CertGrid
Security Study Guide

Fortinet Certified Professional - FortiGate (FCP - FortiGate) Study Guide

The FCP - FortiGate certification (formerly NSE 4) validates the ability to deploy, configure, and operate FortiGate next-generation firewalls running FortiOS. It is aimed at network and security professionals who administer FortiGate day to day, covering system setup, firewall policy and NAT, authentication and FSSO, SSL and IPsec VPN, security profiles, routing and SD-WAN, high availability, and logging and diagnostics.

Reviewed Jul 2026.

Domain 1: Deployment and system configuration

Key concepts you must know · 88 practice questions

Domain 2: Firewall policies and NAT

Key concepts you must know · 110 practice questions

Domain 3: Authentication and FSSO

Key concepts you must know · 73 practice questions

Domain 4: SSL and IPsec VPN

Key concepts you must know · 102 practice questions

Domain 5: Security profiles (AntiVirus, Web Filter, Application Control, IPS)

Key concepts you must know · 131 practice questions

Domain 6: Routing and SD-WAN

Key concepts you must know · 95 practice questions

Domain 7: High availability

Key concepts you must know · 58 practice questions

Domain 8: Logging, monitoring, and diagnostics

Key concepts you must know · 73 practice questions

Fortinet Certified Professional - FortiGate (FCP - FortiGate) exam tips

Study guide FAQ

What is the difference between route-based and policy-based IPsec VPN on FortiGate?

Route-based (interface mode) IPsec creates a virtual tunnel interface that participates in the routing table, uses standard accept firewall policies, and supports dynamic routing and ADVPN. Policy-based IPsec has no tunnel interface and instead uses the special IPsec policy action to trigger encryption, so it cannot run dynamic routing over the tunnel.

How do FSSO DC Agent mode and polling mode differ?

DC Agent mode installs an agent on every monitored domain controller that pushes logon and logoff events to the Collector Agent in near real time. Polling mode installs no agent on the DC and instead periodically reads the domain controller's security event log, which is simpler to deploy but can lag behind actual logon activity.

In what order does FortiGate evaluate firewall policies?

FortiGate checks policies top-to-bottom and applies the first policy that matches the traffic. Traffic that matches no policy is dropped by the implicit deny rule at the bottom, whose logging is off by default. Because order determines the match, more specific policies should be placed above broader ones.

What is the relationship between administrative distance and priority in FortiGate routing?

Administrative distance chooses between different routing sources and the lower value wins. Priority is a FortiGate-specific tiebreaker used only among routes that already share the same administrative distance, where the numerically lower priority value is installed into the FIB while the other route stays in the RIB as a standby.