Fortinet

NSE 4

Fortinet Network Security Expert 4 – FortiGate Infrastructure

Professional NSE4_FGT-7.4 Content Available

Master FortiGate infrastructure, VPN, SD-WAN, and security profiles with Fortinet's core professional exam.

Exam Code: NSE4_FGT-7.4
Duration: 105 minutes
Questions: 60
Passing Score: 70% or above
Validity: 2 years
Exam Cost: Varies by region (check Pearson VUE)

About NSE 4

The Fortinet NSE 4 – FortiGate Infrastructure exam (NSE4_FGT-7.4) is the core professional-level certification in the Fortinet Network Security Expert programme. It validates the ability to deploy, administer, and troubleshoot FortiGate next-generation firewalls in enterprise environments running FortiOS 7.4. The NSE 4 covers the complete FortiGate operational lifecycle — from virtual domains (VDOMs) and high availability clustering through firewall policy and NAT, IPsec and SSL VPN, SD-WAN with performance SLAs, and the full suite of FortiOS security profiles including antivirus, IPS, web filtering, and application control. Achieving NSE 4 is a prerequisite for higher NSE levels (NSE 5 – FortiManager/FortiAnalyzer, NSE 6, NSE 7) and is recognised by enterprise customers and managed security service providers worldwide as the benchmark for FortiGate expertise.

Prerequisites
  • NSE 1, NSE 2, and NSE 3 (recommended)
  • Basic networking knowledge (TCP/IP, routing, firewalling)
  • Recommended hands-on experience with FortiGate

What you need to know

6 domains, 75 objectives.

FortiGate Infrastructure & Administration
FortiOS architecture, VDOMs, administrative access, HA clustering, and firmware management.
20%
  • Describe the FortiOS software and hardware architecture (NP and CP ASICs, kernel modules)
  • Configure VDOMs (virtual domains) to create separate firewall instances on one physical device
  • Describe VDOM modes (NAT mode, transparent mode) and inter-VDOM links
  • Configure administrative accounts (local, LDAP, RADIUS, PKI) with appropriate profiles
  • Configure administrative access per interface (HTTPS, SSH, PING, SNMP, FMG-access)
  • Configure system settings (hostname, NTP, DNS, time zone, idle timeout)
  • Configure FGCP high availability in active-passive mode (heartbeat interfaces, priority, override)
  • Configure FGCP high availability in active-active mode with session pickup
  • Describe HA failover behaviour, override, and management IP access
  • Perform FortiOS firmware upgrade and verify upgrade path using the compatibility matrix
  • Manage configuration backups and restores (full backup, VDOM-specific)
  • Configure FortiGuard subscription services (AV, IPS, web filtering, application control)
  • Monitor system resources using the GUI dashboard and CLI diagnose commands
Firewall Policies & NAT
Security policies, policy routes, implicit deny, NAT, VIPs, IP pools, and DNAT.
25%
  • Describe FortiGate security policy architecture (interface-based, zone-based, VDOM-based)
  • Configure IPv4 security policies (source/destination interface, address, service, schedule, action)
  • Understand policy ordering and the implicit deny-all at the bottom of the policy table
  • Configure policy routes to override the routing table for specific traffic flows
  • Configure source NAT using IP pools (overload, one-to-one, fixed port range, port block allocation)
  • Configure destination NAT using Virtual IPs (VIPs) for port forwarding and full static NAT
  • Configure central NAT for centralised source NAT and DNAT management
  • Configure session helpers for protocols requiring ALG (FTP, SIP, TFTP, H.323)
  • Implement local-in policy to restrict management traffic to the FortiGate itself
  • Describe the deny action types (deny, reset, deny with ICMP)
  • Configure policy with application and user-based matching using NGFW policy mode
  • Verify policy hits and traffic using the FortiGate policy hit counters and traffic logs
  • Troubleshoot policy issues with diagnose debug flow and sniffer packet
SSL & IPsec VPN
IPsec VPN policy-based and route-based, IKEv1/v2, SSL-VPN web and tunnel mode, FortiClient.
20%
  • Describe IPsec VPN fundamentals (IKE, ISAKMP, SA, ESP, AH, NAT-T)
  • Configure a route-based IPsec VPN using the VPN wizard and manual configuration
  • Configure a policy-based IPsec VPN and understand the differences from route-based
  • Configure IKEv1 (main mode and aggressive mode) and IKEv2 parameters
  • Configure Phase 1 (IKE) and Phase 2 (IPsec) proposal settings (encryption, hash, DH group)
  • Configure IPsec tunnel monitoring with dead peer detection (DPD) and auto-negotiate
  • Configure SSL-VPN in web mode for clientless browser-based access
  • Configure SSL-VPN in tunnel mode with FortiClient for full network access
  • Configure SSL-VPN realms, portals, and bookmarks for access control
  • Configure two-factor authentication (FortiToken) for SSL-VPN and admin access
  • Configure client certificate authentication for SSL-VPN
  • Troubleshoot IPsec VPN issues (IKE failures, Phase 2 mismatches, routing issues)
  • Troubleshoot SSL-VPN connectivity using event logs and diagnose commands
  • Describe FortiClient endpoint integration (EMS, compliance, ZTNA basics)
Routing & SD-WAN
Static routing, OSPF, BGP, SD-WAN performance SLAs, load balancing, and SD-WAN rules.
15%
  • Configure static routes with administrative distance and priority for path preference
  • Configure default routes and floating static routes for failover
  • Configure policy routes to steer traffic based on source, destination, and service
  • Configure OSPF on FortiGate (areas, neighbours, redistribution, authentication)
  • Configure BGP on FortiGate (eBGP neighbours, route filtering, AS-path prepending)
  • Describe SD-WAN architecture and the benefits over traditional WAN routing
  • Configure SD-WAN members (interfaces) and SD-WAN zones
  • Configure SD-WAN performance SLA probes (ping, TCP echo, HTTP) with thresholds
  • Configure SD-WAN rules to steer traffic by application, user, or destination
  • Configure SD-WAN load balancing algorithms (volume, session, spillover, latency)
  • Monitor SD-WAN link health and failover using the GUI and CLI
  • Configure BGP over SD-WAN for overlay routing with ISP diversity
  • Verify routing and SD-WAN decisions (get router info routing-table, diagnose sys sdwan)
Security Profiles
Antivirus, IPS, web filter, application control, DNS filter, and email filter profiles.
15%
  • Describe the FortiGuard security subscription and update mechanisms
  • Configure antivirus profiles (file type inspection, flow vs proxy mode, FortiSandbox cloud)
  • Configure IPS sensor profiles with signature selection, severity filtering, and custom signatures
  • Configure IPS overrides and exceptions for legitimate traffic
  • Configure web filter profiles (FortiGuard categories, URL override, safe search, video filter)
  • Configure application control profiles using application signatures and categories
  • Configure DNS filter profiles to block malicious domains and redirect DNS queries
  • Configure email filter profiles (spam detection, FortiGuard Email Filter, DNSBL)
  • Apply security profiles to security policies in proxy mode and flow mode
  • Describe SSL/SSH inspection profiles and their impact on security profile visibility
  • Configure deep inspection (full SSL inspection) and certificate inspection modes
  • Configure a custom IPS signature for application-specific threat detection
  • Interpret security profile logs in FortiView and raw traffic logs
Logging & Monitoring
FortiAnalyzer integration, local logging, syslog, SNMP, and FortiView dashboard.
5%
  • Configure local logging to disk and memory with appropriate log severity levels
  • Configure log forwarding to FortiAnalyzer for centralised log management
  • Configure syslog forwarding to an external SIEM or log server
  • Configure SNMP v1/v2c/v3 for network management system integration
  • Use the FortiView dashboard for real-time traffic visibility and top-talker analysis
  • Interpret traffic logs, event logs, and security logs in the FortiGate GUI
  • Configure alert email notifications for critical events (HA failover, login failure, high CPU)
  • Use diagnose debug flow filter and enable debug commands for packet-level troubleshooting
  • Verify FortiAnalyzer connectivity and log transmission status

Study & Practice