Practice NSE7 Advanced Threat Protection questions with full explanations on every answer.
1. A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?
2. A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?
3. A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?
4. A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?
5. A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?
6. Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?
7. Which THREE actions should be taken to optimize FortiGate ATP performance while maintaining security?
8. Refer to the exhibit. An administrator notices that some malware files are not being detected by FortiGate. The antivirus profile uses flow-based scanning with FortiSandbox disabled. What is the most likely reason for missed detections?
9. Refer to the exhibit. A user reports that accessing a legitimate HTTPS website is blocked. The FortiGate logs show that the connection was denied by the antivirus profile. What is the most likely cause?
10. A large enterprise uses FortiGate as their perimeter firewall with ATP features enabled. They have a mix of internal users and remote VPN users. Recently, several remote users reported that their machines became infected with ransomware after connecting to the VPN. The IT team suspects that the ransomware entered through the VPN tunnel. The FortiGate has an antivirus profile applied to the VPN policy with SSL inspection enabled for all traffic. However, the logs show that no malware was detected. Upon investigation, the team finds that the remote users' machines are not managed by the company and do not have any endpoint protection. The ransomware was delivered via a spear-phishing email that the users opened on their remote machines. The email traffic passed through the VPN tunnel to the corporate mail server first, then back to the user. The FortiGate antivirus profile is configured to scan SMTP traffic but the email was sent from an external source to the corporate mail server, and the mail server uses STARTTLS to receive emails. The FortiGate does not perform SSL inspection on the SMTP traffic because the SMTP service is not included in the SSL inspection profile. What action should the administrator take to prevent this in the future?
11. Drag and drop the steps to configure OSPF on a FortiGate firewall into the correct order.
12. Match each FortiGate security profile to its category.
13. A network admin configures FortiGate to submit files to FortiSandbox for analysis. After submission, the FortiGate logs show that files are being sent but no verdict is returned. The FortiSandbox is reachable and licensed. What is the most likely cause?
14. An organization wants to protect against unknown malware by using machine learning on FortiGate. Which antivirus setting should be enabled to achieve this?
15. A FortiGate administrator wants to block a custom protocol anomaly where a client sends an HTTP request with a malformed header containing a null byte. Which advanced IPS feature should be used?
16. What is the primary purpose of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus features?
17. An organization uses FortiMail and wants to validate that incoming emails are from legitimate senders by checking the sender's domain against a published policy. Which two email authentication mechanisms can FortiMail use? (Choose two.)
18. A FortiGate admin runs 'diagnose ips anomaly list' and sees many 'tcp_src_session' events from a single internal IP. The admin suspects a scanning attack. What action should be taken to block this traffic without affecting legitimate traffic?
19. What is the primary function of FortiDeceptor in a network security architecture?
20. An administrator configures an automation stitch on FortiGate to automatically block an IP address when a specific IPS signature triggers. What must be configured as the trigger and action?
21. You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?
22. A company uses FortiWeb as a reverse proxy for their web application. They want to protect against SQL injection attacks. Which FortiWeb feature should be configured?
23. What is the role of FortiGuard Outbreak Prevention in FortiGate's security suite?
24. An organization deploys FortiEDR to protect endpoints. Which component is responsible for collecting and sending telemetry data to the FortiEDR management console?
25. Which TWO of the following are required for FortiGate to successfully obtain file verdicts from FortiSandbox? (Choose two.)
26. A security administrator wants to implement automated threat response using FortiGate automation stitches. Which THREE components are mandatory when creating an automation stitch? (Choose three.)
27. Which TWO email authentication mechanisms does FortiMail support to verify sender identity and reduce spoofing? (Choose two.)
28. A FortiGate administrator configures an antivirus profile with the machine learning engine enabled and applies it to a policy inspecting HTTP traffic. After deployment, the admin notices that some files are being allowed that should have been detected. What is the MOST likely cause?
29. An administrator runs the following CLI output: 'diagnose sys session filter dport 443' and sees 'proto=6 proto_state=01 duration=3600 expire=3599'. Which statement BEST describes the session?
30. A company wants to protect its internal users from malicious files attached to emails. Which FortiGate feature should be configured to inspect SMTP traffic for malware?
31. An administrator configures a FortiGate to integrate with FortiSandbox for inline scanning. The policy has an antivirus profile with FortiSandbox enabled. What condition must be met for files to be submitted to FortiSandbox?
32. A FortiGate admin sees the following log: 'Action=blocked, Service=HTTP, Application=Outbreak, File=invoice.doc, ThreatScore=95'. What is the MOST likely explanation for this block?
33. Which FortiGate security feature can reconstruct files to remove potentially malicious content while preserving the file's usability?
34. An administrator needs to deploy a honeypot solution to detect and deceive attackers inside the network. Which Fortinet product is BEST suited for this purpose?
35. A FortiGate administrator configures a custom IPS signature with the pattern 'attack' in the HTTP request URI. After applying the signature, no alerts are generated even though the traffic matches. What is the MOST likely cause?
36. Which technology uses DMARC reports to help administrators identify unauthorized use of their email domain?
37. An administrator wants to create an automation stitch that sends a webhook notification when an IPS attack is detected. Which trigger and action should be used?
38. A FortiGate is configured with a WAF profile to protect a web server. The administrator notices that SQL injection attacks are still reaching the server despite the WAF being enabled. What is the MOST likely reason?
39. An administrator runs 'diagnose ips anomaly http' and sees many entries with 'type=SQLi' and 'score=0'. What does a score of 0 indicate?
40. An administrator wants to configure FortiGate to automatically block a source IP when a high-severity IPS event is detected. Which TWO components must be configured? (Choose two.)
41. A FortiGate administrator is troubleshooting why files are not being submitted to FortiSandbox for analysis. Which THREE conditions must be met for file submission to work? (Choose three.)
42. An organization wants to implement email authentication to prevent spoofing. Which TWO standards should they configure? (Choose two.)
43. A FortiGate administrator notices that files submitted to FortiSandbox are receiving verdicts but the firewall is not automatically blocking the detected malware. The FortiSandbox integration is configured under Security Fabric > External Connectors. What additional configuration is required to enforce blocking based on FortiSandbox verdicts?
44. Which FortiClient ATP feature provides protection against zero-day malware by monitoring process behavior and blocking suspicious activities at the endpoint?
45. A security administrator wants to block email spoofing attacks against their organization's domain. They configure SPF, DKIM, and DMARC records. Which protocol authenticates the domain of the email sender by verifying the email's signature against a public key published in DNS?
46. You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?
47. An organization wants to deploy a web application firewall (WAF) to protect a public-facing web application. They are evaluating FortiGate versus FortiWeb. Which of the following is a key advantage of using FortiWeb over FortiGate for WAF functionality?
48. A FortiGate administrator wants to implement Content Disarm and Reconstruction (CDR) for email attachments. Which security profile must be configured to enable CDR?
49. During a security incident, the SOC team receives an alert from FortiSIEM about a user accessing a known malicious IP. The team wants to automatically block the IP on the FortiGate. Which FortiGate feature can be used to create an automated response based on a threat intelligence feed?
50. Which Fortinet product is designed specifically to detect and deceive attackers by creating decoy systems and luring them away from real assets?
51. An administrator wants to configure FortiGate to use the machine learning engine for advanced antivirus detection. Which setting must be enabled in the antivirus profile?
52. A network administrator is troubleshooting a FortiGate IPS sensor that is not generating alerts for a custom signature they created. The custom signature uses the pattern 'malicious'. The signature is enabled and applied to a firewall policy. What is the MOST likely cause of the issue?
53. Which FortiMail advanced feature allows the administrator to rewrite URLs in email bodies to redirect users to a safe scanning service when they click on a link?
54. What is the primary purpose of FortiGuard Outbreak Prevention service?
55. An administrator is configuring FortiGate automation stitches to respond to a detected brute-force attack against an internal web server. The trigger is set to 'Event' with a condition matching repeated failed login attempts. Which TWO actions are appropriate to mitigate the attack? (Choose two.)
56. A security engineer wants to implement advanced threat protection for email using FortiMail. Which THREE features should be enabled to provide comprehensive protection against sophisticated email threats? (Choose three.)
57. An administrator is investigating a security incident where a workstation is communicating with a known command and control (C2) server. The FortiGate has IPS enabled but did not block the traffic. Which TWO configuration issues could explain why the IPS did not detect the C2 communication? (Choose two.)
58. An administrator configures FortiSandbox inline scanning for HTTP traffic. They notice that files uploaded via HTTP are being scanned but no verdict is being returned, causing delays. What is the MOST likely cause?
59. A network administrator wants to block known malicious IP addresses using threat intelligence feeds on FortiGate. Which feature should they use?
60. An administrator runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?
61. A company is deploying FortiClient ATP to protect endpoints. They want to block ransomware behavior in real time. Which FortiClient feature should be enabled?
62. An administrator configures FortiSandbox to quarantine files that are rated 'malicious'. They notice that some files are being quarantined even though the verdict is 'clean'. What could explain this?
63. Which FortiGate feature can automatically block traffic from an IP address that is detected as malicious by FortiSandbox?
64. A FortiGate administrator configures an antivirus profile with Machine Learning (ML) engine enabled. The ML engine is not detecting any threats, even though new unknown malware is present. What is the MOST likely reason?
65. An organization wants to prevent zero-day attacks by using Content Disarm and Reconstruction (CDR) on email attachments. Which Fortinet product provides this capability?
66. An administrator configures a WAF profile on FortiGate to protect a web application. They notice that SQL injection attacks are not being blocked. What is the MOST likely reason?
67. An administrator wants to detect lateral movement and early stages of an attack using decoy systems that mimic production assets. Which Fortinet product should they deploy?
68. Which Fortinet product provides endpoint detection and response (EDR) capabilities, including automated threat containment?
69. An administrator configures email authentication (SPF, DKIM, DMARC) on FortiMail. They find that legitimate emails are being marked as spam by FortiMail. The SPF check passes but DKIM fails. What could be the issue?
70. An administrator needs to enable automation stitches to automatically block a malicious IP address detected by FortiSandbox. Which two components are required? (Choose two.)
71. An administrator is configuring FortiMail to improve email security. Which three of the following features are part of FortiMail's advanced threat protection? (Choose three.)
72. A FortiGate administrator wants to detect and block protocol anomalies as part of advanced IPS. Which three options are available in FortiGate's custom IPS signatures? (Choose three.)
73. A network administrator has configured FortiGate to send files to FortiSandbox for analysis. However, files are not being submitted. The administrator checks the FortiGate configuration and sees that the FortiSandbox server IP is correctly entered. What is the most likely cause of the issue?
74. An administrator wants to prevent users from downloading known malicious files from the internet. The administrator has enabled FortiGuard Outbreak Prevention and applied an antivirus profile to the outbound policy. However, some malicious files are still reaching users. What configuration step is most likely missing?
75. A security analyst is investigating a phishing email that bypassed email security. The email's headers show SPF=pass, DKIM=pass, but DMARC=quarantine. The email was delivered to the inbox. What is the most likely reason DMARC did not block or quarantine the email?
76. What is the primary function of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus profile?
77. An administrator wants to create an automation stitch that automatically blocks an IP address when a high-severity IPS alert is triggered. The administrator creates a trigger for 'IPS event' and an action of 'Add to Blocked IPs'. However, the action fails to execute. Which of the following is the most likely cause?
78. A FortiGate administrator notices that traffic classified as 'unknown' by the antivirus is being allowed. The administrator wants to ensure that such files are submitted to FortiSandbox for analysis and blocked until a verdict is received. Which configuration is required?
79. A company uses FortiGate as a web application firewall (WAF) to protect a public web server. The security team wants to block SQL injection attacks. Which WAF signature category should the administrator enable?
80. What is the purpose of FortiDeceptor in an enterprise security architecture?
81. An administrator wants to use FortiGate to automatically block traffic if FortiEDR detects a threat on an endpoint. Which feature should the administrator configure?
82. A FortiGate administrator receives a report that a user downloaded a malicious PDF file. The antivirus profile has machine learning engine enabled, CDR enabled, and FortiSandbox integration. However, the file was allowed. The log shows: 'file=malicious.pdf, action=allow, ml_score=85, cd_result=clean, sandbox=not_submitted'. What is the most likely reason the file was not submitted to FortiSandbox?
83. What is the primary benefit of using FortiClient with ATP features in conjunction with FortiGate?
84. An administrator needs to create a custom IPS signature to detect a specific exploit that sends a unique string 'EXPLOIT_2024' in the HTTP User-Agent header. Which IPS signature syntax should the administrator use?
85. A company receives a threat intelligence feed that lists several IP addresses as malicious. The administrator wants to automatically block traffic from these IPs on FortiGate. Which TWO methods can achieve this? (Choose two.)
86. A security team is configuring FortiMail for email security. They want to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC, and that emails failing authentication are quarantined. Which THREE settings must be configured in FortiMail? (Choose three.)
87. An administrator is troubleshooting why a custom IPS signature for protocol anomaly detection is not triggering. The signature is designed to detect abnormal DNS query lengths. Which TWO steps should the administrator take to verify the signature is working? (Choose two.)
88. A network admin notices that files submitted to FortiSandbox from FortiGate are not being analyzed. The FortiGate has a valid FortiSandbox license and the device is reachable. What configuration step is most likely missing?
89. An organization wants to prevent users from downloading malicious files from the internet. Which FortiGate security profile should be applied to the outbound firewall policy to block files based on their hash if they have been identified as malicious by FortiSandbox?
90. A FortiGate admin runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?
91. A security admin notices that FortiClient ATP is not blocking threats on a managed endpoint. The FortiClient is registered with FortiGate and the ATP feature is enabled in the FortiClient profile. What is the most likely cause?
92. An organization wants to protect against zero-day malware by using FortiGate's outbreak prevention feature. Which configuration is required to enable outbreak prevention in the antivirus profile?
93. An admin configures Content Disarm and Reconstruction (CDR) on FortiGate to protect against malicious macros in Office documents. After applying the CDR profile to a firewall policy, users complain that documents are not being delivered. What is the most likely cause?
94. Which FortiGate IPS feature allows administrators to create rules that detect network traffic patterns deviating from normal protocol behavior?
95. An admin wants to create a custom IPS signature to detect a specific exploit that sends a string 'EXPLOIT' in the HTTP Host header. Which signature syntax is correct?
96. A company uses FortiWeb to protect its web application. They want to block SQL injection attempts. Which FortiWeb feature should be configured to inspect HTTP requests for malicious SQL patterns?
97. An organization uses FortiGate's WAF feature (not FortiWeb) to protect a web server. The admin configures an inline WAF profile but notices that the WAF is not inspecting traffic. What is the most likely cause?
98. What does FortiGuard Outbreak Prevention use to protect against newly discovered malware outbreaks before traditional signatures are available?
99. An admin receives an email from FortiMail regarding a message that was rejected due to SPF failure. What does this indicate about the email?
100. A security analyst wants to use automation stitches on FortiGate to automatically block IP addresses that trigger an IPS signature for 'SSH Brute Force'. Which two components are required to create this automation stitch? (Choose two.)
101. An organization wants to implement multiple layers of defense against advanced persistent threats. Which three Fortinet solutions would be most effective in an ATP strategy? (Choose three.)
102. A network admin is troubleshooting why FortiGate's antivirus is not detecting a known malware sample. The sample is detected by other scanners. Which two checks should the admin perform? (Choose two.)
103. An administrator wants to block a zero-day malware outbreak detected by FortiGuard. Which feature should be configured to automatically block the threat across all enabled FortiGate devices?
104. A FortiGate admin configures an automation stitch to send an email alert when a high-severity IPS event occurs. The trigger is 'IPS Event' and the action is 'Email'. After testing, no email is sent despite events being logged. What is the most likely cause?
105. When configuring FortiGate with FortiSandbox integration, an administrator wants to block files that are rated 'High Risk' by the sandbox. Which setting must be enabled in the antivirus profile to automatically quarantine these files?
106. An administrator sees the following log entry: 'id=13593 msg="CDR: File attachment sanitized"' Which feature generated this log?
107. Which Fortinet product is specifically designed to deploy decoys and lures to detect lateral movement and early-stage attacks inside the network?
108. A company uses FortiMail and wants to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC. Which profile should the administrator configure to enforce these checks?
109. A FortiGate administrator runs the following CLI command: 'diagnose ips anomaly log' The output shows numerous 'tcp_syn_flood' events from a single source IP. To mitigate this, the administrator wants to block the source IP automatically. Which feature should be used?
110. Which Fortinet solution collects and correlates security events from multiple sources to provide a unified view of threats across the network?
111. A network admin wants to use FortiClient's advanced threat protection features to detect ransomware behavior on endpoints. Which FortiClient feature should be enabled?
112. Which feature on FortiGate uses machine learning to detect never-before-seen malware based on file characteristics?
113. An administrator configures a WAF profile on FortiGate to protect a web application. However, the administrator notices that SQL injection attacks are not being blocked. What should the administrator check first?
114. A FortiGate is configured to submit files to FortiSandbox. The administrator notices that files are being submitted but no verdicts are returned. Which two conditions could cause this?
115. An organization uses FortiWeb to protect its web applications. The security team wants to block requests that contain a specific custom pattern in the URL. Which feature should be used?
116. Which FortiGate security feature removes potentially malicious active content from files (e.g., macros, scripts) before delivering them to end users?
117. An administrator wants to integrate FortiGate with an external threat intelligence feed to block known malicious IP addresses automatically. Which object should be used to consume the feed?
118. A FortiGate administrator is troubleshooting why a custom IPS signature is not triggering on traffic matching the pattern. Which TWO checks should be performed?
119. A company wants to use FortiMail to implement email authentication to prevent spoofing. Which THREE mechanisms should be configured in FortiMail's Authentication Profile?
120. An administrator wants to create an automation stitch that responds to a high-severity IPS event by blocking the attacker IP. Which THREE components are required to build this automation stitch?
121. A network admin notices that files submitted to FortiSandbox are not being analyzed. The FortiGate is configured to send files to FortiSandbox. What is the MOST likely cause?
122. An admin wants to block malicious files detected by FortiSandbox at the FortiGate level. Which configuration is required on the FortiGate to automatically block files based on FortiSandbox verdict?
123. Which FortiClient feature is specifically designed to prevent the execution of unknown malware by analyzing behavior in real-time?
124. A company uses an advanced antivirus profile with machine learning engine enabled. After a recent outbreak, several files that were previously undetected are now flagged. How does the outbreak prevention feature help in this situation?
125. An admin wants to ensure that office documents (e.g., Word, Excel) downloaded from the internet are safe before users open them. Which feature should be used to remove potentially malicious macros and active content?
126. An IPS administrator wants to detect a new custom attack that sends malformed HTTP headers. The attack pattern is a specific sequence of bytes that is not covered by existing signatures. What is the BEST way to detect this attack on FortiGate?
127. A FortiGate is configured with an IPS sensor that has protocol anomaly detection enabled. The admin notices that legitimate VoIP traffic (SIP) is being blocked. Which action should the admin take to reduce false positives?
128. An organization wants to protect a public-facing web application against SQL injection and cross-site scripting (XSS) attacks. They have a FortiGate and a FortiWeb. What is the BEST deployment approach?
129. An email security administrator wants to prevent attackers from spoofing the company's domain. Which email authentication mechanism should be configured to allow receiving servers to verify that emails claiming to be from the domain are sent from authorized mail servers?
130. A company uses FortiMail to protect email. They set up DMARC with a policy of 'quarantine' for emails failing SPF and DKIM checks. However, legitimate emails from a third-party service are being quarantined. What should the admin do?
131. Which Fortinet product is designed to deploy decoy systems to lure attackers and detect lateral movement within the network?
132. An organization wants to implement a solution that can detect and automatically respond to threats across multiple Fortinet security products. Which product should they use?
133. A security analyst wants to use automation stitches on FortiGate to automatically block an IP address when a critical severity event is logged. Which TWO components are essential to create this automation stitch? (Choose two.)
134. An organization is deploying FortiEDR to enhance endpoint protection. Which THREE capabilities does FortiEDR provide? (Choose three.)
135. A FortiGate administrator wants to use threat intelligence feeds to block known malicious IP addresses. Which TWO steps are required to accomplish this? (Choose two.)
136. A network administrator wants to ensure that files downloaded from the internet are analyzed by FortiSandbox before being delivered to the client. The FortiGate is configured with a FortiSandbox connection and an antivirus profile. Which setting must be enabled in the antivirus profile to submit files to FortiSandbox?
137. What is the primary purpose of Content Disarm and Reconstruction (CDR) in advanced antivirus protection?
138. An administrator configures a custom IPS signature to detect traffic to a specific malicious domain. Which syntax is correct for a custom IPS signature in FortiGate?
139. A company uses FortiMail for email security. They want to prevent email spoofing by verifying that incoming emails originate from authorized servers. Which email authentication method should be configured on FortiMail to check the sending server's IP against a published SPF record?
140. A security analyst notices repeated failed login attempts from a specific IP address to the FortiGate management interface. The administrator wants to automatically blacklist the IP after 3 failed attempts within 60 seconds. Which feature should be configured?
141. An administrator configures an automation stitch to respond to a high severity event. The trigger is 'event' and the action is 'CLI script'. What must be defined for the action to execute properly?
142. Which of the following best describes the function of FortiDeceptor in an enterprise network?
143. A FortiGate is configured with an antivirus profile that has the machine learning engine enabled. An administrator notices that some files are being detected by the ML engine but the verdict is 'probably clean'. What does this verdict indicate?
144. What is the primary difference between using a Web Application Firewall (WAF) on FortiGate versus using FortiWeb?
145. An administrator wants to automatically block a file that FortiSandbox has determined to be malicious. The FortiGate is configured with an antivirus profile that includes FortiSandbox submission. Which verdict action should be set to 'block' in the antivirus profile to achieve this?
146. A FortiGate administrator runs 'diagnose ips anomaly list' and sees many entries with 'protocol anomaly - tcp_port_scan'. The administrator wants to reduce false positives. Which action should be taken in the IPS sensor configuration?
147. A company wants to receive threat intelligence feeds from external sources to enhance their FortiGate's protection. Which method should be used to integrate external threat feeds into FortiGate?
148. An administrator needs to configure advanced email security on FortiMail to protect against phishing and spoofing. Which THREE features should be enabled to achieve comprehensive email authentication?
149. A FortiGate administrator wants to use automation stitches to respond to a detected threat. The trigger is 'event' and the action is to quarantine the source IP. Which TWO actions can be used in FortiGate automation stitches to achieve IP quarantine?
150. A company has deployed FortiClient with advanced threat protection (ATP) features. Which TWO capabilities does FortiClient ATP provide beyond basic antivirus?
151. A network administrator notices that FortiGate is not blocking a known malicious file that was submitted to FortiSandbox and received a 'malicious' verdict. The firewall policy includes a FortiSandbox inline scan profile. What is the MOST likely cause?
152. An administrator runs 'diagnose ips anomaly list' and sees many 'data_leak' events from a specific internal IP address. The IPS sensor has the default pre-defined signatures enabled. What additional step should the administrator take to block this specific anomaly?
153. A FortiGate administrator wants to ensure that files in email attachments are disarmed before delivery. Which security feature should be configured in the antivirus profile?
154. An administrator is configuring a firewall policy for web traffic to a critical web application. They want to protect against SQL injection and cross-site scripting. Which security profile should they apply?
155. You receive an alert from FortiSandbox that a file has been rated 'highly malicious'. The FortiGate has the FortiSandbox inline scanning enabled with the action 'block malicious'. However, the file is still being downloaded by users. What is the most likely reason?
156. An administrator is deploying FortiClient with ATP features. They want to ensure that if a process is detected as malicious by the FortiClient machine learning engine, the endpoint is isolated from the network. Which configuration should they use?
157. An administrator wants to secure email traffic by ensuring that incoming emails are verified against the sender's domain SPF record. Which email authentication method provides this verification?
158. A FortiGate administrator is troubleshooting an issue where a legitimate application is being blocked by the IPS. The administrator wants to ensure the application works while maintaining protection for other traffic. What is the best action?
159. An administrator configured FortiGate to forward suspected malicious files to FortiSandbox. They set the action to 'block' for malicious verdicts. Some files are being blocked, but others with a 'clean' verdict are allowed. However, they notice that some files that should have been sent to FortiSandbox are not being forwarded. Which reason is MOST likely?
160. Which feature in FortiMail provides an additional layer of protection by analyzing the behavior of email attachments in a sandbox environment?
161. An administrator is configuring FortiDeceptor to detect threats within the network. Which TWO statements about FortiDeceptor are correct?
162. An administrator is configuring automation stitches to respond to a detected ransomware outbreak. Which THREE components are essential for an automation stitch?
163. An administrator wants to protect against zero-day malware that has not yet been discovered by signature-based detection. Which TWO technologies can help mitigate such threats?
164. An administrator is configuring FortiMail to be more secure against advanced email threats. Which THREE features should they enable to protect against email-based phishing attacks?
165. An administrator is investigating an alert from FortiEDR indicating a suspicious process on an endpoint. The administrator wants to gather more context. Which TWO sources can provide threat intelligence to enrich the investigation?
166. A security administrator is configuring FortiSandbox integration to automatically block malicious files detected in email attachments. Which TWO actions are required to achieve this integration?
167A network security team is evaluating options for web application security. They need to protect a critical web application from SQL injection and cross-site scripting (XSS) attacks, and they require granular control over HTTP request parameters. Which THREE factors should influence their decision between using FortiGate's WAF profiles versus deploying a dedicated FortiWeb appliance?
168An organization wants to implement email authentication to prevent spoofing and phishing attacks. They use FortiMail as their email security gateway. Which THREE mechanisms should they configure to achieve comprehensive email authentication?
169An administrator is configuring FortiGate automation stitches to respond to a detected ransomware outbreak. The trigger is a high severity event from FortiSandbox. Which TWO actions can be used in an automation stitch to contain the threat?
The Advanced Threat Protection domain covers the key concepts tested in this area of the NSE7 exam blueprint published by Fortinet. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all NSE7 domains — no account required.
The Courseiva NSE7 question bank contains 169 questions in the Advanced Threat Protection domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Advanced Threat Protection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.