Fortinet Certified Professional - FortiGate (FCP - FortiGate) Practice Exam
Validates the skills to deploy, configure, and operate FortiGate next-generation firewalls running FortiOS: deployment and system configuration, firewall policies and NAT, authentication and FSSO, SSL and IPsec VPN, security profiles (AntiVirus, Web Filter, Application Control, IPS), routing and SD-WAN, high availability, and logging, monitoring, and diagnostics. Formerly known as NSE 4.
Practice 730 exam-style Fortinet Certified Professional - FortiGate (FCP - FortiGate) questions with full answer explanations, then take timed mock exams that score like the real thing.
Question bank reviewed Jul 2026.
What the Fortinet Certified Professional - FortiGate (FCP - FortiGate) exam covers
- Deployment and system configuration88 questions
- Firewall policies and NAT110 questions
- Authentication and FSSO73 questions
- SSL and IPsec VPN102 questions
- Security profiles (AntiVirus, Web Filter, Application Control, IPS)131 questions
- Routing and SD-WAN95 questions
- High availability58 questions
- Logging, monitoring, and diagnostics73 questions
Free Fortinet Certified Professional - FortiGate (FCP - FortiGate) sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 730.
-
An administrator changes the HTTPS administrative access port on a FortiGate interface from the default 443 to 8443. What is the most likely reason for this change?
- APort 443 cannot be used with certificate based GUI login
- BPort 8443 is mandatory for joining a High Availability cluster
- CPort 443 is already used by another service like SSL VPNCorrect
- DPort 443 is reserved solely for FortiGuard licensing traffic
✓ Correct answer: CBoth the administrative GUI and the SSL VPN web portal can default to TCP port 443. When both services need to be reachable on the same interface, an administrator commonly moves one of them, often the GUI, to an alternate port such as 8443, to avoid a port conflict between the two services.
Why the other options are wrong- ACertificate based GUI login works fine on port 443; the port number itself does not affect certificate authentication.
- BHigh Availability cluster formation does not require the administrative HTTPS port to be changed to 8443.
- DPort 443 is not reserved exclusively for FortiGuard traffic; FortiGuard uses its own dedicated services and ports separate from admin GUI access.
-
After connecting to a factory default FortiGate and configuring basic interface addressing, what is typically still required before the device can forward traffic to the internet?
- AEnabling transparent mode on the internet facing interface
- BCreating a software switch containing the internet facing port
- CConfiguring a default route or static route to the gatewayCorrect
- DDisabling administrative access on the internet facing interface
✓ Correct answer: CEven with interfaces addressed, the FortiGate needs a way to know where to send traffic destined for networks it does not have a direct route to. Configuring a default static route, or an equivalent dynamic routing setup, pointing to the upstream gateway is a standard step in initial deployment before internet bound traffic can be forwarded.
Why the other options are wrong- AEnabling transparent mode changes the entire operation mode of the device and is not a routine step for reaching the internet in NAT mode.
- BA software switch merges local ports into one broadcast domain and has no bearing on reaching the internet.
- DDisabling administrative access affects only management of the FortiGate itself, not its ability to route traffic.
-
In a port block allocation IP pool, what does the block size setting control?
- AThe maximum count of VIPs that are allowed to reference the pool
- BThe total number of external addresses that are included in the pool
- CThe number of consecutive ports grouped into each subscriber's blockCorrect
- DThe number of firewall policies that are permitted to reference the pool
✓ Correct answer: CIn a port block allocation pool, the block size setting defines how many consecutive ports are grouped together into a single block that gets assigned to a subscriber at one time. A related setting controls how many such blocks a single subscriber may hold at once. Together these settings balance efficient port usage across many subscribers against giving each subscriber enough ports for their concurrent sessions.
Why the other options are wrong- APort block allocation pools are a source NAT construct and are not referenced by VIP objects, so there is no such limit on VIPs here.
- BThe number of external addresses in the pool is defined by the pool's configured address range, not by the block size setting.
- DAny number of firewall policies can reference the same IP pool object; block size has no bearing on that count.
-
In FSSO DC Agent mode, where must the DC Agent component be installed?
- AOn the FortiGate that will enforce the identity based firewall policies
- BOn a single dedicated Linux server that proxies all domain traffic
- COn every domain controller in the domain that FSSO is monitoringCorrect
- DOn each end user workstation that will be subject to firewall policies
✓ Correct answer: CIn DC Agent mode, a small agent is installed directly on each domain controller in the monitored domain so it can capture logon and logoff events as they occur and pass them to the Collector Agent. This gives near real time visibility into user logons across the whole domain. It does not run on FortiGate, on a separate Linux proxy, or on end user workstations.
Why the other options are wrong- AFortiGate only receives the resulting user-to-IP mapping from the Collector Agent; the DC Agent itself does not run on FortiGate.
- BFSSO does not use a dedicated Linux proxy to capture AD logon events; the agent runs on the Windows domain controllers themselves.
- DEnd user workstations are the systems being identified, not the systems that run the DC Agent software.
-
How does a remote user reach a specific SSL VPN realm instead of the FortiGate's default login page?
- ABy using a dedicated IKE port number assigned to that realm
- BBy connecting through a completely separate physical interface
- CBy installing a realm specific edition of the FortiClient app
- DBy appending the realm's identifier to the SSL VPN login URLCorrect
✓ Correct answer: DEach configured realm is reached through a distinct URL path or query parameter appended to the standard SSL VPN login address, rather than through separate hardware or client software. This lets a single FortiGate interface serve multiple differently branded or configured login experiences purely through URL based routing to the correct realm.
Why the other options are wrong- ARealms are an SSL VPN URL based construct and have no association with IKE ports, which belong to IPsec VPN.
- BRealms do not require a separate physical interface; they are reached via the same interface using a distinct URL.
- CThere is no realm specific edition of FortiClient; realms affect the SSL VPN portal and login page, not the client application.
-
When a remote user connects using SSL VPN tunnel mode, where does the private IP address assigned to their virtual adapter come from?
- AThe static IP address entered locally in FortiClient
- BThe tunnel IP range configured within SSL VPN settingsCorrect
- CThe public IP address block bound to the WAN interface
- DThe DHCP scope configured on the internal LAN interface
✓ Correct answer: BUnder SSL VPN Settings, administrators define an IPv4 (and optionally IPv6) tunnel range specifically for remote clients. When a tunnel mode session is established, the FortiGate leases one of these addresses to the client's virtual adapter, allowing routed communication with permitted internal resources for the duration of the session.
Why the other options are wrong- AThe client does not set its own tunnel address; FortiClient receives it dynamically from the FortiGate.
- CTunnel clients are given private addresses from the tunnel range, not public WAN addresses.
- DSSL VPN clients receive addresses from a dedicated tunnel IP range, not from a LAN DHCP scope.
-
An administrator sets the action for a specific application to Quarantine within an Application Control profile. What happens when FortiGate detects that application's traffic?
- AThe session is dropped and the source address is denied further access for a set timeCorrect
- BThe session is allowed once and flagged for administrator review only
- CThe session is dropped once and no further restriction is placed on the source
- DThe session is redirected to a captive portal for user authentication
✓ Correct answer: AQuarantine denies the matching session and additionally bans the offending source address from the network for a duration the administrator configures, similar in concept to how the IPS quarantine action works. This makes it more restrictive than a simple one-time block.
Why the other options are wrong- BQuarantine does not allow the session through; it denies the traffic outright rather than merely flagging it.
- CThis describes the Block action; Quarantine goes further by also banning the source address for a period of time.
- DApplication Control quarantine does not redirect users to a captive portal; that is a different mechanism entirely.
-
When a FortiGate evaluates its list of configured SD-WAN rules for a new session, in what order are the rules checked?
- AIn order of the strategy type, with Best Quality rules always evaluated first
- BIn order from lowest configured cost value to highest configured cost value
- CIn a randomized order that changes for every new session to balance load
- DFrom the top of the list downward, applying the first rule whose criteria matchCorrect
✓ Correct answer: DSD-WAN rules are evaluated sequentially from the top of the ordered list, and the first rule whose match criteria fit the session is the one applied, similar to firewall policy evaluation, with the implicit rule always remaining last as the catch-all. Rule order is not determined by cost value or strategy type, and it is never randomized per session.
Why the other options are wrong- AStrategy type does not determine evaluation order; rules of any strategy can appear anywhere in the list.
- BCost value is used within the Lowest Cost (SLA) strategy for member ranking, not to order the rule list itself.
- CRule evaluation order is deterministic and based on list position, not randomized per session.
-
Which per member setting is used by the Lowest Cost (SLA) strategy to rank the available members from least to most expensive when more than one member is currently meeting the SLA target?
- APriority, which is used to set a fixed preference order under Manual instead
- BRecovery Time, which is used to confirm a failed link before it is restored
- CCost, which is assigned to each member to represent its relative expenseCorrect
- DWeight, which is used to set traffic ratios under Maximize Bandwidth (SLA) instead
✓ Correct answer: CEach SD-WAN member can be assigned a Cost value, and the Lowest Cost (SLA) strategy uses this value to select the least expensive member among those currently passing the SLA target, switching to a pricier member only if cheaper ones fail. Weight instead governs distribution ratio under Maximize Bandwidth (SLA), Priority governs ordering under Manual, and Recovery Time is unrelated to expense ranking.
Why the other options are wrong- APriority governs the fixed order used by Manual, not cost based ranking.
- BRecovery Time is a health check stability parameter and does not represent expense.
- DWeight governs traffic distribution ratio for Maximize Bandwidth (SLA), not cost ranking here.
-
Which two of the following conditions can trigger an SNMP trap on FortiGate? (Select all that apply.)
- ACPU usage exceeding a configured alert threshold valueCorrect
- BAn interface on the device transitioning to a down stateCorrect
- CA user visiting a site that was blocked by web filtering
- DAn administrator changing the configured system time zone
✓ Correct answer: A, BFortiGate can be configured to send SNMP traps for operational events such as CPU usage crossing a defined threshold or an interface changing to a down state, giving the monitoring station immediate notice without waiting for the next poll. Security filtering actions like a web filter block are recorded in the logs rather than raised through the standard set of SNMP traps.
Why the other options are wrong- CWeb filter block events are recorded in security logs rather than raised as standard SNMP traps.
- DA time zone change is a configuration action, not one of the standard trap conditions.
Fortinet Certified Professional - FortiGate (FCP - FortiGate) practice exam FAQ
How many questions are in the Fortinet Certified Professional - FortiGate (FCP - FortiGate) practice exam on CertGrid?
CertGrid has 730 practice questions for Fortinet Certified Professional - FortiGate (FCP - FortiGate), covering 8 exam domains. The real Fortinet Certified Professional - FortiGate (FCP - FortiGate) exam has about 40 questions.
What is the passing score for Fortinet Certified Professional - FortiGate (FCP - FortiGate)?
The Fortinet Certified Professional - FortiGate (FCP - FortiGate) exam passing score is 700, and you have about 90 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official Fortinet Certified Professional - FortiGate (FCP - FortiGate) exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of Fortinet Certified Professional - FortiGate (FCP - FortiGate), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice Fortinet Certified Professional - FortiGate (FCP - FortiGate) for free?
Yes. You can start practicing Fortinet Certified Professional - FortiGate (FCP - FortiGate) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.