Fortinet NSE4_FGT_AD-7.6 Exam: Anyone Else Almost Get Burned by These Questions?

zorablue

New member
Studying for the NSE4_FGT_AD-7.6 exam and hit a question that looked simple until it wasn't.


Here's the scenario:


Question 1: FSSO Workstation Verification


FSSO is configured with a Collector Agent. A user logs in, but FortiGate skips the user-based policy entirely. The Collector Agent shows the login as successful. What's the most likely cause?

  • Workstation verification is enabled by default in some deployments
  • FortiGate pings the endpoint to confirm the user session is active
  • If the workstation blocks ICMP, FortiGate silently drops the user match
  • Fix: disable workstation verification or permit ICMP from FortiGate to endpoints



Question 2: SD-WAN Rule Matching Order


You have two SD-WAN rules. Rule 1 matches by destination address. Rule 2 matches by application. Traffic hits Rule 1 but you expected Rule 2 to apply. Why?

  • SD-WAN rules match top-down, first match wins
  • Application-based rules require traffic to be identified first, which takes a few packets
  • Early packets often match an address-based rule before the application is recognized
  • Fix: place application rules above address rules, or use the "best quality" strategy carefully



Question 3: Application Control Log Behavior


Application Control is enabled in a firewall policy, but application traffic shows no logs. IPS logging is active. What's missing?

  • Application Control has its own logging toggle, separate from IPS
  • "All Sessions" logging must be enabled under the Application Control profile
  • Without it, only blocked applications generate log entries



The actual answer comes down to workstation verification:


  • By default, FSSO uses DC Agent mode, which sends login events to the Collector Agent
  • If workstation verification is enabled, the FortiGate pings the workstation to confirm the user is still active
  • If the workstation blocks ICMP, the FortiGate marks the session as unverified and skips the user-based policy entirely
  • Fix: disable workstation verification, or allow ICMP from the FortiGate to the endpoint

The tricky part is that FSSO looks functional in the logs. The Collector Agent shows the login. But the policy still doesn't match because of that silent verification failure.


I've been using CertBoosters' NSE4_FGT_AD-7.6 Exam Questions to prep, and their scenario-based questions are close to this style. Worth a look if you want material that goes beyond straightforward config recall.


Have you run into similar FSSO traps in your studies or on the actual exam?
 
"Haha, almost got burned too! I'm taking NSE4 right now and I can attest that those ad-7.6 questions are sneaky tricky. I found that making a diagram of the FortiGate config on the question helped me visualize the setup and identify the correct config. Has anyone else used this method to tackle those questions?"