(2025)NSE4_FGT_AD-7.6問題集と練習テスト(100問題)
ガイド(2025年最新)リアルなFortinet NSE4_FGT_AD-7.6試験問題
質問 # 31
Refer to the exhibit. Which two statements about the FortiGuard connection are true? (Choose two.)
- A. FortiGate is using the default port for FortiGuard communication.
- B. You can configure unreliable protocols to communicate with FortiGuard Server.
- C. FortiGate identified the FortiGuard Server using DNS lookup.
- D. The weight increases as the number of failed packets rises.
正解:C、D
解説:
FortiGate identified the FortiGuard Server using DNS lookup → The server is shown with a private IP (10.0.1.241), which indicates FortiGate resolved it via DNS or explicit override rather than using default FortiGuard anycast servers.
The weight value reflects server reliability. It decreases with good performance and increases as packet loss or failures rise, meaning higher weight indicates more failures.
質問 # 32
Refer to the exhibits. An administrator configured the Web Filter Profile to block access to all social networking sites except Facebook. However, when users try to access Facebook.com, they are redirected to a FortiGuard web filtering block page.
Based on the exhibits, which configuration change must the administrator make to allow Facebook while blocking all other social networking sites?

- A. Set the Social Networking action as warning in the FortiGuard Category Based Filter.
- B. Change the Feature set of Web Filter Profile as Proxy-based.
- C. Change the type as Simple in the Static URL Filter section.
- D. Set the Action as Exempt for www.facebook.com in the Static URL Filter.
正解:D
解説:
The FortiGuard category filter is blocking Social Networking, which includes Facebook. Although a static URL filter entry for www.facebook.com exists, its action is set to Monitor, so it does not override the category block. To allow Facebook while blocking other social networking sites, the action for www.facebook.com in the Static URL Filter must be set to Exempt. This explicitly bypasses category filtering for that URL.
質問 # 33
Refer to the exhibit. The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
- A. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
- B. Set the Freeware and Software Downloads category Action to Warning.
- C. Configure a web override rating for download.com and select Malicious Websites as the subcategory.
- D. Configure a separate firewall policy with action Deny and an FQDN address object for*.download.com as destination address.
正解:A、D
解説:
Creating a static URL filter to block download.com specifically allows blocking that site without affecting the entire category.
Using a separate firewall policy with a Deny action for an FQDN address object matching download.com can also block the site while allowing others in the same category.
質問 # 34
You are encountering connectivity problems caused by intermediate devices blocking IPsec traffic.
In which two ways can you effectively resolve the problem? (Choose two.)
- A. You can turn on fragmentation to fix large certificate negotiation problems.
- B. You can use SSL VPN tunnel mode to prevent problems with blocked ESP and UDP ports (500 or 4500).
- C. You should use the protocol IKEv2.
- D. You can configure a hub-and-spoke topology with SSL VPN tunnels to bypass blocked UDP ports.
正解:B、C
解説:
Using SSL VPN tunnel mode avoids issues with blocked ESP (IP protocol 50) and UDP ports (500/4500), since SSL VPN uses HTTPS (TCP 443), which is usually allowed.
Switching to IKEv2 helps with NAT traversal and firewall compatibility because it supports UDP encapsulation on port 4500 and is more robust than IKEv1.
質問 # 35
What are two features of the NGFW profile-based mode? (Choose two.)
- A. NGFW profile-based mode must require the use of central source NAT policy.
- B. NGFW profile-based mode can only be applied globally and not on individual VDOMs.
- C. NGFW profile-based mode supports applying applications and web filtering profiles in a firewall policy.
- D. NGFW profile-based mode policies support both flow inspection and proxy inspection.
正解:C、D
解説:
NGFW (Next Generation Firewall) profile-based mode in FortiGate allows policies to use both flow- based and proxy-based inspection modes, providing flexibility depending on security and performance requirements. Additionally, profile-based mode supports applying applications and web filtering profiles directly in a firewall policy, allowing granular control over the traffic.
質問 # 36
A new administrator is configuring FSSO authentication on FortiGate using DC Agent Mode.
Which step is NOT part of the expected process?
- A. FortiGate determines user identity based on the IP address in the FSSO list.
- B. The user logs into the windows domain.
- C. The DC agent sends login event data directly to FortiGate.
- D. The collector agent forwards login event data to FortiGate.
正解:D
解説:
In DC Agent Mode, the DC agent sends login event data directly to FortiGate without involving a collector agent.
質問 # 37
What are two features of FortiGate FSSO agentless polling mode? (Choose two.)
- A. FortiGate directs the collector agent to use a remote LDAP server.
- B. FortiGate does not support workstation check.
- C. FortiGate uses the AD server as the collector agent.
- D. FortiGate uses the SMB protocol to read the event viewer logs from the DCs.
正解:C、D
解説:
FortiGate uses the SMB protocol to read the event viewer logs from the DCs → In agentless polling mode, FortiGate connects directly to the AD domain controllers using SMB to collect logon events.
FortiGate uses the AD server as the collector agent → There is no external FSSO collector; instead, the FortiGate itself polls the AD servers, effectively treating them as the source of logon information.
質問 # 38
Refer to the exhibit. Which two statements are true about the routing entries in this database table? (Choose two.)
- A. The port2 interface is marked as inactive.
- B. The default route on port2 is marked as the standby route.
- C. All of the entries in the routing database table are installed in the FortiGate routing table.
- D. Both default routes have different administrative distances.
正解:B、D
解説:
The routing table in the exhibit shows two default routes (0.0.0.0/0) with different administrative distances:
The default route through port2 has an administrative distance of 20. The default route through port1 has an administrative distance of 10. Administrative distance determines the priority of the route; a lower value is preferred. Here, the route through port1 with an administrative distance of
10 is the preferred route. The route through port2 with an administrative distance of 20 acts as a standby or backup route. If the primary route (port1) fails or is unavailable, traffic will then be routed through port2. Regarding the statement that the port2 interface is marked as inactive, there is no indication in the routing table that port2 is inactive. Similarly, all the routes displayed are not necessarily installed in the FortiGate routing table, as the table could include both active and backup routes.
質問 # 39
A network administrator has enabled full SSL inspection and web filtering on FortiGate. When visiting any HTTPS websites, the browser reports certificate warning errors. When visiting HTTP websites, the browser does not report errors.
What is the reason for the certificate warning errors?
- A. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
- B. The browser does not trust the certificate used by FortiGate for SSL inspection.
- C. The option invalid SSL certificates is set to allow on the SSL/SSH inspection profile
- D. The matching firewall policy is set to proxy inspection mode.
正解:B
解説:
When full SSL inspection is enabled, FortiGate decrypts and re-signs HTTPS traffic using its own SSL inspection certificate. If the FortiGate CA certificate is not imported and trusted by the client's browser or OS, the browser sees it as untrusted and displays certificate warning errors. HTTP traffic is unaffected since it does not use certificates.
質問 # 40
Refer to the exhibits. An administrator wants to add HQ-ISFW-2 in the Security Fabric. HQ-ISFW-
2 is in the same subnet as HQ-ISFW. After configuring the Security Fabric settings on HQ-ISFW-
2, the status stays Pending.
What can be the two possible reasons? (Choose two.)
- A. Management IP must be set to 10.0.13.254.
- B. Upstream FortiGate IP must be set to 10.0.11.254.
- C. SAML Single Sign-On must be set to Manual.
- D. HQ-ISFW-2 must be authorized on HQ-ISFW.
正解:B、D
解説:
The Upstream FortiGate IP should match the IP address of the Fabric Root interface, which is
10.0.11.254, not 10.0.13.254.
The new device (HQ-ISFW-2) must be authorized on the Fabric Root (HQ-ISFW) before it can join the Security Fabric, otherwise the status remains pending.
質問 # 41
Which two statements are true regarding FortiGate HA configuration synchronization? (Choose two.)
- A. Checksums of devices will be different from each other because some configuration items are not synced to other HA members.
- B. Checksums of devices are compared against each other to ensure configurations are the same.
- C. Incremental configuration synchronization can occur from changes made on any FortiGate device within the HA cluster.
- D. Incremental configuration synchronization can occur only from changes made on the primary FortiGate device.
正解:B、C
解説:
After the initial synchronization is complete, whenever a change is made to the configuration of an HA cluster device (primary or secondary), incremental synchronization sends the same configuration change to all other cluster devices over the HA heartbeat link.
質問 # 42
What is the primary FortiGate election process when the HA override setting is enabled?
- A. Connected monitored ports > HA uptime > Priority > FortiGate serial number
- B. Connected monitored ports > Priority > System uptime > FortiGate serial number
- C. Connected monitored ports > Priority > HA uptime > FortiGate serial number
- D. Connected monitored ports > System uptime > Priority > FortiGate serial number
正解:C
解説:
When HA override is enabled, FortiGate uses the following election order: number of connected monitored ports, then device priority, followed by HA uptime, and finally FortiGate serial number as a tiebreaker.
質問 # 43
An administrator needs to analyze and resolve port conflicts between SSL VPN and HTTPS administrative access on the same interface.
In which two ways can this be done? (Choose two.)
- A. Keep port 443 for both SSL VPN and HTTPS administrative access on the same interface without any problems.
- B. Disable SSL VPN if HTTPS administrative access is using port 443 on any interface.
- C. Run SSL VPN on one interface using port 443 and enable HTTPS administrative access on a different interface, also using port 443.
- D. Change the port number for either the SSL VPN service or the HTTPS administrative service if both are on the same interface.
正解:C、D
解説:
You can keep port 443 for SSL VPN on one interface and also use port 443 for HTTPS admin access on a different interface. Since the services are bound to different interfaces, no conflict occurs.
If both SSL VPN and HTTPS admin access are required on the same interface, you must change the port number for one of the services to avoid a port conflict.
質問 # 44
Refer to the exhibit. What can you conclude from the log shown in the exhibit?
- A. The IPS session scan is paused and reevaluating the packet because of a dirty flag.
- B. The IPS scan is paused by the IPS diagnostic command with bypass mode option 5.
- C. The IPS socket buffer is full and IPS engine cannot decode a packet.
- D. The IPS socket buffer is full and IPS engine needs more memory to create new sessions.
正解:D
解説:
The log message IPS session scan paused, enter fail open mode indicates that the IPS socket buffer is full, meaning the IPS engine does not have enough memory to process new sessions.
As a result, FortiGate switches to fail-open mode, allowing traffic to pass (or temporarily dropping it) without full IPS scanning.
質問 # 45
You want to ensure that an SSL VPN user's authenticated session does not remain active after they disconnect from the VPN.
Which configuration will ensure this?
- A. Enable settings to force the firewall authentication session to end when the SSL VPN session ends
- B. Increase the SSL VPN idle timeout to reduce the chance of early disconnections.
- C. Configure the firewall authentication session timeout to be lower than the SSL VPN session timeout.
- D. Manually clear active firewall authentication sessions after a user disconnects.
正解:A
解説:
To ensure that an authenticated SSL VPN user session does not persist after disconnecting, you must enable the setting that forces the firewall authentication session to end when the SSL VPN session ends. This ensures that once the VPN disconnects, the associated firewall authentication state is immediately cleared, preventing unintended access.
質問 # 46
Refer to the exhibit. In the network shown in the exhibit, the web client cannot connect to the HTTP web server. The administrator runs the FortiGate built-in sniffer and gets the output shown in the exhibit.
What should the administrator do next, to troubleshoot the problem?
- A. Execute a debug flow.
- B. Capture the traffic using an external sniffer connected to port1.
- C. Run a sniffer on the web server.
- D. Execute another sniffer on FortiGate, this time with the filter "host 10.0.1.10".
正解:A
解説:
The sniffer output shows that packets from the web client are reaching the FortiGate and being forwarded to the web server, but there is no indication that the web server is responding. To troubleshoot this issue, executing a debug flow will help analyze the traffic path and pinpoint where the problem might be occurring, such as a possible issue in firewall policy or route settings that is causing the server not to respond correctly.
質問 # 47
......
NSE4_FGT_AD-7.6試験問題集パスできる2025年最新の認証された試験問題:https://www.passtest.jp/Fortinet/NSE4_FGT_AD-7.6-shiken.html
NSE4_FGT_AD-7.6試験問題リアルな最新問題PDF:https://drive.google.com/open?id=1oLSostdvn1I2wFHkX-bMSlEERa_tdZAV