NSE4_FGT_AD-7.6 exam dump PDF, Fortinet NSE4_FGT_AD-7.6 exam questions deluxe trial set
Latest 2026 NSE4_FGT_AD-7.6 sample questions from a consistently trusted NSE4_FGT_AD-7.6 test engine
Fortinet NSE4_FGT_AD-7.6 certification exam topics:
| Topic | Exam scope |
|---|---|
| Topic 1 | |
| Topic 2 | |
| Topic 3 | |
| Topic 4 | |
| Topic 5 | |
Question # 67
When configuring a FortiGate in a multi-WAN setup, why would an administrator enable session preservation on an interface?
- A. To ensure that existing SSL VPN connections remain on the same interface even if route changes occur
- B. To improve security by forcing users to authenticate again when the WAN link changes
- C. To make sure all sessions without source NAT enabled always use the primary WAN link
- D. To allow the FortiGate to dynamically change interfaces for all active sessions when a WAN link fails
Correct answer: A
Explanation:
Enabling preserve-session-route on an interface keeps sessions that were established through that interface bound to it when the routing table changes (for example, when a WAN link recovers and a better route appears), instead of marking them dirty and re-routing them. Long-lived sessions such as SSL VPN connections therefore survive the route change without disruption.
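As an added example (not from the original page or Fortinet's documentation; the interface names and the client address in the session filter are assumptions), this is the per-interface setting described above together with the check for which interface a session is still bound to after a route change:

```fortios
# Added example: pin established sessions to the WAN interface they were created on
config system interface
    edit "wan1"
        set preserve-session-route enable    # keep existing sessions on wan1 when a better route appears
    next
    edit "wan2"
        set preserve-session-route enable
    next
end

# Check: list the sessions of one client (assumed address) and look at the 'dev=' ingress/egress
# pair and the state flags. A session that still shows the original egress interface after the
# route change, and is not flagged dirty, is preserved; without the setting the egress moves to
# the new best route.
diagnose sys session filter src 10.10.10.50
diagnose sys session list
diagnose sys session filter clear
```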
Question # 68
Refer to the exhibit.
The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to answer this specific request from the NOC team?
- A. Increase the admintimeout value under config system accprofile NOC_Access.
- B. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access.
- C. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
- D. Move NOC_Access to the top of the list to ensure all profile settings take effect.
Correct answer: C
Explanation:
In FortiOS 7.6, the GUI inactivity timeout that applies to an administrator is controlled by the admin profile, not by general access permissions or by the order of profiles.
How the GUI idle timeout works in FortiOS 7.6
FortiGate has a global admin timeout (admintimeout under config system global) that applies to every administrator.
An admin profile can override this value with its Override idle timeout setting (admintimeout-override in the CLI).
When Override idle timeout is enabled in an admin profile, the timeout value defined in that profile takes precedence over the global setting for the administrators who use that profile.
The exhibit shows that the NOC team logs in with the NOC_Access admin profile, so the timeout must be adjusted within that specific profile to keep their GUI sessions from disconnecting too early.
Why option C is correct
C). Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
This directly controls how long GUI sessions stay active while users assigned to NOC_Access are idle.
It affects only administrators using NOC_Access, which matches the request exactly, and it is the documented approach in FortiOS 7.6.
Why the other options are incorrect
A). Increase the admintimeout value under config system accprofile NOC_Access. The admintimeout value inside an admin profile is ignored until admintimeout-override is enabled in that profile, so raising it on its own changes nothing; the value that applies by default is admintimeout under config system global, and changing that affects all administrators, not just the NOC team.
B). Assign the super_admin role. Incorrect and insecure: super_admin does not control the idle timeout and would needlessly grant full privileges.
D). Move NOC_Access to the top of the list. Admin profile order has no effect on session timeout behavior.
Question # 69
An administrator has configured a dialup IPsec VPN on FortiGate with add-route enabled. However, the static route is not showing in the routing table. Which two statements about this scenario are correct? (Choose two.)
- A. The administrator must ensure phase 2 is successfully established
- B. The administrator must use a policy route instead of a static route for add-route to work properly.
- C. The administrator must enable a dynamic routing protocol on the dialup interface.
- D. The administrator must define the remote network correctly in the phase 2 selectors.
Correct answer: A, D
Explanation:
With a dialup IPsec VPN on FortiGate, add-route installs a route to the peer's networks only once the tunnel has negotiated enough information. In FortiOS 7.6 that means the route is derived from the Phase 2 (Quick Mode) selectors and is created dynamically when the IPsec SA is actually up.
A). The administrator must ensure phase 2 is successfully established
Required. FortiGate does not install the add-route route merely because Phase 1 is up or because the configuration exists. The route is added when the tunnel is usable, which requires the Phase 2 IPsec SA to be established. If Phase 2 is down there is no active SA, and no route is injected into the routing table.
So if the route is missing, one correct explanation is that Phase 2 is not up.
D). The administrator must define the remote network correctly in the phase 2 selectors
Also required. For dialup tunnels, FortiGate derives the route to add from the remote subnet(s) in the Phase 2 selector (proxy ID). If the remote network in Phase 2 is missing, wrong, or too broad or too narrow to negotiate, either the tunnel does not come up (so there is no route) or the installed route does not match what the administrator expects.
So another correct explanation is that the Phase 2 remote network is not correctly defined, which prevents the expected route from being created.
Why the other options are incorrect
B). Policy route instead of a static route
add-route does not require policy routes. It injects a routing-table entry associated with the IPsec tunnel and the negotiated Phase 2 selector networks.
C). Enable a dynamic routing protocol
Dynamic routing protocols (OSPF, BGP, RIP) are not required for add-route. add-route is independent of dynamic routing and installs routes locally from the negotiated selectors.
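The hub-side configuration the explanation describes, followed by the three checks to run when the route does not appear, as an added example (not from the original page or Fortinet's documentation; tunnel names, addresses and the pre-shared key are assumptions):

```fortios
# Added example: dialup IPsec hub with add-route, plus the checks for the injected route
config vpn ipsec phase1-interface
    edit "Dialup-Hub"
        set type dynamic                 # dialup: the remote gateway address is not known in advance
        set interface "port1"
        set peertype any
        set net-device disable           # one shared tunnel interface for all dialup peers
        set add-route enable             # install a route to each peer's negotiated Phase 2 networks
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "ExamplePSK-change-me"
    next
end
config vpn ipsec phase2-interface
    edit "Dialup-Hub-p2"
        set phase1name "Dialup-Hub"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.10.10.0 255.255.255.0   # hub LAN offered to the peer
        set dst-subnet 0.0.0.0 0.0.0.0             # accept the remote network the peer proposes
    next
end

# Checks when the route is missing:
# 1. Is Phase 2 up? A 'proxyid' line with sa=1 means the IPsec SA is established; sa=0 means it is not.
diagnose vpn tunnel list name Dialup-Hub
# 2. Which selectors did the peer propose? Compare the dst network with what the spoke administrator expects.
diagnose vpn ike gateway list name Dialup-Hub
# 3. Only once the SA is up should a route to the peer's network appear via the Dialup-Hub interface.
get router info routing-table all
```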
Question # 70
An administrator manages a FortiGate model that supports NTurbo.
How does NTurbo enhance performance for flow-based inspection?
- A. NTurbo offloads traffic to the content processor.
- B. NTurbo creates a special data path to redirect traffic between the IPS engine and its ingress and egress interfaces.
- C. NTurbo creates two inspection sessions on the FortiGate device.
- D. NTurbo buffers the whole file and then sends it to the antivirus engine.
Correct answer: B
Explanation:
NTurbo creates a special data path that redirects traffic from the ingress interface to the IPS engine and from the IPS engine to the egress interface, so flow-based inspection traffic avoids the slower kernel path on supported models.
Question # 71
Refer to the exhibits. An administrator has observed the performance status outputs on an HA cluster for 55 seconds.
Which FortiGate is the primary?
- A. HQ-NGFW-2 with the parameter memory-failover-threshold setting
- B. HQ-NGFW-1 with the parameter override setting
- C. HQ-NGFW-2 with the parameter priority setting
- D. HQ-NGFW-1 with the parameter memory-failover-flip-timeout setting
Correct answer: B
Explanation:
HA primary election compares, in order, the number of monitored interfaces that are up, then age (uptime), then the configured priority, and finally the serial number. Enabling override changes that order so that priority is compared before age; only then does the unit with the higher priority reliably become, and remain, the primary regardless of which unit has been up longer. The configuration in the exhibit shows HQ-NGFW-1 with the higher priority (200), and the 55-second performance output shows it carrying the load (higher resource usage and uptime) as the primary; the answer ties that role to the override setting, which is what makes the higher priority decisive. Note that if override is disabled on both units (set override disable), age is compared before priority and the higher priority alone would not explain the election, so read the override line in the exhibit rather than the priority alone. The memory-failover-threshold and memory-failover-flip-timeout parameters belong to memory-based failover and do not decide which unit is elected primary under normal conditions.
Question # 72
A FortiGate administrator is required to reduce the attack surface on the SSL VPN portal.
Which SSL timer can you use to mitigate a denial of service (DoS) attack?
- A. SSL VPN idle-timeout
- B. SSL VPN dtls-hello-timeout
- C. SSL VPN http-request-header-timeout
- D. SSL VPN login-timeout
Correct answer: C
Explanation:
config vpn ssl settings
set http-request-header-timeout <1-60>
end
This timer limits how long FortiGate waits for a client to finish sending an HTTP request header to the SSL VPN portal. Connections that send only a partial request are closed when it expires instead of holding portal resources open, which mitigates DoS attacks built on partial HTTP requests. The idle-timeout and login-timeout timers govern established or authenticating sessions, and dtls-hello-timeout governs DTLS negotiation, so they do not address this attack.
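The full set of SSL VPN timers named in the options, with the factory defaults noted beside tightened values, as an added example (not from the original page or Fortinet's documentation; the tightened values are assumptions chosen for illustration and should be tuned for real clients):

```fortios
# Added example: SSL VPN portal timers, defaults noted beside tightened values
config vpn ssl settings
    # Partial-request (slowloris-style) mitigation: header and body must arrive in time
    set http-request-header-timeout 10     # default 20 seconds, range 1-60
    set http-request-body-timeout 20       # default 30 seconds, range 1-60
    # The other timers from the question, shown for contrast (they do not address partial requests)
    set login-timeout 30                   # seconds allowed to complete authentication
    set idle-timeout 300                   # seconds of inactivity before an established session is dropped
    set dtls-hello-timeout 10              # seconds to wait for the DTLS hello
end

# Verify the running values
show full-configuration vpn ssl settings | grep timeout
```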
Question # 73
Refer to the exhibit. What can you conclude from the log shown in the exhibit?
- A. The IPS scan is paused by the IPS diagnostic command with bypass mode option 5.
- B. The IPS socket buffer is full and IPS engine cannot decode a packet.
- C. The IPS session scan is paused and reevaluating the packet because of a dirty flag.
- D. The IPS socket buffer is full and IPS engine needs more memory to create new sessions.
Correct answer: D
Explanation:
The log message "IPS session scan paused, enter fail open mode" indicates that the IPS socket buffer is full: the IPS engine does not have enough memory to create new sessions.
FortiGate then enters IPS fail-open mode. Whether the affected traffic passes without full IPS scanning or is dropped is governed by the fail-open setting under config ips global.
Question # 74
Refer to the exhibit, which shows a firewall policy to enable active authentication.
When attempting to access an external website using an active authentication method, the user is not presented with a login prompt.
What is the most likely reason for this situation?
- A. No matching user account exists for this user.
- B. The Remote-users group must be set up correctly in the FSSO configuration.
- C. The Service DNS is required in the firewall policy.
- D. The Remote-users group is not added to the Destination.
Correct answer: C
Explanation:
HTTP relies on DNS so that users can reach websites by name instead of by IP address. Active authentication is triggered when the user's first request for an authentication-capable protocol (such as HTTP) matches the policy, but that request never happens if the name lookup cannot complete: DNS is a base protocol that almost always has to pass before any authentication protocol traffic is seen. The DNS service must therefore be included in the services allowed by the policy (or permitted by a policy ahead of it) for the login prompt to appear.
Question # 75
Refer to the exhibit. The NOC team connects to the FortiGate GUI with the NOC_Access admin profile. They request that their GUI sessions do not disconnect too early during inactivity. What must the administrator configure to answer this specific request from the NOC team?
- A. Increase the admintimeout value under config system accprofile NOC_Access.
- B. Ensure that all NOC_Access users are assigned the super_admin role to guarantee access
- C. Increase the offline value of the Override Idle Timeout parameter in the NOC_Access admin profile.
- D. Move NOC_Access to the top of the list to ensure all profile settings take effect.
Correct answer: C
Explanation:
You can override the idle timeout setting per administrator profile using the Override Idle Timeout setting.
You can configure an administrator profile to increase the inactivity timeout and make the GUI easier to use for central monitoring. The Override Idle Timeout setting allows the admintimeout value under config system accprofile to override the global value on a per-profile basis.
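The CLI form of the change described in questions 68 and 75, as an added example (not from the original page or Fortinet's documentation; the profile name follows the exhibit, the timeout values are assumptions):

```fortios
# Added example: per-profile idle timeout override for the NOC team
config system global
    set admintimeout 5                    # global default: 5 minutes of inactivity logs an admin out
end
config system accprofile
    edit "NOC_Access"
        set admintimeout-override enable  # the GUI 'Override idle timeout' toggle
        set admintimeout 120              # minutes; only honored once the override is enabled
    next
end

# Verify: both lines must be present, otherwise the global value still applies to NOC_Access
show full-configuration system accprofile NOC_Access | grep admintimeout
```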
Question # 76
Refer to the exhibit, which shows an SD-WAN zone configuration on the FortiGate GUI.
Based on the exhibit, which statement is true?
- A. The d-wan zone contains no member.
- B. The underlay zone contains port1 and port2.
- C. The virtual-wan-link zone contains no member.
- D. The d-wan zone cannot be deleted.
Correct answer: A
Explanation:
virtual-wan-link is the default SD-WAN zone created when SD-WAN is enabled, and it is the zone that cannot be deleted. d-wan is a custom zone, and the exhibit shows it with no member interfaces, so option A is the true statement. Option B is incorrect because the underlay zone does not contain port1. Option D is incorrect because a custom zone such as d-wan can be deleted once it has no members; only the default virtual-wan-link zone is protected.
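The zone and member layout in CLI form, with the check that shows which zone each member belongs to, as an added example (not from the original page or Fortinet's documentation; interface names, gateways and the membership are assumptions that only mirror the explanation above):

```fortios
# Added example: SD-WAN zones and members from the CLI
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"    # default zone, always present, cannot be deleted
        next
        edit "underlay"            # custom zone
        next
        edit "d-wan"               # custom zone, currently empty
        next
    end
    config members
        edit 1
            set interface "port1"
            set zone "virtual-wan-link"
            set gateway 192.0.2.1
        next
        edit 2
            set interface "port2"
            set zone "underlay"
            set gateway 198.51.100.1
        next
    end
end

# Check membership per zone
diagnose sys sdwan member

# Deleting the default zone is refused; deleting an empty custom zone succeeds
config system sdwan
    config zone
        delete virtual-wan-link    # refused
        delete d-wan               # accepted because it has no members
    end
end
```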
Question # 77
Refer to the exhibits, which show the firewall policy and an antivirus profile configuration.

Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
- A. The firewall policy performs a full content inspection on the file.
- B. The intrusion prevention security profile must be enabled when using flow-based inspection mode.
- C. The option to send files to FortiSandbox for inspection is enabled.
- D. Flow-based inspection is used, which resets the last packet to the user.
Correct answer: D
Explanation:
In flow-based scanning, if a virus is detected the final packet is dropped, which makes the file unusable to the end user but does not produce a block page on that first attempt. FortiGate caches the URL of the infected file; if the user attempts the download again, the IPS engine sends the block replacement message instead of scanning the file a second time.
Question # 78
Refer to the exhibits. The exhibits show the application sensor configuration and the Excessive- Bandwidth and Apple filter details.
Based on the configuration, what will happen to Apple FaceTime if there are only a few calls originating or incoming?


- A. Apple Face Time will be blocked, based on the Excessive-Bandwidth filter configuration.
- B. Apple Face Time will be allowed, based on the Video/Audio category configuration.
- C. Apple Face Time will be allowed only if the Apple filter in Application and Filter Overrides is set to Allow.
- D. Apple Face Time will be allowed, based on the Apple filter configuration.
Correct answer: D
Explanation:
Apple FaceTime falls under the Video/Audio category and could be blocked by the Excessive-Bandwidth filter. In this configuration, however, an Application and Filter Override for the Apple vendor is set to Monitor, and overrides take precedence over category and filter actions. FaceTime is therefore allowed and logged rather than blocked, and with only a few calls it does not generate the excessive bandwidth usage the filter targets in any case.
Question # 79
Refer to the exhibits. The exhibits show a diagram of a FortiGate device connected to the network, as well as the firewall policy and IP pool configuration on the FortiGate device.
Two PCs, PC1 and PC2, are connected behind FortiGate and can access the internet successfully. However, when the administrator adds a third PC to the network (PC3), the PC cannot connect to the internet.
Based on the information shown in the exhibit, which two configuration options can the administrator use to fix the connectivity issue for PC3? (Choose two.)


- A. In the IP pool configuration, set type to overload.
- B. In the firewall policy, set match-vip to enable using the CLI.
- C. In the system settings, set Multiple Interface Policies to enable.
- D. In the IP pool configuration, set endip to 100.65.0.112.
Correct answer: A, D
Explanation:
The IP pool is configured as one-to-one with a range of only 100.65.0.110-100.65.0.111, which maps exactly two internal hosts (PC1 and PC2) to external addresses. When PC3 tries to reach the internet, no external IP is left to map it to, so its traffic fails.
To fix this, either:
- Change the IP pool type to overload, so that many internal IPs share the pool addresses through port address translation; or
- Extend the range by setting endip to 100.65.0.112 (or higher), so that PC3 also receives its own external address in the one-to-one mapping.
match-vip and Multiple Interface Policies are unrelated to source NAT pool exhaustion.
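The exhausted pool beside the two fixes, and the session check that shows which external address PC3 ends up with, as an added example (not from the original page or Fortinet's documentation; the pool name, policy, interface names and PC3's internal address are assumptions, the pool addresses follow the exhibit):

```fortios
# Added example: the exhausted one-to-one pool beside the two fixes
config firewall ippool
    edit "Internet_Pool"
        set type one-to-one              # each internal host needs its own pool address
        set startip 100.65.0.110
        set endip 100.65.0.111           # only two addresses: PC1 and PC2 consume both
    next
end

# Fix 1: let all hosts share the pool with port address translation
config firewall ippool
    edit "Internet_Pool"
        set type overload
    next
end

# Fix 2 (alternative): keep one-to-one and add a third address for PC3
config firewall ippool
    edit "Internet_Pool"
        set type one-to-one
        set endip 100.65.0.112
    next
end

# The policy that uses the pool is the same under either fix
config firewall policy
    edit 1
        set name "LAN-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "Internet_Pool"
    next
end

# Check: PC3's sessions (assumed internal address) should now show a translated source
# (act=snat with a 100.65.0.x address) instead of being absent from the session table
diagnose sys session filter src 10.0.0.13
diagnose sys session list
diagnose sys session filter clear
```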
Question # 80
Refer to the exhibits.
The system performance output and default configuration of high memory usage thresholds on a FortiGate device are shown.
Based on the system performance output, what are the two possible outcomes? (Choose two.)
- A. FortiGate drops new sessions.
- B. Administrators can change the configuration.
- C. FortiGate has entered conserve mode.
- D. Administrators can access FortiGate only through the console port.
Correct answer: B, C
Explanation:
From the exhibits:
System performance output
Memory used: 90%
Free memory: about 5%
Memory thresholds shown in the exhibit
memory-use-threshold-green 82%
memory-use-threshold-red 88%
memory-use-threshold-extreme 89%
(The FortiOS factory defaults are 82%, 88% and 95%; the extreme value in the exhibit is lower than the default.)
FortiGate enters conserve mode when memory usage rises above the red threshold and leaves it when usage falls back below the green threshold. Memory usage of 90% is above the red threshold (88%), so the unit is in conserve mode.
Effects of conserve mode
C). FortiGate has entered conserve mode.
Correct. Memory usage above the red threshold is exactly the condition shown in the system performance output.
B). Administrators can change the configuration.
Treated as correct by the answer key: administrators can still log in over the GUI, SSH and console, and FortiGate does not lock out administrative access in conserve mode. Note, however, that Fortinet's FortiGate Security training material (and question 89 on this page) lists refusing configuration changes among the effects of conserve mode, so check the memory figures in the exhibit against the thresholds before relying on this answer.
Why the other options are incorrect
D). Administrators can access FortiGate only through the console port.
Incorrect. Network access (GUI, SSH) remains available in conserve mode unless it is restricted for other reasons; console-only access is not a conserve-mode behavior.
A). FortiGate drops new sessions.
Incorrect as a general statement. Between the red and extreme thresholds, whether new sessions that require antivirus or IPS inspection are passed unscanned or dropped depends on the av-failopen and IPS fail-open settings, so FortiGate does not universally drop new sessions. Be aware that once usage exceeds the extreme threshold FortiGate does drop all new sessions until memory falls below it again; with the exhibit's extreme value of 89%, 90% is above that line, but the answer key keeps option A as incorrect on the general rule.
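The thresholds and the two fail-open settings that decide what happens to new sessions, with the commands that show whether conserve mode is active, as an added example that serves both this question and the IPS "fail open mode" log in question 73 (not from the original page or Fortinet's documentation; the values are assumptions for illustration, with 82/88/95 being the factory defaults):

```fortios
# Added example: memory thresholds and the fail-open behaviors that apply in conserve mode
config system global
    set memory-use-threshold-green 82     # leave conserve mode below this
    set memory-use-threshold-red 88       # enter conserve mode above this
    set memory-use-threshold-extreme 95   # drop all new sessions above this
    set av-failopen pass                  # AV in conserve mode: pass | off | one-shot | idledrop
    set av-failopen-session enable        # apply av-failopen when a proxy's session table is full
end
config ips global
    set fail-open enable                  # IPS engine out of buffer memory: pass traffic unscanned (disable = drop)
end

# Checks
get system performance status             # memory and CPU figures, as in the exhibit
diagnose hardware sysinfo conserve        # current thresholds and whether conserve mode is active
diagnose debug crashlog read              # kernel 'conserve=on/off' entries with timestamps
```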
Question # 81
A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.
Which step is NOT part of the expected process?
- A. The user logs into the windows domain.
- B. FortiGate determines user identity based on the IP address in the FSSO list.
- C. The collector agent forwards login event data to FortiGate.
- D. The DC agent sends login event data directly to FortiGate.
Correct answer: D
Explanation:
In DC Agent mode, the DC agent installed on each domain controller captures the logon events and forwards them to the collector agent; the collector agent consolidates them and forwards the user-to-IP information to FortiGate, which then identifies users by IP address from the FSSO list. The DC agent never sends login event data directly to FortiGate, so option D is the step that is not part of the process.
Question # 82
You have configured the below commands on a FortiGate.
What would be the impact of this configuration on FortiGate?
- A. FortiGate will enable strict RPF on all its interfaces and port1 will be exempted from RPF checks.
- B. FortiGate will enable strict RPF on all its interfaces and port1 will be enabled for asymmetric routing.
- C. The global configuration will take precedence and FortiGate will enable strict RPF on all interfaces.
- D. Port1 will be enabled with flexible RPF, and all other interfaces will be enabled for strict RPF
Correct answer: A
Explanation:
The global setting (strict-src-check enable under config system settings) enables strict reverse path forwarding on all interfaces in the VDOM, so a packet is accepted only if the best route back to its source is through the interface it arrived on. The per-interface setting (src-check disable on port1) turns the source check off for that interface, so port1 is exempted from RPF enforcement while the other interfaces remain strict. The per-interface setting is honored for its interface; it is not overridden by the global setting.
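The two settings the explanation refers to, together with the flow trace that shows an RPF drop, as an added example (not from the original page or Fortinet's documentation; interface names and the traced source address are assumptions):

```fortios
# Added example: strict RPF for the VDOM with one interface exempted
config system settings
    set strict-src-check enable    # strict RPF: the source must be reachable via the ingress interface's best route
end
config system interface
    edit "port1"
        set src-check disable      # no RPF check on port1 (where asymmetric return paths are expected)
    next
end

# Heavier alternative when asymmetric routing is intended everywhere: disables RPF and
# stateful checks for the whole VDOM, so avoid it unless it is really required
config system settings
    set asymroute enable
end

# Check: trace packets from one source and look for 'reverse path check fail, drop'
diagnose debug flow filter saddr 203.0.113.10
diagnose debug flow trace start 10
diagnose debug enable
# ... generate traffic, then stop tracing
diagnose debug disable
diagnose debug flow filter clear
```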
Question # 83
Refer to the exhibit.
Why is the Antivirus scan switch grayed out when you are creating a new antivirus profile for FTP?
- A. The Feature Set for the profile is Flow-based but it must be Proxy-based
- B. None of the inspected protocols are active in this profile.
- C. FortiGate. with less than 2 GB RAM. does not support the Antivirus scan feature.
- D. Antivirus scan is disabled under System -> Feature visibility
Correct answer: B
Explanation:
In FortiOS 7.6, the Antivirus scan master switch in an antivirus profile becomes available only after at least one supported protocol is enabled for inspection.
What the exhibit shows
A new antivirus profile named FTP_AV_Profile
Feature set: Flow-based
Antivirus scan switch grayed out
All Inspected Protocols (HTTP, SMTP, POP3, IMAP, FTP, CIFS) currently disabled
Why the Antivirus scan switch is grayed out
In FortiOS antivirus profiles the Antivirus scan toggle is a dependent control: it cannot be enabled unless at least one inspected protocol is selected, which prevents enabling AV scanning when there is no traffic type to scan. This behavior is documented in the FortiOS 7.6 antivirus profile configuration section.
Once you enable a protocol (for example, FTP), the Antivirus scan switch becomes active and configurable.
Why option B is correct
B). None of the inspected protocols are active in this profile.
All protocol toggles are off, so FortiGate disables (grays out) the Antivirus scan option. This is expected behavior.
Why the other options are incorrect
A). The Feature Set must be Proxy-based. Incorrect: antivirus scanning is supported in both flow-based and proxy-based modes.
C). FortiGate with less than 2 GB RAM does not support Antivirus scan. Incorrect: models with 2 GB of RAM or less lose proxy-based inspection features, not flow-based antivirus scanning, and that restriction is not what grays out this switch.
D). Antivirus scan is disabled under System > Feature Visibility. Incorrect: Feature Visibility controls whether the Antivirus feature appears in the GUI at all, not whether the scan switch inside a profile is enabled.
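The same profile with FTP enabled, applied to a policy, as an added example (not from the original page or Fortinet's documentation; the profile name follows the exhibit, the policy and address names are assumptions):

```fortios
# Added example: a flow-based antivirus profile for FTP with the protocol enabled
config antivirus profile
    edit "FTP_AV_Profile"
        set feature-set flow
        config ftp
            set av-scan block        # enabling a protocol is what makes the scan switch usable
        end
    next
end

# Verify the protocol is active in the profile
show antivirus profile FTP_AV_Profile

# The profile only inspects traffic on the policies that apply it
config firewall policy
    edit 10
        set name "Allow-FTP"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "FTP"
        set utm-status enable
        set av-profile "FTP_AV_Profile"
    next
end
```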
Question # 85
FortiGate is integrated with FortiAnalyzer and FortiManager.
When creating a firewall policy, which attribute must an administrator include to enhance functionality and enable log recording on FortiAnalyzer and FortiManager?
- A. Log ID
- B. Policy ID
- C. Sequence ID
- D. Universally Unique Identifier
Correct answer: D
Explanation:
In FortiOS 7.6, when FortiGate is integrated with FortiAnalyzer and FortiManager, firewall policies are identified by a Universally Unique Identifier (UUID) for policy tracking, synchronization and log correlation across devices.
Why the UUID is the right attribute
Every firewall policy in FortiOS carries a UUID, assigned automatically when the policy is created and kept for the life of the policy.
FortiManager uses the UUID to track policies across managed FortiGate devices and to keep policies consistent during installs and revisions.
FortiAnalyzer uses the UUID to correlate logs to the correct firewall policy, and the association survives changes to policy order or policy ID.
Without the UUID in the logs, policy-to-log mapping can break when policies are moved or renumbered, and FortiManager and FortiAnalyzer cannot correlate them reliably.
Why the other options are incorrect
B). Policy ID can change when policies are moved or recreated and is not reliable for long-term correlation across FortiManager and FortiAnalyzer.
C). Sequence ID reflects GUI ordering only and has no role in log correlation.
A). Log ID is generated per log event (it identifies the log message type), not per firewall policy.
Question # 86
Refer to the exhibit.
A RADIUS server configuration is shown.
An administrator added a configuration for a new RADIUS server. While configuring it, the administrator enabled Include in every user group. What is the impact of enabling Include in every user group in a RADIUS configuration?
- A. This option places all users into every RADIUS user group, including groups that are used for the LDAP server on FortiGate.
- B. This option places the RADIUS server, and all users who can authenticate against that server, into every FortiGate user group.
- C. This option places the RADIUS server, and all users who can authenticate against that server, into every RADIUS group.
- D. This option places all FortiGate users and groups required to authenticate into the RADIUS server, which, in this case, is FortiAuthenticator.
Correct answer: B
Explanation:
Based on the FortiOS 7.6 authentication and user group documentation, the correct answer is B.
Meaning of "Include in every user group" (FortiOS 7.6)
When configuring a RADIUS server on FortiGate, enabling Include in every user group (all-usergroup enable in the CLI) has one specific, documented effect:
The configured RADIUS server object is automatically added to all FortiGate user groups.
As a result, any user who successfully authenticates against that RADIUS server becomes a valid member of every FortiGate user group, unless additional group filtering (such as RADIUS attributes) is applied.
This simplifies configuration when the same external authentication source must be accepted by multiple firewall policies that reference different user groups. It also means that every policy using any user group now trusts that server, so the option should be enabled deliberately.
Why option B is correct
FortiGate user groups can include local users, LDAP servers and RADIUS servers.
Enabling Include in every user group causes FortiGate to insert the RADIUS server into all existing and future FortiGate user groups. Therefore, all users authenticating via this RADIUS server are implicitly allowed in every FortiGate user group, which is exactly what option B describes.
Why the other options are incorrect
A: LDAP and RADIUS are separate authentication mechanisms; this setting does not merge or affect LDAP groups.
C: FortiGate does not manage or modify RADIUS-side group definitions.
D: FortiGate does not push users or groups into the RADIUS server (here FortiAuthenticator); authentication is always initiated by FortiGate toward RADIUS.
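The setting in CLI form beside the scoped alternative the explanation hints at (membership of one group, filtered on a returned RADIUS attribute), with the two checks a practitioner would run, as an added example (not from the original page or Fortinet's documentation; the server address, secret, group names and test credentials are assumptions):

```fortios
# Added example: 'Include in every user group' beside a scoped alternative
config user radius
    edit "FAC-RADIUS"
        set server "10.0.0.5"
        set secret "ExampleSecret-change-me"
        set all-usergroup enable         # GUI: Include in every user group -> member of ALL user groups
    next
end

# Scoped alternative: add the server to one group only, matched on the Fortinet-Group-Name attribute
config user radius
    edit "FAC-RADIUS"
        set all-usergroup disable
    next
end
config user group
    edit "Remote-users"
        set member "FAC-RADIUS"
        config match
            edit 1
                set server-name "FAC-RADIUS"
                set group-name "VPN-Users"   # value the RADIUS server must return for membership
            next
        end
    next
end

# Checks: test authentication (shows the groups the server returns) and list active users
diagnose test authserver radius FAC-RADIUS pap alice ExamplePassword
diagnose firewall auth list
```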
Question # 87
Refer to the exhibit. The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
- A. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
- B. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
- C. Set the Freeware and Software Downloads category Action to Warning.
- D. Configure a separate firewall policy with action Deny and an FQDN address object for*.download.com as destination address.
Correct answer: A, B
Explanation:
You can create a web rating override to move download.com into a category that the web filter profile blocks, such as Malicious Websites, while the rest of the Freeware and Software Downloads category keeps its Allow action. Alternatively, you can enable the static URL filter in the web filter profile and add a wildcard block entry for download.com; the URL filter is evaluated before FortiGuard category filtering, so it overrides the category action for that site only. Setting the whole category to Warning (C) changes every site in the category, and a Deny policy with a wildcard FQDN address (D) works on resolved IP addresses rather than on URLs and is not a web filter solution.
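Both solutions in CLI form, as an added example (not from the original page or Fortinet's documentation; the profile and URL filter table names are assumptions, and category ID 26 for Malicious Websites is an assumption taken from the FortiGuard category list that should be confirmed on the unit):

```fortios
# Added example: block download.com two ways while leaving its category allowed
# Option A: static URL filter entry, evaluated before the FortiGuard category rating
config webfilter urlfilter
    edit 1
        set name "Corp-URL-Filter"
        config entries
            edit 1
                set url "*download.com"
                set type wildcard
                set action block
            next
        end
    next
end
config webfilter profile
    edit "Corporate"
        config web
            set urlfilter-table 1
        end
    next
end

# Option B: re-rate the site into a category the profile already blocks
config webfilter ftgd-local-rating
    edit "download.com"
        set status enable
        set rating 26      # assumption: FortiGuard category ID for Malicious Websites, confirm locally
    next
end

# Checks
show webfilter urlfilter
show webfilter ftgd-local-rating
```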
Question # 88
A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.
Which step is NOT part of the expected process?
- A. The user logs into the windows domain.
- B. FortiGate determines user identity based on the IP address in the FSSO list.
- C. The collector agent forwards login event data to FortiGate.
- D. The DC agent sends login event data directly to FortiGate.
Correct answer: D
Explanation:
In DC Agent mode, the DC agent installed on the domain controller captures the logon events (for example, Event ID 4624) in real time and pushes them to the collector agent. The collector agent, which runs as a service on a dedicated machine, consolidates this information and forwards it to the FortiGate. The FortiGate receives the user-to-IP data and uses the user's IP address to apply the appropriate security policies; the DC agent never sends login events directly to the FortiGate.
Question # 89
Refer to the exhibit.
Based on this partial configuration, what are the two possible outcomes when FortiGate enters conserve mode? (Choose two.)
- A. Administrators must restart FortiGate to allow new sessions.
- B. FortiGate drops new sessions requiring inspection.
- C. FortiGate skips quarantine actions.
- D. Administrators cannot change the configuration.
Correct answer: C, D
質問 # 90
......
Free trial Fortinet NSE4_FGT_AD-7.6 exam dump PDF, be sure to use the best dump option: https://www.jpntest.com/shiken/NSE4_FGT_AD-7.6-mondaishu
NSE4_FGT_AD-7.6 exam materials, Fortinet study guide: https://drive.google.com/open?id=1YgMXMC0FS4t8oyASBayXTzQXPCSW5mNZ