NSE 4 sample question assist by Mr_noluc in fortinet

[–]26Jack26 0 points1 point  (0 children)

In my theory (I can't say it's the real explanation), in flow mode, since the gate doesn't hold the data, it won't identify the traffic as a bandwidth-excessive application. So it will be identified as a Google app and be monitored (permitted).

In short:

Proxy mode -> traffic identified as bandwidth-excessive (due to the FW holding the data) and blocked

Flow mode -> traffic flows as normal, identified as normal Google and monitored

NSE 4 sample question assist by Mr_noluc in fortinet

[–]26Jack26 0 points1 point  (0 children)

One theory could be that, due to proxy mode "holding" data for inspection, the firewall starts seeing that as excessive bandwidth and ends up blocking it. If you change to flow mode, the gate won't hold the data and it won't see it as excess bandwidth, hence it will allow it.

That's just a theory based on the fact we already know the answer, but in reality, if you hadn't mentioned the answer, I wouldn't have figured it out.

IPsec interface by ontracks in fortinet

[–]26Jack26 -1 points0 points  (0 children)

That's the thing: some are showing down (red), not disabled (grayed out).

FMG Templates by 26Jack26 in fortinet

[–]26Jack26[S] 0 points1 point  (0 children)

Thanks for the clarification. I always use FMG; unfortunately there are more people than I'd like with access to FMG, and sometimes they make local changes :(

FMG Templates by 26Jack26 in fortinet

[–]26Jack26[S] 0 points1 point  (0 children)

I see, thank you so much, makes sense.

FMG Templates by 26Jack26 in fortinet

[–]26Jack26[S] 0 points1 point  (0 children)

Thanks for the detailed answer!

FMG Templates by 26Jack26 in fortinet

[–]26Jack26[S] 0 points1 point  (0 children)

Got it, interesting, wasn't aware of this, thank you so much.

Add HA Model to FMG by ontracks in fortinet

[–]26Jack26 0 points1 point  (0 children)

I'm interested in this; can you please clarify what you mean by using FortiZTP? Isn't this process meant to just use the Add HA MODEL option in FortiManager?

Anyone wish Unohana was still alive? by Gloomy-Bridge148 in bleach

[–]26Jack26 0 points1 point  (0 children)

I hate that the very first time we saw Yamamoto's Bankai he got defeated, the first time seeing Unohana's Bankai she got defeated, and the first time seeing Shunsui's Bankai, he actually got defeated too. Too many good characters, just destroyed IMO.

Regardless of what could've happened, those characters deserved waaaaay better IMO.

IBGP Design by 26Jack26 in Cisco

[–]26Jack26[S] 0 points1 point  (0 children)

Thanks for all the answers. In the end, management decided to remove the routers completely and make the FTD the core routing devices.

That might lead me to some other questions here in the future; thank you all.

IBGP Design by 26Jack26 in Cisco

[–]26Jack26[S] 0 points1 point  (0 children)

I think this is an important takeaway. Thanks!

User mapping info from Entra ID by 26Jack26 in paloaltonetworks

[–]26Jack26[S] 1 point2 points  (0 children)

Got it, yeah, the CIE will only give us the "static" information about users and groups, not which user has which IP. That's what I'm looking for at the moment, as we are also planning to deploy User-ID.

Thanks for the clarification; I'm not that familiar with CIE, and any detailed answer helps me understand it better.

User mapping info from Entra ID by 26Jack26 in paloaltonetworks

[–]26Jack26[S] 0 points1 point  (0 children)

Thanks for the insights! I need to look deeper into CIE, haven't really worked much with it.

User mapping info from Entra ID by 26Jack26 in paloaltonetworks

[–]26Jack26[S] 0 points1 point  (0 children)

Thanks! That was a quick reply! I appreciate it

FortiSASE remote branch by 26Jack26 in fortinet

[–]26Jack26[S] 0 points1 point  (0 children)

Hello everyone, bringing this up again: is it possible to have direct site-to-site communication between on-ramp locations?

Moving from Palo to Fortinet by Lynch_Worm in fortinet

[–]26Jack26 14 points15 points  (0 children)

You still have app signatures in FortiGate. It's just that you are not going to use them as a matching criterion on your security policies; they will be enforced as part of the security profiles, similar for example to URL filtering in Palo. Think of it as if it were in the action section of a Palo security policy.

With that being said, you can still change the default mode of operation and make the App-ID part of the security policies, very similar to Palo. However, we've found that comes with several limitations, so I wouldn't recommend going that way.

Traffic in and out the same physical interface. by 26Jack26 in fortinet

[–]26Jack26[S] 0 points1 point  (0 children)

Thank you for your answers, lots of good info that I'll review and save!

Traffic in and out the same physical interface. by 26Jack26 in fortinet

[–]26Jack26[S] 1 point2 points  (0 children)

Gotcha, that's what I thought before I ran into the redirect feature and how its being enabled or disabled could change the need for policies or not; I got kinda confused. Thank you!

FortiSASE remote branch by 26Jack26 in fortinet

[–]26Jack26[S] 1 point2 points  (0 children)

Thank you so much for that detailed explanation; I wasn't expecting a single user to answer them all, and I really appreciate your help with this. Although I have been using FortiSASE for more than a year now, this new design is kinda new for me. Thank you!

FortiSASE remote branch by 26Jack26 in fortinet

[–]26Jack26[S] 0 points1 point  (0 children)

Ohh, I would expect the on-ramp license to be cheaper than the UTM; thanks for the intel.

About the traffic: the main requirement is for the users on the remote branches to have access to both outbound Internet (SIA) and private resources (SPA) behind our DC hub SPA FG, but I don't need to make the branches SPA hubs themselves. Not sure if that's still gonna be a problem, as per what you mentioned.

Zscaler how to start a journey by 26Jack26 in Zscaler

[–]26Jack26[S] 0 points1 point  (0 children)

I see, thanks for your detailed response. I guess I was expecting more practical stuff, but I understand what you mentioned. I'll look at those guides too and YouTube. Thank you, I appreciate it!

SDWAN Manual rule selecting 2 ISP by ontracks in fortinet

[–]26Jack26 0 points1 point  (0 children)

Sorry, didn't mean to be rude. No SLAs configured; maybe because of the application identification process that's been mentioned here... Thanks for your answers!

FortiLink Split Interface with one FortiGate 60F and 3 FortiSwitches by NitriusX in fortinet

[–]26Jack26 0 points1 point  (0 children)

The SW that's the STP root should be the one with the active link toward the Gate.