 10.200.1.49
正解:B
解説:
All_TCP doesn't include ICMP. So you would match rule ID 2, in which uses IP Poop remote 1.
質問 # 33
You have configured the FortiGate device for FSSO. A user is successful in log-in to windows, but their access to the internet is denied.
What should the administrator check first?
- A. Whether the user is assigned to the correct AD group.
- B. The FortiGate firewall policy settings for SSL decryption.
- C. The FortiGate FSSO active users list for user's IP address.
- D. The windows event viewer for failed login attempts.
正解:C
解説:
Checking the active users list verifies if FortiGate correctly associates the user with their IP address, ensuring proper policy enforcement for internet access.
質問 # 34
Refer to the exhibit. A network administrator is troubleshooting an IPsec tunnel between two FortiGate devices. The administrator has determined that phase 1 status is up, but phase 2 fails to come up.
Based on the phase 2 configuration shown in the exhibit, which two configuration changes will bring phase 2 up? (Choose two.)
- A. On HQ-NGFW, enable Diffie-Hellman Group 2.
- B. On HQ-NGFW. set Encryption to AES256.
- C. On BR1-FGT, set Remote Address to 10.0.11.0/255.255.255.0.
- D. On BR1-FGT, set Seconds to 43200.
正解:C、D
解説:
The key lifetime (Seconds) must match on both sides; BR1-FGT is set to 14400, so setting it to
43200 matches HQ-NGFW.
The remote address on BR1-FGT should match the HQ-NGFW's local subnet (10.0.11.0/24), but it is currently set incorrectly as 172.20.1.0/24. Changing it to 10.0.11.0/255.255.255.0 will align the Phase 2 selectors.
質問 # 35
You want to ensure that an SSL VPN user's authenticated session does not remain active after they disconnect from the VPN.
Which configuration will ensure this?
- A. Configure the firewall authentication session timeout to be lower than the SSL VPN session timeout.
- B. Manually clear active firewall authentication sessions after a user disconnects.
- C. Enable settings to force the firewall authentication session to end when the SSL VPN session ends
- D. Increase the SSL VPN idle timeout to reduce the chance of early disconnections.
正解:C
解説:
To ensure that an authenticated SSL VPN user session does not persist after disconnecting, you must enable the setting that forces the firewall authentication session to end when the SSL VPN session ends. This ensures that once the VPN disconnects, the associated firewall authentication state is immediately cleared, preventing unintended access.
質問 # 36
Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall configuration.
An administrator created a Deny policy with default settings to deny Webserver access for Remote-User2.
The policy should work such that Remote-User1 must be able to access the Webserver while preventing Remote-User2 from accessing the Webserver.
Which additional configuration can the administrator add to a deny firewall policy, beyond the default behavior, to block Remote-User2 from accessing the Webserver?
- A. Set the Destination address as Webserver in the Deny policy.
- B. Disable match-vip in the Allow_access policy
- C. Configure a One-to-One IP Pool object in a new policy.
- D. Set the Destination address as Deny_IP in the Allow_access policy.
正解:A
解説:
To block Remote-User2's access to the Webserver, the deny policy must explicitly specify the Webserver as the destination address; otherwise, it denies traffic to all destinations, which is not the desired behavior.
質問 # 37
You have configured the below commands on a FortiGate.
What would be the impact of this configuration on FortiGate?
- A. FortiGate will enable strict RPF on ail its interfaces and port1 will be enable for asymmetric routing.
- B. Port1 will be enabled with flexible RPF, and all other interfaces will be enabled for strict RPF
- C. The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces.
- D. FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks.
正解:D
解説:
The global setting enables strict source checking (RPF) on all interfaces by default. The per- interface setting disables the source check on port1, exempting it from strict RPF enforcement.
質問 # 38
Refer to the exhibit. The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
- A. Set the Freeware and Software Downloads category Action to Warning.
- B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
- C. Configure a separate firewall policy with action Deny and an FQDN address object for*.download.com as destination address.
- D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
正解:C、D
解説:
Creating a static URL filter to block download.com specifically allows blocking that site without affecting the entire category.
Using a separate firewall policy with a Deny action for an FQDN address object matching download.com can also block the site while allowing others in the same category.
質問 # 39
Refer to the exhibits. An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access Facebook.com, they are redirected to a FortiGuard web filtering block page.
Based on the exhibits, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites?
- A. Set the Action as Exempt for www.facebook.com
in the Static URL Filter. - B. Change the Feature set of Web Filter Profile as Proxy-based.
- C. Set the Social Networking action as warning in the FortiGuard Category Based Filter.
- D. Change the type as Simple in the Static URL Filter section.
正解:A
質問 # 40
Refer to the exhibit. In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.
What should the administrator do next, to troubleshoot the problem?
- A. Capture the traffic using an external sniffer connected to port1.
- B. Run a sniffer on the web server.
- C. Execute a debug flow.
- D. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".
正解:C
解説:
The sniffer output shows that packets from the web client are reaching the FortiGate and being forwarded to the web server, but there is no indication that the web server is responding. To troubleshoot this issue, executing a debug flow will help analyze the traffic path and pinpoint where the problem might be occurring, such as a possible issue in firewall policy or route settings that is causing the server not to respond correctly.
質問 # 41
Refer to the exhibit. An administrator has created a new firewall address to use as the destination for a static route. Why is the administrator not able to select the new address in the Destination field of the new static route?
- A. In the new firewall address, Routing configuration must be enabled.
- B. In the new static route, the administrator must select Named Address.
- C. In the new firewall address, the FQDN address must first beresolved.
- D. In the new static route, the administrator must first set the interface to port2.
正解:A
解説:
To use an FQDN-based address object as a destination in a static route, the "Routing configuration" option must be enabled in the firewall address settings. Without this, the address cannot be selected for routing.
質問 # 42
Refer to the exhibit. Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP?
- A. None of the inspected protocols are active in this profile.
- B. The Feature Set for the profile is Flow-based but it must be Proxy-based.
- C. Antivirus scan is disabled under System -> Feature visibility.
- D. FortiGate, with less than 2 GB RAM, does not support the Antivirus scan feature.
正解:A
解説:
The Antivirus scan switch is grayed out because none of the inspected protocols (HTTP, SMTP, POP3, IMAP, FTP, CIFS) have been enabled in the new antivirus profile. Until at least one protocol is turned on, FortiGate does not allow activation of the antivirus scan.
質問 # 43
Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)
- A. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device.
- B. Checksums of devices will be different from each other because some configuration items are not synced to other HA members.
- C. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster.
- D. Checksums of devices are compared against each other to ensure configurations are the same.
正解:C、D
解説:
After the initial synchronization is complete, whenever a change is made to the configuration of an HA cluster device (primary or secondary), incremental synchronization sends the same configuration change to all other cluster devices over the HA heartbeat link.
質問 # 44
Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, and the firewall policies, VIP, and IP pool configurations on the FortiGate device.
The WAN (port2) interface has the IP address 100.65.0.101/24.
The LAN (port4) interface has the IP address 10.0.11.254/24.
The first firewall policy has NAT enabled using the IP pool. The second firewall policy is configured with a VIP as the destination address.
Which IP address will be used to source NAT (SNAT) the internet traffic coming from a workstation with the IP address 10.0.11.50?



- A. 10.0.11.254
- B. 100.65.0.200
- C. 100.65.0.101
- D. 100.65.0.102
正解:D
解説:
Traffic from the workstation 10.0.11.50 going to the internet matches the Internet(1) policy (LAN
→ WAN) which has NAT enabled and is configured to use the IP Pool. The IP pool specifies the external address 100.65.0.102.
FortiGate will perform source NAT (SNAT) on the outbound traffic, translating the source IP of the workstation to 100.65.0.102.
質問 # 45
Refer to the exhibit, which shows a firewall policy to enable active authentication.
When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
What is the most likely reason for this situation?
- A. The Service DNS is required in the firewall policy.
- B. No matching user account exists for this user.
- C. The Remote-users group is not added to the Destination.
- D. The Remote-users group must be set up correctly in the FSSO configuration.
正解:A
解説:
For active authentication (such as captive portal) to trigger, the FortiGate must intercept the user's initial web request. This requires DNS traffic to pass through the FortiGate so it can redirect the request to the login page. If the firewall policy does not include the DNS service, the user's browser resolves domains directly, and the authentication portal is never triggered.
質問 # 46
Refer to the exhibit. The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to answer this specific request from the NOC team?
- A. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access
- B. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
- C. Move NOC_Access to the top of the list to ensure all profile settings take effect.
- D. Increase the admintimeout value under config system accprofile NOC_Access.
正解:D
解説:
The admintimeout setting in the admin access profile controls the inactivity timeout for GUI sessions. Increasing this value will extend the session duration before automatic disconnection.
質問 # 47
......
ベストFortinet NSE4_FGT_AD-7.6学習ガイドと問題集は2026年に更新されました:https://jp.fast2test.com/NSE4_FGT_AD-7.6-premium-file.html
NSE4_FGT_AD-7.6認定お試しPDF最新NSE4_FGT_AD-7.6問題集:https://drive.google.com/open?id=1oWsgVKV18d2tJ2evGHvsNUFnB43vqUD1