© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


Advanced Threat Protection

Practice NSE7 Advanced Threat Protection questions with full explanations on every answer.

All NSE7 Advanced Threat Protection questions (169)


1

A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?

2

A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?

3

A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?

4

A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?

5

A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?

6

Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?

7

Which THREE actions should be taken to optimize FortiGate ATP performance while maintaining security?

8

Refer to the exhibit. An administrator notices that some malware files are not being detected by FortiGate. The antivirus profile uses flow-based scanning with FortiSandbox disabled. What is the most likely reason for missed detections?

9

Refer to the exhibit. A user reports that accessing a legitimate HTTPS website is blocked. The FortiGate logs show that the connection was denied by the antivirus profile. What is the most likely cause?

10

A large enterprise uses FortiGate as their perimeter firewall with ATP features enabled. They have a mix of internal users and remote VPN users. Recently, several remote users reported that their machines became infected with ransomware after connecting to the VPN. The IT team suspects that the ransomware entered through the VPN tunnel. The FortiGate has an antivirus profile applied to the VPN policy with SSL inspection enabled for all traffic. However, the logs show that no malware was detected. Upon investigation, the team finds that the remote users' machines are not managed by the company and do not have any endpoint protection. The ransomware was delivered via a spear-phishing email that the users opened on their remote machines. The email traffic passed through the VPN tunnel to the corporate mail server first, then back to the user. The FortiGate antivirus profile is configured to scan SMTP traffic but the email was sent from an external source to the corporate mail server, and the mail server uses STARTTLS to receive emails. The FortiGate does not perform SSL inspection on the SMTP traffic because the SMTP service is not included in the SSL inspection profile. What action should the administrator take to prevent this in the future?

11

Drag and drop the steps to configure OSPF on a FortiGate firewall into the correct order.

12

Match each FortiGate security profile to its category.

13

A network admin configures FortiGate to submit files to FortiSandbox for analysis. After submission, the FortiGate logs show that files are being sent but no verdict is returned. The FortiSandbox is reachable and licensed. What is the most likely cause?

14

An organization wants to protect against unknown malware by using machine learning on FortiGate. Which antivirus setting should be enabled to achieve this?

15

A FortiGate administrator wants to block a custom protocol anomaly where a client sends an HTTP request with a malformed header containing a null byte. Which advanced IPS feature should be used?

16

What is the primary purpose of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus features?

17

An organization uses FortiMail and wants to validate that incoming emails are from legitimate senders by checking the sender's domain against a published policy. Which two email authentication mechanisms can FortiMail use? (Choose two.)

18

A FortiGate admin runs 'diagnose ips anomaly list' and sees many 'tcp_src_session' events from a single internal IP. The admin suspects a scanning attack. What action should be taken to block this traffic without affecting legitimate traffic?

19

What is the primary function of FortiDeceptor in a network security architecture?

20

An administrator configures an automation stitch on FortiGate to automatically block an IP address when a specific IPS signature triggers. What must be configured as the trigger and action?

21

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

22

A company uses FortiWeb as a reverse proxy for their web application. They want to protect against SQL injection attacks. Which FortiWeb feature should be configured?

23

What is the role of FortiGuard Outbreak Prevention in FortiGate's security suite?

24

An organization deploys FortiEDR to protect endpoints. Which component is responsible for collecting and sending telemetry data to the FortiEDR management console?

25

Which TWO of the following are required for FortiGate to successfully obtain file verdicts from FortiSandbox? (Choose two.)

26

A security administrator wants to implement automated threat response using FortiGate automation stitches. Which THREE components are mandatory when creating an automation stitch? (Choose three.)

27

Which TWO email authentication mechanisms does FortiMail support to verify sender identity and reduce spoofing? (Choose two.)

28

A FortiGate administrator configures an antivirus profile with the machine learning engine enabled and applies it to a policy inspecting HTTP traffic. After deployment, the admin notices that some files are being allowed that should have been detected. What is the MOST likely cause?

29

An administrator runs the following CLI output: 'diagnose sys session filter dport 443' and sees 'proto=6 proto_state=01 duration=3600 expire=3599'. Which statement BEST describes the session?

30

A company wants to protect its internal users from malicious files attached to emails. Which FortiGate feature should be configured to inspect SMTP traffic for malware?

31

An administrator configures a FortiGate to integrate with FortiSandbox for inline scanning. The policy has an antivirus profile with FortiSandbox enabled. What condition must be met for files to be submitted to FortiSandbox?

32

A FortiGate admin sees the following log: 'Action=blocked, Service=HTTP, Application=Outbreak, File=invoice.doc, ThreatScore=95'. What is the MOST likely explanation for this block?

33

Which FortiGate security feature can reconstruct files to remove potentially malicious content while preserving the file's usability?

34

An administrator needs to deploy a honeypot solution to detect and deceive attackers inside the network. Which Fortinet product is BEST suited for this purpose?

35

A FortiGate administrator configures a custom IPS signature with the pattern 'attack' in the HTTP request URI. After applying the signature, no alerts are generated even though the traffic matches. What is the MOST likely cause?

36

Which technology uses DMARC reports to help administrators identify unauthorized use of their email domain?

37

An administrator wants to create an automation stitch that sends a webhook notification when an IPS attack is detected. Which trigger and action should be used?

38

A FortiGate is configured with a WAF profile to protect a web server. The administrator notices that SQL injection attacks are still reaching the server despite the WAF being enabled. What is the MOST likely reason?

39

An administrator runs 'diagnose ips anomaly http' and sees many entries with 'type=SQLi' and 'score=0'. What does a score of 0 indicate?

40

An administrator wants to configure FortiGate to automatically block a source IP when a high-severity IPS event is detected. Which TWO components must be configured? (Choose two.)

41

A FortiGate administrator is troubleshooting why files are not being submitted to FortiSandbox for analysis. Which THREE conditions must be met for file submission to work? (Choose three.)

42

An organization wants to implement email authentication to prevent spoofing. Which TWO standards should they configure? (Choose two.)

43

A FortiGate administrator notices that files submitted to FortiSandbox are receiving verdicts but the firewall is not automatically blocking the detected malware. The FortiSandbox integration is configured under Security Fabric > External Connectors. What additional configuration is required to enforce blocking based on FortiSandbox verdicts?

44

Which FortiClient ATP feature provides protection against zero-day malware by monitoring process behavior and blocking suspicious activities at the endpoint?

45

A security administrator wants to block email spoofing attacks against their organization's domain. They configure SPF, DKIM, and DMARC records. Which protocol authenticates the domain of the email sender by verifying the email's signature against a public key published in DNS?

46

You run 'diagnose sys session filter dport 443' and see the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

47

An organization wants to deploy a web application firewall (WAF) to protect a public-facing web application. They are evaluating FortiGate versus FortiWeb. Which of the following is a key advantage of using FortiWeb over FortiGate for WAF functionality?

48

A FortiGate administrator wants to implement Content Disarm and Reconstruction (CDR) for email attachments. Which security profile must be configured to enable CDR?

49

During a security incident, the SOC team receives an alert from FortiSIEM about a user accessing a known malicious IP. The team wants to automatically block the IP on the FortiGate. Which FortiGate feature can be used to create an automated response based on a threat intelligence feed?

50

Which Fortinet product is designed specifically to detect and deceive attackers by creating decoy systems and luring them away from real assets?

51

An administrator wants to configure FortiGate to use the machine learning engine for advanced antivirus detection. Which setting must be enabled in the antivirus profile?

52

A network administrator is troubleshooting a FortiGate IPS sensor that is not generating alerts for a custom signature they created. The custom signature uses the pattern 'malicious'. The signature is enabled and applied to a firewall policy. What is the MOST likely cause of the issue?

53

Which FortiMail advanced feature allows the administrator to rewrite URLs in email bodies to redirect users to a safe scanning service when they click on a link?

54

What is the primary purpose of FortiGuard Outbreak Prevention service?

55

An administrator is configuring FortiGate automation stitches to respond to a detected brute-force attack against an internal web server. The trigger is set to 'Event' with a condition matching repeated failed login attempts. Which TWO actions are appropriate to mitigate the attack? (Choose two.)

56

A security engineer wants to implement advanced threat protection for email using FortiMail. Which THREE features should be enabled to provide comprehensive protection against sophisticated email threats? (Choose three.)

57

An administrator is investigating a security incident where a workstation is communicating with a known command and control (C2) server. The FortiGate has IPS enabled but did not block the traffic. Which TWO configuration issues could explain why the IPS did not detect the C2 communication? (Choose two.)

58

An administrator configures FortiSandbox inline scanning for HTTP traffic. They notice that files uploaded via HTTP are being scanned but no verdict is being returned, causing delays. What is the MOST likely cause?

59

A network administrator wants to block known malicious IP addresses using threat intelligence feeds on FortiGate. Which feature should they use?

60

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

61

A company is deploying FortiClient ATP to protect endpoints. They want to block ransomware behavior in real time. Which FortiClient feature should be enabled?

62

An administrator configures FortiSandbox to quarantine files that are rated 'malicious'. They notice that some files are being quarantined even though the verdict is 'clean'. What could explain this?

63

Which FortiGate feature can automatically block traffic from an IP address that is detected as malicious by FortiSandbox?

64

A FortiGate administrator configures an antivirus profile with Machine Learning (ML) engine enabled. The ML engine is not detecting any threats, even though new unknown malware is present. What is the MOST likely reason?

65

An organization wants to prevent zero-day attacks by using Content Disarm and Reconstruction (CDR) on email attachments. Which Fortinet product provides this capability?

66

An administrator configures a WAF profile on FortiGate to protect a web application. They notice that SQL injection attacks are not being blocked. What is the MOST likely reason?

67

An administrator wants to detect lateral movement and early stages of an attack using decoy systems that mimic production assets. Which Fortinet product should they deploy?

68

Which Fortinet product provides endpoint detection and response (EDR) capabilities, including automated threat containment?

69

An administrator configures email authentication (SPF, DKIM, DMARC) on FortiMail. They find that legitimate emails are being marked as spam by FortiMail. The SPF check passes but DKIM fails. What could be the issue?

70

An administrator needs to enable automation stitches to automatically block a malicious IP address detected by FortiSandbox. Which two components are required? (Choose two.)

71

An administrator is configuring FortiMail to improve email security. Which three of the following features are part of FortiMail's advanced threat protection? (Choose three.)

72

A FortiGate administrator wants to detect and block protocol anomalies as part of advanced IPS. Which three options are available in FortiGate's custom IPS signatures? (Choose three.)

73

A network administrator has configured FortiGate to send files to FortiSandbox for analysis. However, files are not being submitted. The administrator checks the FortiGate configuration and sees that the FortiSandbox server IP is correctly entered. What is the most likely cause of the issue?

74

An administrator wants to prevent users from downloading known malicious files from the internet. The administrator has enabled FortiGuard Outbreak Prevention and applied an antivirus profile to the outbound policy. However, some malicious files are still reaching users. What configuration step is most likely missing?

75

A security analyst is investigating a phishing email that bypassed email security. The email's headers show SPF=pass, DKIM=pass, but DMARC=quarantine. The email was delivered to the inbox. What is the most likely reason DMARC did not block or quarantine the email?

76

What is the primary function of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus profile?

77

An administrator wants to create an automation stitch that automatically blocks an IP address when a high-severity IPS alert is triggered. The administrator creates a trigger for 'IPS event' and an action of 'Add to Blocked IPs'. However, the action fails to execute. Which of the following is the most likely cause?

78

A FortiGate administrator notices that traffic classified as 'unknown' by the antivirus is being allowed. The administrator wants to ensure that such files are submitted to FortiSandbox for analysis and blocked until a verdict is received. Which configuration is required?

79

A company uses FortiGate as a web application firewall (WAF) to protect a public web server. The security team wants to block SQL injection attacks. Which WAF signature category should the administrator enable?

80

What is the purpose of FortiDeceptor in an enterprise security architecture?

81

An administrator wants to use FortiGate to automatically block traffic if FortiEDR detects a threat on an endpoint. Which feature should the administrator configure?

82

A FortiGate administrator receives a report that a user downloaded a malicious PDF file. The antivirus profile has machine learning engine enabled, CDR enabled, and FortiSandbox integration. However, the file was allowed. The log shows: 'file=malicious.pdf, action=allow, ml_score=85, cd_result=clean, sandbox=not_submitted'. What is the most likely reason the file was not submitted to FortiSandbox?

83

What is the primary benefit of using FortiClient with ATP features in conjunction with FortiGate?

84

An administrator needs to create a custom IPS signature to detect a specific exploit that sends a unique string 'EXPLOIT_2024' in the HTTP User-Agent header. Which IPS signature syntax should the administrator use?

85

A company receives a threat intelligence feed that lists several IP addresses as malicious. The administrator wants to automatically block traffic from these IPs on FortiGate. Which TWO methods can achieve this? (Choose two.)

86

A security team is configuring FortiMail for email security. They want to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC, and that emails failing authentication are quarantined. Which THREE settings must be configured in FortiMail? (Choose three.)

87

An administrator is troubleshooting why a custom IPS signature for protocol anomaly detection is not triggering. The signature is designed to detect abnormal DNS query lengths. Which TWO steps should the administrator take to verify the signature is working? (Choose two.)

88

A network admin notices that files submitted to FortiSandbox from FortiGate are not being analyzed. The FortiGate has a valid FortiSandbox license and the device is reachable. What configuration step is most likely missing?

89

An organization wants to prevent users from downloading malicious files from the internet. Which FortiGate security profile should be applied to the outbound firewall policy to block files based on their hash if they have been identified as malicious by FortiSandbox?

90

A FortiGate admin runs 'diagnose sys session filter dport 443' and sees the following output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

91

A security admin notices that FortiClient ATP is not blocking threats on a managed endpoint. The FortiClient is registered with FortiGate and the ATP feature is enabled in the FortiClient profile. What is the most likely cause?

92

An organization wants to protect against zero-day malware by using FortiGate's outbreak prevention feature. Which configuration is required to enable outbreak prevention in the antivirus profile?

93

An admin configures Content Disarm and Reconstruction (CDR) on FortiGate to protect against malicious macros in Office documents. After applying the CDR profile to a firewall policy, users complain that documents are not being delivered. What is the most likely cause?

94

Which FortiGate IPS feature allows administrators to create rules that detect network traffic patterns deviating from normal protocol behavior?

95

An admin wants to create a custom IPS signature to detect a specific exploit that sends a string 'EXPLOIT' in the HTTP Host header. Which signature syntax is correct?

96

A company uses FortiWeb to protect its web application. They want to block SQL injection attempts. Which FortiWeb feature should be configured to inspect HTTP requests for malicious SQL patterns?

97

An organization uses FortiGate's WAF feature (not FortiWeb) to protect a web server. The admin configures an inline WAF profile but notices that the WAF is not inspecting traffic. What is the most likely cause?

98

What does FortiGuard Outbreak Prevention use to protect against newly discovered malware outbreaks before traditional signatures are available?

99

An admin receives an email from FortiMail regarding a message that was rejected due to SPF failure. What does this indicate about the email?

100

A security analyst wants to use automation stitches on FortiGate to automatically block IP addresses that trigger an IPS signature for 'SSH Brute Force'. Which two components are required to create this automation stitch? (Choose two.)

101

An organization wants to implement multiple layers of defense against advanced persistent threats. Which three Fortinet solutions would be most effective in an ATP strategy? (Choose three.)

102

A network admin is troubleshooting why FortiGate's antivirus is not detecting a known malware sample. The sample is detected by other scanners. Which two checks should the admin perform? (Choose two.)

103

An administrator wants to block a zero-day malware outbreak detected by FortiGuard. Which feature should be configured to automatically block the threat across all enabled FortiGate devices?

104

A FortiGate admin configures an automation stitch to send an email alert when a high-severity IPS event occurs. The trigger is 'IPS Event' and the action is 'Email'. After testing, no email is sent despite events being logged. What is the most likely cause?

105

When configuring FortiGate with FortiSandbox integration, an administrator wants to block files that are rated 'High Risk' by the sandbox. Which setting must be enabled in the antivirus profile to automatically quarantine these files?

106

An administrator sees the following log entry: 'id=13593 msg="CDR: File attachment sanitized"'. Which feature generated this log?

107

Which Fortinet product is specifically designed to deploy decoys and lures to detect lateral movement and early-stage attacks inside the network?

108

A company uses FortiMail and wants to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC. Which profile should the administrator configure to enforce these checks?

109

A FortiGate administrator runs the following CLI command: 'diagnose ips anomaly log'. The output shows numerous 'tcp_syn_flood' events from a single source IP. To mitigate this, the administrator wants to block the source IP automatically. Which feature should be used?

110

Which Fortinet solution collects and correlates security events from multiple sources to provide a unified view of threats across the network?

111

A network admin wants to use FortiClient's advanced threat protection features to detect ransomware behavior on endpoints. Which FortiClient feature should be enabled?

112

Which feature on FortiGate uses machine learning to detect never-before-seen malware based on file characteristics?

113

An administrator configures a WAF profile on FortiGate to protect a web application. However, the administrator notices that SQL injection attacks are not being blocked. What should the administrator check first?

114

A FortiGate is configured to submit files to FortiSandbox. The administrator notices that files are being submitted but no verdicts are returned. Which two conditions could cause this?

115

An organization uses FortiWeb to protect its web applications. The security team wants to block requests that contain a specific custom pattern in the URL. Which feature should be used?

116

Which FortiGate security feature removes potentially malicious active content from files (e.g., macros, scripts) before delivering them to end users?

117

An administrator wants to integrate FortiGate with an external threat intelligence feed to block known malicious IP addresses automatically. Which object should be used to consume the feed?

118

A FortiGate administrator is troubleshooting why a custom IPS signature is not triggering on traffic matching the pattern. Which TWO checks should be performed?

119

A company wants to use FortiMail to implement email authentication to prevent spoofing. Which THREE mechanisms should be configured in FortiMail's Authentication Profile?

120

An administrator wants to create an automation stitch that responds to a high-severity IPS event by blocking the attacker IP. Which THREE components are required to build this automation stitch?

121

A network admin notices that files submitted to FortiSandbox are not being analyzed. The FortiGate is configured to send files to FortiSandbox. What is the MOST likely cause?

122

An admin wants to block malicious files detected by FortiSandbox at the FortiGate level. Which configuration is required on the FortiGate to automatically block files based on FortiSandbox verdict?

123

Which FortiClient feature is specifically designed to prevent the execution of unknown malware by analyzing behavior in real-time?

124

A company uses an advanced antivirus profile with machine learning engine enabled. After a recent outbreak, several files that were previously undetected are now flagged. How does the outbreak prevention feature help in this situation?

125

An admin wants to ensure that office documents (e.g., Word, Excel) downloaded from the internet are safe before users open them. Which feature should be used to remove potentially malicious macros and active content?

126

An IPS administrator wants to detect a new custom attack that sends malformed HTTP headers. The attack pattern is a specific sequence of bytes that is not covered by existing signatures. What is the BEST way to detect this attack on FortiGate?

127

A FortiGate is configured with an IPS sensor that has protocol anomaly detection enabled. The admin notices that legitimate VoIP traffic (SIP) is being blocked. Which action should the admin take to reduce false positives?

128

An organization wants to protect a public-facing web application against SQL injection and cross-site scripting (XSS) attacks. They have a FortiGate and a FortiWeb. What is the BEST deployment approach?

129

An email security administrator wants to prevent attackers from spoofing the company's domain. Which email authentication mechanism should be configured to allow receiving servers to verify that emails claiming to be from the domain are sent from authorized mail servers?

130

A company uses FortiMail to protect email. They set up DMARC with a policy of 'quarantine' for emails failing SPF and DKIM checks. However, legitimate emails from a third-party service are being quarantined. What should the admin do?

131

Which Fortinet product is designed to deploy decoy systems to lure attackers and detect lateral movement within the network?

132

An organization wants to implement a solution that can detect and automatically respond to threats across multiple Fortinet security products. Which product should they use?

133

A security analyst wants to use automation stitches on FortiGate to automatically block an IP address when a critical severity event is logged. Which TWO components are essential to create this automation stitch? (Choose two.)

134

An organization is deploying FortiEDR to enhance endpoint protection. Which THREE capabilities does FortiEDR provide? (Choose three.)

135

A FortiGate administrator wants to use threat intelligence feeds to block known malicious IP addresses. Which TWO steps are required to accomplish this? (Choose two.)

136

A network administrator wants to ensure that files downloaded from the internet are analyzed by FortiSandbox before being delivered to the client. The FortiGate is configured with a FortiSandbox connection and an antivirus profile. Which setting must be enabled in the antivirus profile to submit files to FortiSandbox?

137

What is the primary purpose of Content Disarm and Reconstruction (CDR) in advanced antivirus protection?

138

An administrator configures a custom IPS signature to detect traffic to a specific malicious domain. Which syntax is correct for a custom IPS signature in FortiGate?

139

A company uses FortiMail for email security. They want to prevent email spoofing by verifying that incoming emails originate from authorized servers. Which email authentication method should be configured on FortiMail to check the sending server's IP against a published SPF record?

140

A security analyst notices repeated failed login attempts from a specific IP address to the FortiGate management interface. The administrator wants to automatically blacklist the IP after 3 failed attempts within 60 seconds. Which feature should be configured?

141

An administrator configures an automation stitch to respond to a high severity event. The trigger is 'event' and the action is 'CLI script'. What must be defined for the action to execute properly?

142

Which of the following best describes the function of FortiDeceptor in an enterprise network?

143

A FortiGate is configured with an antivirus profile that has the machine learning engine enabled. An administrator notices that some files are being detected by the ML engine but the verdict is 'probably clean'. What does this verdict indicate?

144

What is the primary difference between using a Web Application Firewall (WAF) on FortiGate versus using FortiWeb?

145

An administrator wants to automatically block a file that FortiSandbox has determined to be malicious. The FortiGate is configured with an antivirus profile that includes FortiSandbox submission. Which verdict action should be set to 'block' in the antivirus profile to achieve this?

146. A FortiGate administrator runs 'diagnose ips anomaly list' and sees many entries with 'protocol anomaly - tcp_port_scan'. The administrator wants to reduce false positives. Which action should be taken in the IPS sensor configuration?

147. A company wants to receive threat intelligence feeds from external sources to enhance their FortiGate's protection. Which method should be used to integrate external threat feeds into FortiGate?

148. An administrator needs to configure advanced email security on FortiMail to protect against phishing and spoofing. Which THREE features should be enabled to achieve comprehensive email authentication?

149. A FortiGate administrator wants to use automation stitches to respond to a detected threat. The trigger is 'event' and the action is to quarantine the source IP. Which TWO actions can be used in FortiGate automation stitches to achieve IP quarantine?

150. A company has deployed FortiClient with advanced threat protection (ATP) features. Which TWO capabilities does FortiClient ATP provide beyond basic antivirus?

151. A network administrator notices that FortiGate is not blocking a known malicious file that was submitted to FortiSandbox and received a 'malicious' verdict. The firewall policy includes a FortiSandbox inline scan profile. What is the MOST likely cause?

152. An administrator runs 'diagnose ips anomaly list' and sees many 'data_leak' events from a specific internal IP address. The IPS sensor has the default pre-defined signatures enabled. What additional step should the administrator take to block this specific anomaly?

153. A FortiGate administrator wants to ensure that files in email attachments are disarmed before delivery. Which security feature should be configured in the antivirus profile?

154. An administrator is configuring a firewall policy for web traffic to a critical web application. They want to protect against SQL injection and cross-site scripting. Which security profile should they apply?

155. You receive an alert from FortiSandbox that a file has been rated 'highly malicious'. The FortiGate has the FortiSandbox inline scanning enabled with the action 'block malicious'. However, the file is still being downloaded by users. What is the most likely reason?

156. An administrator is deploying FortiClient with ATP features. They want to ensure that if a process is detected as malicious by the FortiClient machine learning engine, the endpoint is isolated from the network. Which configuration should they use?

157. An administrator wants to secure email traffic by ensuring that incoming emails are verified against the sender's domain SPF record. Which email authentication method provides this verification?

158. A FortiGate administrator is troubleshooting an issue where a legitimate application is being blocked by the IPS. The administrator wants to ensure the application works while maintaining protection for other traffic. What is the best action?

159. An administrator configured FortiGate to forward suspected malicious files to FortiSandbox. They set the action to 'block' for malicious verdicts. Some files are being blocked, but others with a 'clean' verdict are allowed. However, they notice that some files that should have been sent to FortiSandbox are not being forwarded. Which reason is MOST likely?

160. Which feature in FortiMail provides an additional layer of protection by analyzing the behavior of email attachments in a sandbox environment?

161. An administrator is configuring FortiDeceptor to detect threats within the network. Which TWO statements about FortiDeceptor are correct?

162. An administrator is configuring automation stitches to respond to a detected ransomware outbreak. Which THREE components are essential for an automation stitch?

163. An administrator wants to protect against zero-day malware that has not yet been discovered by signature-based detection. Which TWO technologies can help mitigate such threats?

164. An administrator is configuring FortiMail to be more secure against advanced email threats. Which THREE features should they enable to protect against email-based phishing attacks?

165. An administrator is investigating an alert from FortiEDR indicating a suspicious process on an endpoint. The administrator wants to gather more context. Which TWO sources can provide threat intelligence to enrich the investigation?

166. A security administrator is configuring FortiSandbox integration to automatically block malicious files detected in email attachments. Which TWO actions are required to achieve this integration?

167. A network security team is evaluating options for web application security. They need to protect a critical web application from SQL injection and cross-site scripting (XSS) attacks, and they require granular control over HTTP request parameters. Which THREE factors should influence their decision between using FortiGate's WAF profiles versus deploying a dedicated FortiWeb appliance?

168. An organization wants to implement email authentication to prevent spoofing and phishing attacks. They use FortiMail as their email security gateway. Which THREE mechanisms should they configure to achieve comprehensive email authentication?

169. An administrator is configuring FortiGate automation stitches to respond to a detected ransomware outbreak. The trigger is a high severity event from FortiSandbox. Which TWO actions can be used in an automation stitch to contain the threat?


Frequently asked questions

What does the Advanced Threat Protection domain cover on the NSE7 exam?

The Advanced Threat Protection domain covers the key concepts tested in this area of the NSE7 exam blueprint published by Fortinet. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all NSE7 domains — no account required.

How many Advanced Threat Protection questions are in the NSE7 question bank?

The Courseiva NSE7 question bank contains 169 questions in the Advanced Threat Protection domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Advanced Threat Protection for NSE7?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Advanced Threat Protection questions for NSE7?

Yes — the session launcher on this page draws questions exclusively from the Advanced Threat Protection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
