
NSE 4 prep, Fortinet Network Security Expert Level 4 with ARIA

Here is the thing most candidates find out too late: NSE 4 is not one exam. It is two. You need to pass both NSE4_FGT-7.4 FortiGate Security and NSE4_FGT-7.4 FortiGate Infrastructure to earn the NSE 4 Network Security Professional designation. Engineers who sit and pass the first exam sometimes spend weeks wondering why their certification status has not updated. The answer is that they are halfway done. NSE 1, NSE 2, and NSE 3 are free self-paced online courses that Fortinet makes available to anyone. They do not appear on most job requirements and they are not proctored. NSE 4 is where Fortinet's track turns serious: it is the first commercially proctored level, it is held at Pearson VUE, and it signals real FortiGate operating competency to employers. I prep you across both exams with a single adaptive evaluation, a roadmap that covers Security and Infrastructure domains in sequence, and a pass guarantee tied to five measurable conditions.

Exam at a glance

Detail | Value
Provider | Fortinet
Exam codes | NSE4_FGT-7.4 FortiGate Security + NSE4_FGT-7.4 FortiGate Infrastructure (both required)
Full designation | Fortinet Certified Professional - Network Security (FCP) / NSE 4 Network Security Professional
FortiOS version | FortiOS 7.4
Duration | 105 minutes per exam
Question count | 60 questions per exam
Question format | Multiple choice, multiple select
Passing score | Not published by Fortinet
Exam fee | Approximately $400 USD per exam; included with authorized Fortinet training courses and often bundled by authorized training partners
Validity | 2 years
Delivery | Pearson VUE
Prerequisites | None formal; NSE 1-3 online courses recommended by Fortinet
Retake policy | 14-day wait after a failed attempt

What the two exams test

NSE 4 splits cleanly along two lines: Security covers the firewall and inspection policy stack, and Infrastructure covers routing, VPN, high availability, and SD-WAN. Both exams run on FortiOS 7.4. The split matters for prep sequencing because the Security exam is a natural starting point for engineers with general security backgrounds, while the Infrastructure exam rewards candidates who already understand routing protocols and site-to-site VPN design.

FortiGate Security exam domains

Firewall Policies. Policy types in FortiOS 7.4, the difference between NGFW policy mode and profile-based mode, IPv4 and IPv6 policy configuration, policy lookup order, and the implicit deny behavior at the bottom of every policy table. This is foundational: nearly every other Security domain topic depends on understanding how policies are evaluated.

Security Profiles. Antivirus scanning, web filtering categories, application control signatures, intrusion prevention (IPS) sensor configuration, and SSL/SSH inspection profiles. The key detail here is how profiles attach to policies and interact with each other. An SSL inspection profile that is not assigned to a firewall policy does nothing, and candidates who do not understand that attachment model lose points on scenario questions.

Authentication. Local user accounts, LDAP and RADIUS integration with FortiGate, firewall authentication prompts in policies, SSL VPN authentication with certificate and password methods, and FSSO (Fortinet Single Sign-On) for domain-joined environments. FSSO in particular generates a disproportionate share of exam questions relative to how often it is deeply understood in the field.

Logging and Monitoring. FortiAnalyzer integration for centralized logging, local disk logging on the FortiGate, log filter configuration, and FortiCloud logging as an alternative to an on-premises FortiAnalyzer. Log visibility questions tend to be straightforward once you understand where logs are stored and how filters are applied.

FortiGate Infrastructure exam domains

Routing. Static route configuration, OSPF and BGP on FortiGate (including redistribution), equal-cost multi-path (ECMP) behavior, and policy-based routing for traffic steering outside the normal routing table. FortiGate's routing is largely standard but has FortiOS-specific CLI patterns that trip candidates used to Cisco or Juniper syntax.

VPN. IPsec site-to-site tunnels using IKEv1 and IKEv2, SSL VPN in web mode versus tunnel mode (and when to use each), and ADVPN (auto-discovery VPN) for hub-and-spoke topologies where spoke-to-spoke traffic should not always traverse the hub. ADVPN is the most architecture-heavy topic on the Infrastructure exam.

High Availability. Active-passive and active-active HA cluster configuration, session synchronization between cluster members, failover behavior and timing, and virtual clustering for environments with multiple VDOMs. HA synchronization behavior is tested in scenario format frequently.
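The HA settings the scenario questions turn on, as an added FortiOS CLI example (not configuration from this page or from Fortinet's courseware). Group ID, password, port names and the management gateway are assumed values; the point is which knobs control session synchronization, failover triggers and failback.

```fortios
# Identical on every member except priority (and hostname). Assumed values
# throughout: group-id, password, port roles, management gateway.
config system ha
    set group-id 10                        # unique per L2 segment; sets the virtual MAC
    set group-name "FGT-Cluster"
    set mode a-p                           # active-passive; a-a adds load balancing
    set password "ClusterSecret!"          # shared by all members
    set hbdev "port3" 50 "port4" 50        # two dedicated heartbeat links, equal weight
    # Session synchronization: without this, every TCP session is dropped on failover
    set session-pickup enable
    set session-pickup-connectionless enable
    # Failover triggers: a monitored interface going down is treated like a member failure
    set monitor "port1" "port2"
    set priority 200                       # use 100 on the secondary
    # override disable = no automatic failback when the old primary returns,
    # which avoids a second outage; enable it only if you really want preemption
    set override disable
    # Out-of-band management address per member (not synchronized)
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 192.0.2.1
        next
    end
end

# Verification after both members are joined:
#   get system ha status                 primary/secondary roles, sync state
#   diagnose sys ha checksum cluster     per-member config checksums must match
#   execute ha manage 0 admin            log in to the other member through the heartbeat link
```

A cluster whose checksums differ is not in sync and will behave unpredictably on failover; fixing that comes before any discussion of failover timing.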

SD-WAN. FortiGate SD-WAN member interface configuration, performance SLA probes to measure link health, SD-WAN rules for traffic steering, and traffic shaping policies. The interaction between SD-WAN and the routing table is a reliable source of exam traps.

Common exam traps

NGFW mode versus profile-based mode cannot coexist

In NGFW policy-based mode, application control and web filtering are applied directly inside the security policy without separate profile objects. In profile-based mode, you create profile objects and attach them to policies. The mode is set per VDOM, and a VDOM cannot run both modes at once: switching modes removes the existing firewall policy table. Exam questions describe a scenario where a feature "is not available" and the answer is usually that the wrong operational mode is configured. Knowing which features live in which mode is not optional.
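What the two modes look like in the FortiOS CLI, as an added example rather than configuration from this page or from Fortinet's courseware. Interface names, policy IDs and the application signature ID are assumed. It shows the attachment model from the Security Profiles domain alongside the mode switch: in profile-based mode a profile object does nothing until a policy references it and has utm-status enabled, while in policy-based mode the Layer 7 criteria live in the security policy itself.

```fortios
# ---- Profile-based mode (per VDOM; root assumed) ----
config system settings
    set ngfw-mode profile-based
end

config firewall policy
    edit 10
        set name "LAN-to-WAN-inspected"
        set srcintf "port2"                  # assumed LAN interface
        set dstintf "port1"                  # assumed WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                       # per-policy NAT in this mode
        set logtraffic all
        # Attachment is what makes the profiles take effect. Omit utm-status
        # and every profile below is silently ignored.
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"   # built-in profile; needed for AV/web filter on HTTPS
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
    next
end

# ---- Policy-based NGFW mode (per VDOM) ----
# Switching removes the existing policy table; central NAT becomes mandatory.
config system settings
    set ngfw-mode policy-based
end

# Layer 4 policy: decides which sessions get SSL inspection/authentication
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set ssl-ssh-profile "deep-inspection"   # decryption must precede L7 matching
    next
end

# Layer 7 security policy: application and URL category are policy fields,
# not profile objects
config firewall security-policy
    edit 1
        set name "Web-allowed-proxies-blocked"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action accept
        set application 12345                  # assumed signature ID; use the Application Signatures list
        set av-profile "default"               # AV and IPS remain profile objects in this mode
        set ips-sensor "default"
        set logtraffic all
    next
end

# NAT moves out of the policy into the central SNAT table
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "all"
        set dst-addr "all"
    next
end
```

A scenario that says "application control is configured but the policy page shows no application field" is describing profile-based mode; one that says "the NAT option is missing from the policy" is describing policy-based mode with central NAT.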

SSL inspection requires distributing the CA certificate

When SSL deep inspection is enabled on a FortiGate policy, the firewall performs a man-in-the-middle on HTTPS sessions: it terminates the client's TLS session and presents a server certificate re-signed by its own CA. If that CA is not trusted by client browsers, every HTTPS site throws a certificate error. Candidates who enable deep inspection without distributing the CA certificate through Group Policy or MDM see widespread browser warnings and misdiagnose them as a network attack or a misconfigured site. The exam tests this scenario directly.
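The profile-side settings that decide which CA the clients have to trust, as an added FortiOS CLI example (not from this page or Fortinet's courseware). The profile name, the imported subordinate CA name "Corp-Sub-CA" and the FortiGuard category ID are assumed; Fortinet_CA_SSL and Fortinet_CA_Untrusted are the built-in certificates.

```fortios
config firewall ssl-ssh-profile
    edit "corp-deep-inspection"              # assumed profile name
        set comment "Deep inspection; clients must trust the re-signing CA"
        # re-sign = MITM with a CA the FortiGate holds. Fortinet_CA_SSL is the
        # factory default and is unique to each unit, so it has to be exported
        # and pushed to every client. Corp-Sub-CA (assumed name) stands for a
        # subordinate CA issued by the enterprise PKI and imported under
        # System > Certificates: clients already trust its root, so no
        # separate distribution is needed.
        set server-cert-mode re-sign
        set caname "Corp-Sub-CA"
        # Used when the origin server's own chain is invalid. Leave this CA
        # untrusted on clients so that a genuinely bad site still produces a
        # browser warning instead of a clean re-signed certificate.
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection       # certificate-inspection = no decryption, no CA needed
        end
        # Exempt what will break or should not be decrypted (pinned apps,
        # banking) instead of turning inspection off globally.
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31   # assumed category ID; verify against the FortiGuard list
            next
        end
    next
end
```

The quick field check: open any HTTPS site behind the policy and look at the issuer of the presented certificate. If it is the CA named in `caname`, inspection is working and the only remaining question is client trust; if the warning names `Fortinet_CA_Untrusted`, the origin server's chain failed validation and that is not a distribution problem.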

FSSO agent misconfiguration versus a FortiGate bug

FSSO works by getting domain logon events to the FSSO Collector Agent, either from DC Agents installed on the domain controllers or by the Collector Agent polling the domain controllers' security event logs, and the Collector Agent then sends user-to-IP mappings to FortiGate. When FSSO stops working, the failure almost always lives in the agent configuration or the domain controller connection, not in FortiGate itself. Exam scenarios that describe FSSO "not functioning" typically point to a collector agent issue. Candidates who jump to FortiGate firewall policy changes as the fix get the wrong answer.
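The FortiGate half of an FSSO setup together with the triage commands that separate an agent problem from a policy problem, as an added FortiOS CLI example (not from this page or Fortinet's courseware). The collector address, password, AD group DN, interface names and the "ERP-Servers" address object are assumed. It also illustrates the Authentication domain's point that FSSO groups are bound to policies like any other user group.

```fortios
# Connection to the collector agent (TCP 8000 by default). The password must
# match the "Authentication" password set in the collector agent.
config user fsso
    edit "DC-Collector"
        set server "10.0.0.10"                 # assumed collector host
        set password "ChangeMe!"               # assumed
    next
end

# An FSSO group is just a wrapper around AD groups reported by the collector
config user group
    edit "FSSO_Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=corp,DC=example"   # assumed DN
    next
end

# The group is matched passively: no prompt, the user-to-IP mapping decides
config firewall policy
    edit 20
        set name "Finance-to-ERP"
        set srcintf "port2"                    # assumed LAN
        set dstintf "port3"                    # assumed server segment
        set srcaddr "all"
        set dstaddr "ERP-Servers"              # assumed address object
        set groups "FSSO_Finance"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# Triage order when "FSSO is not working", top to bottom:
#   diagnose debug authd fsso server-status
#       "disconnected" here means agent host, port 8000, or password, not policy
#   diagnose debug authd fsso list
#       empty list with the collector connected means no logon events reach
#       the collector: DC agent not installed, polling account lacks event
#       log rights, or the workstation never produced a logon event
#   diagnose debug authd fsso refresh-groups
#       user listed but with the wrong groups: re-pull membership, then check
#       the group filter on the collector
# Only when a user appears with the right group and still fails does the
# firewall policy become the suspect.
```

The common real-world miss matches the exam trap: a user who logged on before the collector came up never generates a fresh event, so the mapping is absent even though everything is "configured correctly". A log-off and log-on, or a collector restart with workstation verification enabled, fixes that, not a policy edit.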

ADVPN shortcut behavior and hub routing

In a standard IPsec hub-and-spoke deployment, all spoke-to-spoke traffic routes through the hub. ADVPN changes this: when traffic between two spokes first crosses the hub, the hub signals the spokes to negotiate a direct IPsec shortcut tunnel, and subsequent traffic takes the shortcut. The exam tests this behavior in latency and bandwidth scenario questions. If a question asks why branch office traffic is slow on a hub-and-spoke network and offers ADVPN as a solution, the reasoning is that without it the hub adds its own hops and latency to every spoke-to-spoke packet, not just the first one.

SD-WAN, static routes, and policy evaluation order

SD-WAN members must have corresponding routes in the FortiGate routing table. An SD-WAN rule is evaluated before the routing table, but it can only steer a session out of a member that has a route to the destination, and the routing table still governs which interface return traffic uses. Engineers who configure SD-WAN members without understanding this layering end up with asymmetric routing or unpredictable steering. This is consistently reported as a source of confusion on r/fortinet and the Fortinet community forums, and it appears on the Infrastructure exam in scenario format.
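An SD-WAN configuration that makes the routing dependency explicit, as an added FortiOS CLI example (not from this page or Fortinet's courseware). Interface names, gateways, the probe target and the "LAN-net" address object are assumed. It covers the member, performance SLA and rule pieces from the SD-WAN domain and then the two things the exam trap hinges on: a route that covers every member, and a firewall policy that references the SD-WAN zone rather than the individual ports.

```fortios
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"              # default zone
        next
    end
    config members
        edit 1
            set interface "port1"            # assumed ISP A
            set gateway 203.0.113.1
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "port2"            # assumed ISP B
            set gateway 198.51.100.1
            set zone "virtual-wan-link"
        next
    end
    # Performance SLA: probe both members, define what "healthy" means
    config health-check
        edit "Internet-DNS"
            set server "8.8.8.8"             # assumed probe target
            set protocol ping
            set interval 500                 # ms
            set failtime 5
            set recoverytime 5
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 250    # ms
                    set jitter-threshold 50      # ms
                    set packetloss-threshold 2   # percent
                next
            end
        next
    end
    # Rule: prefer member 1, fall to member 2 when member 1 misses SLA 1
    config service
        edit 1
            set name "Internet-best-link"
            set mode sla
            set src "LAN-net"                # assumed address object
            set dst "all"
            config sla
                edit "Internet-DNS"
                    set id 1
                next
            end
            set priority-members 1 2
        next
    end
end

# The part that is usually missing: a rule cannot steer to a member that has
# no route. One static route on the zone installs a route via every member.
config router static
    edit 1
        set sdwan-zone "virtual-wan-link"
    next
end

# Policies reference the zone, not port1/port2; a policy on the raw port
# bypasses SD-WAN steering entirely.
config firewall policy
    edit 30
        set name "LAN-to-Internet"
        set srcintf "port3"                  # assumed LAN
        set dstintf "virtual-wan-link"
        set srcaddr "LAN-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Checks:
#   diagnose sys sdwan health-check   per-member latency/jitter/loss and SLA pass/fail
#   diagnose sys sdwan service        which rule a flow hits and the member order after SLA
#   get router info routing-table all a route through every member must be present
```

If `diagnose sys sdwan service` shows the rule selecting member 2 but `get router info routing-table all` has no route through port2, traffic still leaves port1: that is the "SD-WAN rule is ignored" symptom the scenario questions describe.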

How I prepare you for NSE 4

ARIA runs your NSE 4 prep across both exams without treating them as disconnected events.

My CAT evaluation covers Security and Infrastructure domains together. The output is a domain-by-domain skill estimate that lets me sequence your roadmap intelligently. If your baseline shows strong security fundamentals but weak routing and VPN knowledge, your roadmap front-loads the Security exam and uses that window to build Infrastructure domain coverage in parallel. If you come in with prior FortiGate administration experience, the evaluation will surface where your knowledge is shallow rather than assuming a clean slate.

Typical timelines. For engineers who have administered FortiGate firewalls in a production environment, six to ten weeks per exam is realistic. For candidates coming from a different firewall platform (Palo Alto, Check Point, Cisco ASA), add four to eight weeks to account for FortiOS-specific concepts and CLI patterns. For someone new to enterprise firewalls, fourteen to eighteen weeks across both exams is a reasonable baseline.

The daily task engine tracks your position in the roadmap, your error backlog, and your readiness decay. On NSE 4, the engine surfaces FortiOS configuration scenarios heavily because policy mode selection and security profile attachment are the concepts that decay fastest without active reinforcement. Every missed question is tagged by domain and returned in a different scenario context until the pattern sticks.

Practice sessions include SSL inspection scenarios, FSSO troubleshooting, HA failover walkthroughs, and ADVPN design questions. The demo test unlocks at 60 readiness, the gauntlet at 80. Both run in single-pass mode to match the Pearson VUE exam experience.

Pass guarantee

The pass guarantee is a database function with five mechanical conditions, not a marketing claim. Full conditions here.

  • NSE 7 covers the advanced Fortinet specialist track. NSE 4 is the entry point; NSE 7 is where the architecture and enterprise design depth lives.
  • PCNSA is the Palo Alto Networks Certified Network Security Administrator. If you are evaluating firewall vendor certifications, PCNSA and NSE 4 are the natural comparison points.
  • Security+ is a foundational vendor-neutral security certification. Engineers who want to establish broad security credibility before or alongside a vendor-specific firewall cert often pair the two.
  • CCNA (200-301) is worth considering for engineers who want stronger routing fundamentals before sitting the NSE 4 Infrastructure exam. The BGP and OSPF topics on NSE 4 Infrastructure are more manageable with solid CCNA routing knowledge behind them.

Start your NSE 4 roadmap

Start your NSE 4 roadmap with ARIA at claudelab.me

The 15-minute CAT evaluation tells you which of the two exams you are actually ready for and where the roadmap needs to start. Both exams are required, and the evaluation is free. The sooner I know your baseline, the tighter I can make your schedule.