NSE4 Question #133: Real Exam Question with Answer & Explanation
The correct answer is A: The traffic is blocked. In FortiGate NAT/Route mode, if no firewall policy explicitly matches traffic, it is implicitly blocked by the firewall's default deny-all rule.
Submitted by certguy · Apr 18, 2026 · Firewall Policies and Authentication
Question
In NAT/Route mode when there is no matching firewall policy for traffic to be forwarded by the Firewall, which of the following statements describes the action taken on traffic?
Options
- A. The traffic is blocked.
- B. The traffic is passed.
- C. The traffic is passed and logged.
- D. The traffic is blocked and logged.
Explanation
In FortiGate NAT/Route mode, if no firewall policy explicitly matches traffic, it is implicitly blocked by the firewall's default deny-all rule.
Common mistakes
- B. Passing traffic without a matching policy would create a significant security vulnerability, violating the fundamental purpose of a firewall.
- C. Traffic is not passed by default without a matching policy, and while logging for denied traffic can be configured, the default action itself is to block, not to pass.
- D. While traffic is indeed blocked, it is not necessarily logged by default when implicitly denied; explicit logging settings must be configured for implicit denies.
Concept tested: FortiGate implicit deny policy
Reference: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/86277/firewall-policies
Topics
#Firewall policies #Implicit deny #Traffic blocking #NAT/Route mode