Refer to the exhibit. The administrator configured SD-WAN rules and set the FortiGate traffic log page to display SD-WAN-specific columns: SD-WAN Quality and SD-WAN Rule Name. FortiGate allows the traffic according to policy ID 1 placed at the top. This is the policy that allows SD-WAN traffic. Despite these settings, the traffic logs do not show the name of the SD-WAN rule used to steer those traffic flows. What could be the reason?
Correct Answer: D
In FortiOS 7.6, SD-WAN steering decisions are recorded in traffic logs only when traffic matches an explicit SD-WAN rule (SD-WAN service rule). When no configured SD-WAN rule matches a session, FortiGate uses the implicit (default) SD-WAN rule/behavior to select a member (often resulting in load-balancing or default selection based on the configured SD-WAN algorithm).

In the exhibit, traffic is permitted by firewall policy ID 1, and the Destination Interface alternates between port1 and port2, but SD-WAN Rule Name remains empty. This is consistent with the sessions being forwarded by the implicit SD-WAN rule, which does not populate a named rule in the log columns.

Why the other options are not correct:
- A: SD-WAN rule name logging is not a "delayed display" behavior requiring refresh; it is populated per-session when an explicit rule matches.
- B: Application Control is not required for SD-WAN rule name to appear. Rule name logging depends on SD-WAN rule match, not on whether Application Control is enabled.
- C: Feature visibility affects GUI display options, but the exhibit already shows the SD-WAN columns enabled; the issue is that no explicit SD-WAN rule is being hit.
NSE4_FGT_AD-7.6 Exam Question 12
Refer to the exhibits. You have implemented the application sensor and the corresponding firewall policy as shown in the exhibits. Which two factors can you observe from these configurations? (Choose two.)
Correct Answer: A,B
From the exhibits:

The Application Control sensor has these key settings:
- Application and Filter Overrides:
  - Priority 1: Excessive-Bandwidth (Type: Filter) with Action Block
  - Priority 2: Google (Type: Filter) with Action Monitor
- Category actions shown include Social Media set to Block (this category includes Facebook).

The firewall policy is using:
- Flow-based inspection
- Application control enabled (profile: default)
- Deep inspection enabled (helps identify applications inside HTTPS)
- Logging enabled

FortiOS applies Application Control as follows (top-down within the Application Control profile):
- Overrides are evaluated by priority (highest priority first).
- The first matching override determines the action (block/monitor/allow) for that traffic.
- Category-based actions apply to applications that fall into those categories unless an override matches first.

Why A is correct
A). YouTube access is blocked based on Excessive-Bandwidth Application and Filter override settings.
The profile explicitly blocks the Excessive-Bandwidth behavior filter at the highest override priority. When YouTube traffic is detected as matching the Excessive-Bandwidth behavior, FortiGate will apply the Block action due to the override. Because this is a priority override, it is enforced before lower-priority entries.

Why B is correct
B). Facebook access is blocked based on the category filter settings.
The Application Sensor shows Social Media configured with a Block action. Facebook is categorized under Social Media, so it will be blocked when matched by Application Control.

Why C is not correct
C). Facebook access is allowed but you cannot play Facebook videos...
Since the Social Media category is set to Block, Facebook would be blocked at the category level (not merely video playback).

Why D is not correct
D). YouTube search is allowed based on the Google override...
The Google override action is Monitor, not Allow. "Monitor" logs/detects but does not override a block condition to "allow" traffic. Also, YouTube traffic is not guaranteed to be treated as "Google" in a way that would permit it, and any matching block condition (such as Excessive-Bandwidth) would still take precedence.
NSE4_FGT_AD-7.6 Exam Question 13
When configuring firewall policies which of the following is true regarding the policy ID? (Choose two.)
Correct Answer: B,C
According to the FortiOS 7.6 Administration Guide, the firewall policy ID is a unique numerical identifier assigned to each policy for internal database tracking and management purposes. It is important to distinguish the policy ID from the policy sequence. While the FortiGate processes traffic based on a top-down approach (the sequence), the policy ID itself does not determine the order of execution (Statement A is incorrect).

In FortiOS, once a policy is committed to the configuration, the policy ID cannot be modified (Statement B). If an administrator needs to change a policy ID, they must either delete and recreate the policy or use the clone command in the CLI to copy the settings to a new ID.

Furthermore, the CLI provides a specific shortcut for policy creation: you can create a policy with ID 0 (Statement C). When the command "edit 0" is used within the "config firewall policy" context, the FortiOS kernel automatically assigns the next available integer as the policy ID. This is a standard practice for efficient configuration via the command line.

Statement D is incorrect because, while every policy must have an ID, the GUI automatically generates this value without requiring the user to manually provide or even see it during the initial creation process.
NSE4_FGT_AD-7.6 Exam Question 14
Refer to the exhibits. The system performance output and default configuration of high memory usage thresholds on a FortiGate device are shown. Based on the system performance output, what are the two possible outcomes? (Choose two.)
Correct Answer: B,D
From the exhibits:

System performance output
- Memory used: 90%
- Free memory: ~5%

Default memory thresholds (FortiOS 7.6)
- memory-use-threshold-green 82%
- memory-use-threshold-red 88%
- memory-use-threshold-extreme 89%

Because memory usage (90%) exceeds the extreme threshold (89%), the FortiGate enters conserve mode.

Effects of conserve mode (FortiOS 7.6 - verified)

B). FortiGate has entered conserve mode. Correct.
When memory usage exceeds the red/extreme threshold, FortiGate automatically enters conserve mode. This is exactly the condition shown in the system performance output.

D). Administrators can change the configuration. Correct.
Even in conserve mode:
- Administrators can still log in (GUI, SSH, console)
- Configuration changes are allowed
FortiGate does not lock configuration access during conserve mode. This behavior is explicitly documented in the FortiOS 7.6 Conserve Mode section.

Why the other options are incorrect

A). Administrators can access FortiGate only through the console port. Incorrect.
Network access (GUI/SSH) is still available in conserve mode unless otherwise restricted. Console-only access is not a conserve-mode requirement.

C). FortiGate drops new sessions. Incorrect (as a general statement).
FortiGate may drop or bypass new inspection-required sessions depending on fail-open/fail-close settings. It does not universally drop all new sessions, so this statement is not always true.
NSE4_FGT_AD-7.6 Exam Question 15
What are two features of collector agent advanced mode? (Choose two.)
Correct Answer: B,D
"Also, advanced mode supports nested or inherited groups; that is, users can be members of subgroups that belong to monitored parent groups." "In advanced mode, you can configure FortiGate as an LDAP client and configure the group filters on FortiGate. You can also configure group filters on the collector agent." Collector Agent Advanced Mode provides deeper integration between FortiGate, LDAP, and Active Directory, compared to standard mode. Key features of Collector Agent Advanced Mode B). FortiGate can be configured as an LDAP client and group filters can be configured on FortiGate. Correct In advanced mode: FortiGate directly queries LDAP/AD User group filters are configured on FortiGate, not only on the Collector Agent This allows more flexible and scalable user/group-based policies D). Advanced mode supports nested or inherited groups. Correct Advanced mode supports: Nested AD groups Inherited group memberships This is one of the primary reasons advanced mode is used in complex AD environments Why the other options are incorrect A). Security profiles only to user groups Incorrect. Security profiles can be applied to users or groups, depending on policy configuration. C). Uses NetBIOS Domain\Username format Incorrect. NetBIOS naming is associated with standard mode Advanced mode typically uses LDAP DN-based identification