Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

NSE7 Advanced Threat Protection • Complete Question Bank

NSE7 Advanced Threat Protection — All Questions With Answers

Complete NSE7 Advanced Threat Protection question bank — all 0 questions with answers and detailed explanations.

169 questions, free, no signup
Question 1 (easy, multiple choice)

A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?

Question 2 (medium, multiple choice)

A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?

Question 3 (hard, multiple choice)

A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?

Question 4 (easy, multiple choice)

A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?

Question 5 (medium, multiple choice)

A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?

Question 6 (medium, multi select)

Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?

Question 7 (hard, multi select)

Which THREE actions should be taken to optimize FortiGate ATP performance while maintaining security?

Question 8 (hard, multiple choice)

Refer to the exhibit. An administrator notices that some malware files are not being detected by FortiGate. The antivirus profile uses flow-based scanning with FortiSandbox disabled. What is the most likely reason for missed detections?

Exhibit

config antivirus profile
    edit "default"
        set comment "Default antivirus"
        config http
            set options scan
            set av-scan mode=flow-based
            set fortisandbox inline-scan disable
            set quarantine enable
        end
        config ftp
            set options scan
            set av-scan mode=flow-based
            set fortisandbox inline-scan disable
            set quarantine enable
        end
        config smb
            set options scan
            set av-scan mode=flow-based
            set fortisandbox inline-scan disable
            set quarantine enable
        end
    next
end
Question 9 (medium, multiple choice)

Refer to the exhibit. A user reports that accessing a legitimate HTTPS website is blocked. The FortiGate logs show that the connection was denied by the antivirus profile. What is the most likely cause?

Exhibit

config firewall policy
    edit 1
        set name "Web Access"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.0.1.0/24"
        set dstaddr "10.0.2.0/24"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-profile "default"
        set application-list "default"
    next
end
Question 10 (hard, multiple choice)

A large enterprise uses FortiGate as their perimeter firewall with ATP features enabled. They have a mix of internal users and remote VPN users. Recently, several remote users reported that their machines became infected with ransomware after connecting to the VPN. The IT team suspects that the ransomware entered through the VPN tunnel. The FortiGate has an antivirus profile applied to the VPN policy with SSL inspection enabled for all traffic. However, the logs show that no malware was detected. Upon investigation, the team finds that the remote users' machines are not managed by the company and do not have any endpoint protection. The ransomware was delivered via a spear-phishing email that the users opened on their remote machines. The email traffic passed through the VPN tunnel to the corporate mail server first, then back to the user. The FortiGate antivirus profile is configured to scan SMTP traffic but the email was sent from an external source to the corporate mail server, and the mail server uses STARTTLS to receive emails. The FortiGate does not perform SSL inspection on the SMTP traffic because the SMTP service is not included in the SSL inspection profile. What action should the administrator take to prevent this in the future?

Question 11 (medium, drag order)

Drag and drop the steps to configure OSPF on a FortiGate firewall into the correct order.

Question 12 (medium, matching)

Match each FortiGate security profile to its category.

Matches

Malware protection

URL and content filtering

DNS-based threat protection

Application visibility and control

Intrusion prevention

Question 13 (medium, multiple choice)

A network admin configures FortiGate to submit files to FortiSandbox for analysis. After submission, the FortiGate logs show that files are being sent but no verdict is returned. The FortiSandbox is reachable and licensed. What is the most likely cause?

Question 14 (medium, multiple choice)

An organization wants to protect against unknown malware by using machine learning on FortiGate. Which antivirus setting should be enabled to achieve this?

Question 15 (hard, multiple choice)

A FortiGate administrator wants to block a custom protocol anomaly where a client sends an HTTP request with a malformed header containing a null byte. Which advanced IPS feature should be used?

Question 16 (easy, multiple choice)

What is the primary purpose of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus features?

Question 17 (medium, multi select)

An organization uses FortiMail and wants to validate that incoming emails are from legitimate senders by checking the sender's domain against a published policy. Which two email authentication mechanisms can FortiMail use? (Choose two.)

Question 18 (hard, multiple choice)

A FortiGate admin runs 'diagnose ips anomaly list' and sees many 'tcp_src_session' events from a single internal IP. The admin suspects a scanning attack. What action should be taken to block this traffic without affecting legitimate traffic?

Question 19 (easy, multiple choice)

What is the primary function of FortiDeceptor in a network security architecture?

Question 20 (medium, multiple choice)

An administrator configures an automation stitch on FortiGate to automatically block an IP address when a specific IPS signature triggers. What must be configured as the trigger and action?

Question 21 (hard, multiple choice)

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 22 (medium, multiple choice)

A company uses FortiWeb as a reverse proxy for their web application. They want to protect against SQL injection attacks. Which FortiWeb feature should be configured?

Question 23 (easy, multiple choice)

What is the role of FortiGuard Outbreak Prevention in FortiGate's security suite?

Question 24 (medium, multiple choice)

An organization deploys FortiEDR to protect endpoints. Which component is responsible for collecting and sending telemetry data to the FortiEDR management console?

Question 25 (medium, multi select)

Which TWO of the following are required for FortiGate to successfully obtain file verdicts from FortiSandbox? (Choose two.)

Question 26 (hard, multi select)

A security administrator wants to implement automated threat response using FortiGate automation stitches. Which THREE components are mandatory when creating an automation stitch? (Choose three.)

Question 27 (medium, multi select)

Which TWO email authentication mechanisms does FortiMail support to verify sender identity and reduce spoofing? (Choose two.)

Question 28 (medium, multiple choice)

A FortiGate administrator configures an antivirus profile with the machine learning engine enabled and applies it to a policy inspecting HTTP traffic. After deployment, the admin notices that some files are being allowed that should have been detected. What is the MOST likely cause?

Question 29 (hard, multiple choice)

An administrator runs the following CLI output: 'diagnose sys session filter dport 443' and sees 'proto=6 proto_state=01 duration=3600 expire=3599'. Which statement BEST describes the session?

Question 30 (easy, multiple choice)

A company wants to protect its internal users from malicious files attached to emails. Which FortiGate feature should be configured to inspect SMTP traffic for malware?

Question 31 (medium, multiple choice)

An administrator configures a FortiGate to integrate with FortiSandbox for inline scanning. The policy has an antivirus profile with FortiSandbox enabled. What condition must be met for files to be submitted to FortiSandbox?

Question 32 (hard, multiple choice)

A FortiGate admin sees the following log: 'Action=blocked, Service=HTTP, Application=Outbreak, File=invoice.doc, ThreatScore=95'. What is the MOST likely explanation for this block?

Question 33 (easy, multiple choice)

Which FortiGate security feature can reconstruct files to remove potentially malicious content while preserving the file's usability?

Question 34 (medium, multiple choice)

An administrator needs to deploy a honeypot solution to detect and deceive attackers inside the network. Which Fortinet product is BEST suited for this purpose?

Question 35 (hard, multiple choice)

A FortiGate administrator configures a custom IPS signature with the pattern 'attack' in the HTTP request URI. After applying the signature, no alerts are generated even though the traffic matches. What is the MOST likely cause?

Question 36 (easy, multiple choice)

Which technology uses DMARC reports to help administrators identify unauthorized use of their email domain?

Question 37 (medium, multiple choice)

An administrator wants to create an automation stitch that sends a webhook notification when an IPS attack is detected. Which trigger and action should be used?

Question 38 (medium, multiple choice)

A FortiGate is configured with a WAF profile to protect a web server. The administrator notices that SQL injection attacks are still reaching the server despite the WAF being enabled. What is the MOST likely reason?

Question 39 (hard, multiple choice)

An administrator runs 'diagnose ips anomaly http' and sees many entries with 'type=SQLi' and 'score=0'. What does a score of 0 indicate?

Question 40 (medium, multi select)

An administrator wants to configure FortiGate to automatically block a source IP when a high-severity IPS event is detected. Which TWO components must be configured? (Choose two.)

Question 41 (hard, multi select)

A FortiGate administrator is troubleshooting why files are not being submitted to FortiSandbox for analysis. Which THREE conditions must be met for file submission to work? (Choose three.)

Question 42 (medium, multi select)

An organization wants to implement email authentication to prevent spoofing. Which TWO standards should they configure? (Choose two.)

Question 43 (medium, multiple choice)

A FortiGate administrator notices that files submitted to FortiSandbox are receiving verdicts but the firewall is not automatically blocking the detected malware. The FortiSandbox integration is configured under Security Fabric > External Connectors. What additional configuration is required to enforce blocking based on FortiSandbox verdicts?

Question 44 (easy, multiple choice)

Which FortiClient ATP feature provides protection against zero-day malware by monitoring process behavior and blocking suspicious activities at the endpoint?

Question 45 (medium, multiple choice)

A security administrator wants to block email spoofing attacks against their organization's domain. They configure SPF, DKIM, and DMARC records. Which protocol authenticates the domain of the email sender by verifying the email's signature against a public key published in DNS?

Question 46 (hard, multiple choice)

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

Question 47 (medium, multiple choice)

An organization wants to deploy a web application firewall (WAF) to protect a public-facing web application. They are evaluating FortiGate versus FortiWeb. Which of the following is a key advantage of using FortiWeb over FortiGate for WAF functionality?

Question 48 (medium, multiple choice)

A FortiGate administrator wants to implement Content Disarm and Reconstruction (CDR) for email attachments. Which security profile must be configured to enable CDR?

Question 49 (hard, multiple choice)

During a security incident, the SOC team receives an alert from FortiSIEM about a user accessing a known malicious IP. The team wants to automatically block the IP on the FortiGate. Which FortiGate feature can be used to create an automated response based on a threat intelligence feed?

Question 50 (easy, multiple choice)

Which Fortinet product is designed specifically to detect and deceive attackers by creating decoy systems and luring them away from real assets?

Question 51 (medium, multiple choice)

An administrator wants to configure FortiGate to use the machine learning engine for advanced antivirus detection. Which setting must be enabled in the antivirus profile?

Question 52 (hard, multiple choice)

A network administrator is troubleshooting a FortiGate IPS sensor that is not generating alerts for a custom signature they created. The custom signature uses the pattern 'malicious. The signature is enabled and applied to a firewall policy. What is the MOST likely cause of the issue?

Question 53 (medium, multiple choice)

Which FortiMail advanced feature allows the administrator to rewrite URLs in email bodies to redirect users to a safe scanning service when they click on a link?

Question 54 (easy, multiple choice)

What is the primary purpose of FortiGuard Outbreak Prevention service?

Question 55 (medium, multi select)

An administrator is configuring FortiGate automation stitches to respond to a detected brute-force attack against an internal web server. The trigger is set to 'Event' with a condition matching repeated failed login attempts. Which TWO actions are appropriate to mitigate the attack? (Choose two.)

Question 56 (hard, multi select)

A security engineer wants to implement advanced threat protection for email using FortiMail. Which THREE features should be enabled to provide comprehensive protection against sophisticated email threats? (Choose three.)

Question 57 (medium, multi select)

An administrator is investigating a security incident where a workstation is communicating with a known command and control (C2) server. The FortiGate has IPS enabled but did not block the traffic. Which TWO configuration issues could explain why the IPS did not detect the C2 communication? (Choose two.)

Question 58 (medium, multiple choice)

An administrator configures FortiSandbox inline scanning for HTTP traffic. They notice that files uploaded via HTTP are being scanned but no verdict is being returned, causing delays. What is the MOST likely cause?

Question 59 (easy, multiple choice)

A network administrator wants to block known malicious IP addresses using threat intelligence feeds on FortiGate. Which feature should they use?

Question 60 (hard, multiple choice)

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 61 (medium, multiple choice)

A company is deploying FortiClient ATP to protect endpoints. They want to block ransomware behavior in real time. Which FortiClient feature should be enabled?

Question 62 (hard, multiple choice)

An administrator configures FortiSandbox to quarantine files that are rated 'malicious'. They notice that some files are being quarantined even though the verdict is 'clean'. What could explain this?

Question 63 (easy, multiple choice)

Which FortiGate feature can automatically block traffic from an IP address that is detected as malicious by FortiSandbox?

Question 64 (medium, multiple choice)

A FortiGate administrator configures an antivirus profile with Machine Learning (ML) engine enabled. The ML engine is not detecting any threats, even though new unknown malware is present. What is the MOST likely reason?

Question 65 (medium, multiple choice)

An organization wants to prevent zero-day attacks by using Content Disarm and Reconstruction (CDR) on email attachments. Which Fortinet product provides this capability?

Question 66 (hard, multiple choice)

An administrator configures a WAF profile on FortiGate to protect a web application. They notice that SQL injection attacks are not being blocked. What is the MOST likely reason?

Question 67 (medium, multiple choice)

An administrator wants to detect lateral movement and early stages of an attack using decoy systems that mimic production assets. Which Fortinet product should they deploy?

Question 68 (easy, multiple choice)

Which Fortinet product provides endpoint detection and response (EDR) capabilities, including automated threat containment?

Question 69 (hard, multiple choice)

An administrator configures email authentication (SPF, DKIM, DMARC) on FortiMail. They find that legitimate emails are being marked as spam by FortiMail. The SPF check passes but DKIM fails. What could be the issue?

Question 70 (medium, multi select)

An administrator needs to enable automation stitches to automatically block a malicious IP address detected by FortiSandbox. Which two components are required? (Choose two.)

Question 71 (hard, multi select)

An administrator is configuring FortiMail to improve email security. Which three of the following features are part of FortiMail's advanced threat protection? (Choose three.)

Question 72 (medium, multi select)

A FortiGate administrator wants to detect and block protocol anomalies as part of advanced IPS. Which three options are available in FortiGate's custom IPS signatures? (Choose three.)

Question 73 (medium, multiple choice)

A network administrator has configured FortiGate to send files to FortiSandbox for analysis. However, files are not being submitted. The administrator checks the FortiGate configuration and sees that the FortiSandbox server IP is correctly entered. What is the most likely cause of the issue?

Question 74 (medium, multiple choice)

An administrator wants to prevent users from downloading known malicious files from the internet. The administrator has enabled FortiGuard Outbreak Prevention and applied an antivirus profile to the outbound policy. However, some malicious files are still reaching users. What configuration step is most likely missing?

Question 75 (hard, multiple choice)

A security analyst is investigating a phishing email that bypassed email security. The email's headers show SPF=pass, DKIM=pass, but DMARC=quarantine. The email was delivered to the inbox. What is the most likely reason DMARC did not block or quarantine the email?

Question 76 (easy, multiple choice)

What is the primary function of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus profile?

Question 77 (hard, multiple choice)

An administrator wants to create an automation stitch that automatically blocks an IP address when a high-severity IPS alert is triggered. The administrator creates a trigger for 'IPS event' and an action of 'Add to Blocked IPs'. However, the action fails to execute. Which of the following is the most likely cause?

Question 78 (medium, multiple choice)

A FortiGate administrator notices that traffic classified as 'unknown' by the antivirus is being allowed. The administrator wants to ensure that such files are submitted to FortiSandbox for analysis and blocked until a verdict is received. Which configuration is required?

Question 79 (medium, multiple choice)

A company uses FortiGate as a web application firewall (WAF) to protect a public web server. The security team wants to block SQL injection attacks. Which WAF signature category should the administrator enable?

Question 80 (easy, multiple choice)

What is the purpose of FortiDeceptor in an enterprise security architecture?

Question 81 (medium, multiple choice)

An administrator wants to use FortiGate to automatically block traffic if FortiEDR detects a threat on an endpoint. Which feature should the administrator configure?

Question 82 (hard, multiple choice)

A FortiGate administrator receives a report that a user downloaded a malicious PDF file. The antivirus profile has machine learning engine enabled, CDR enabled, and FortiSandbox integration. However, the file was allowed. The log shows: 'file=malicious.pdf, action=allow, ml_score=85, cd_result=clean, sandbox=not_submitted'. What is the most likely reason the file was not submitted to FortiSandbox?

Question 83 (easy, multiple choice)

What is the primary benefit of using FortiClient with ATP features in conjunction with FortiGate?

Question 84 (medium, multiple choice)

An administrator needs to create a custom IPS signature to detect a specific exploit that sends a unique string 'EXPLOIT_2024' in the HTTP User-Agent header. Which IPS signature syntax should the administrator use?

Question 85 (medium, multi select)

A company receives a threat intelligence feed that lists several IP addresses as malicious. The administrator wants to automatically block traffic from these IPs on FortiGate. Which TWO methods can achieve this? (Choose two.)

Question 86 (hard, multi select)

A security team is configuring FortiMail for email security. They want to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC, and that emails failing authentication are quarantined. Which THREE settings must be configured in FortiMail? (Choose three.)

Question 87 (medium, multi select)

An administrator is troubleshooting why a custom IPS signature for protocol anomaly detection is not triggering. The signature is designed to detect abnormal DNS query lengths. Which TWO steps should the administrator take to verify the signature is working? (Choose two.)

Question 88 (medium, multiple choice)

A network admin notices that files submitted to FortiSandbox from FortiGate are not being analyzed. The FortiGate has a valid FortiSandbox license and the device is reachable. What configuration step is most likely missing?

Question 89 (easy, multiple choice)

An organization wants to prevent users from downloading malicious files from the internet. Which FortiGate security profile should be applied to the outbound firewall policy to block files based on their hash if they have been identified as malicious by FortiSandbox?

Question 90 (medium, multiple choice)

A FortiGate admin runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

Question 91 (hard, multiple choice)

A security admin notices that FortiClient ATP is not blocking threats on a managed endpoint. The FortiClient is registered with FortiGate and the ATP feature is enabled in the FortiClient profile. What is the most likely cause?

Question 92 (medium, multiple choice)

An organization wants to protect against zero-day malware by using FortiGate's outbreak prevention feature. Which configuration is required to enable outbreak prevention in the antivirus profile?

Question 93 (hard, multiple choice)

An admin configures Content Disarm and Reconstruction (CDR) on FortiGate to protect against malicious macros in Office documents. After applying the CDR profile to a firewall policy, users complain that documents are not being delivered. What is the most likely cause?

Question 94 (easy, multiple choice)

Which FortiGate IPS feature allows administrators to create rules that detect network traffic patterns deviating from normal protocol behavior?

Question 95 (medium, multiple choice)

An admin wants to create a custom IPS signature to detect a specific exploit that sends a string 'EXPLOIT' in the HTTP Host header. Which signature syntax is correct?

Question 96 (hard, multiple choice)

A company uses FortiWeb to protect its web application. They want to block SQL injection attempts. Which FortiWeb feature should be configured to inspect HTTP requests for malicious SQL patterns?

Question 97 (medium, multiple choice)

An organization uses FortiGate's WAF feature (not FortiWeb) to protect a web server. The admin configures an inline WAF profile but notices that the WAF is not inspecting traffic. What is the most likely cause?

Question 98 (easy, multiple choice)

What does FortiGuard Outbreak Prevention use to protect against newly discovered malware outbreaks before traditional signatures are available?

Question 99 (medium, multiple choice)

An admin receives an email from FortiMail regarding a message that was rejected due to SPF failure. What does this indicate about the email?

Question 100 (hard, multi select)

A security analyst wants to use automation stitches on FortiGate to automatically block IP addresses that trigger an IPS signature for 'SSH Brute Force'. Which two components are required to create this automation stitch? (Choose two.)

Question 101 (medium, multi select)

An organization wants to implement multiple layers of defense against advanced persistent threats. Which three Fortinet solutions would be most effective in an ATP strategy? (Choose three.)

Question 102 (medium, multi select)

A network admin is troubleshooting why FortiGate's antivirus is not detecting a known malware sample. The sample is detected by other scanners. Which two checks should the admin perform? (Choose two.)

Question 103 (easy, multiple choice)

An administrator wants to block a zero-day malware outbreak detected by FortiGuard. Which feature should be configured to automatically block the threat across all enabled FortiGate devices?

Question 104 (medium, multiple choice)

A FortiGate admin configures an automation stitch to send an email alert when a high-severity IPS event occurs. The trigger is 'IPS Event' and the action is 'Email'. After testing, no email is sent despite events being logged. What is the most likely cause?

Question 105 (hard, multiple choice)

When configuring FortiGate with FortiSandbox integration, an administrator wants to block files that are rated 'High Risk' by the sandbox. Which setting must be enabled in the antivirus profile to automatically quarantine these files?

Question 106 (medium, multiple choice)

An administrator sees the following log entry: 'id=13593 msg="CDR: File attachment sanitized"'. Which feature generated this log?

Question 107 (easy, multiple choice)

Which Fortinet product is specifically designed to deploy decoys and lures to detect lateral movement and early-stage attacks inside the network?

Question 108 (medium, multiple choice)

A company uses FortiMail and wants to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC. Which profile should the administrator configure to enforce these checks?

Question 109 (hard, multiple choice)

A FortiGate administrator runs the following CLI command: 'diagnose ips anomaly log'. The output shows numerous 'tcp_syn_flood' events from a single source IP. To mitigate this, the administrator wants to block the source IP automatically. Which feature should be used?

Question 110 (medium, multiple choice)

Which Fortinet solution collects and correlates security events from multiple sources to provide a unified view of threats across the network?

Question 111 (medium, multiple choice)

A network admin wants to use FortiClient's advanced threat protection features to detect ransomware behavior on endpoints. Which FortiClient feature should be enabled?

Question 112 (easy, multiple choice)

Which feature on FortiGate uses machine learning to detect never-before-seen malware based on file characteristics?

Question 113 (medium, multiple choice)

An administrator configures a WAF profile on FortiGate to protect a web application. However, the administrator notices that SQL injection attacks are not being blocked. What should the administrator check first?

Question 114 (hard, multiple choice)

A FortiGate is configured to submit files to FortiSandbox. The administrator notices that files are being submitted but no verdicts are returned. Which two conditions could cause this?

Question 115 (medium, multiple choice)

An organization uses FortiWeb to protect its web applications. The security team wants to block requests that contain a specific custom pattern in the URL. Which feature should be used?

Question 116 (easy, multiple choice)

Which FortiGate security feature removes potentially malicious active content from files (e.g., macros, scripts) before delivering them to end users?

Question 117 (medium, multiple choice)

An administrator wants to integrate FortiGate with an external threat intelligence feed to block known malicious IP addresses automatically. Which object should be used to consume the feed?

Question 118 (hard, multi select)

A FortiGate administrator is troubleshooting why a custom IPS signature is not triggering on traffic matching the pattern. Which TWO checks should be performed?

Question 119 (medium, multi select)

A company wants to use FortiMail to implement email authentication to prevent spoofing. Which THREE mechanisms should be configured in FortiMail's Authentication Profile?

Question 120 (medium, multi select)

An administrator wants to create an automation stitch that responds to a high-severity IPS event by blocking the attacker IP. Which THREE components are required to build this automation stitch?

Question 121 (medium, multiple choice)

A network admin notices that files submitted to FortiSandbox are not being analyzed. The FortiGate is configured to send files to FortiSandbox. What is the MOST likely cause?

Question 122 (medium, multiple choice)

An admin wants to block malicious files detected by FortiSandbox at the FortiGate level. Which configuration is required on the FortiGate to automatically block files based on FortiSandbox verdict?

Question 123 (easy, multiple choice)

Which FortiClient feature is specifically designed to prevent the execution of unknown malware by analyzing behavior in real-time?

Question 124 (hard, multiple choice)

A company uses an advanced antivirus profile with machine learning engine enabled. After a recent outbreak, several files that were previously undetected are now flagged. How does the outbreak prevention feature help in this situation?

Question 125 (medium, multiple choice)

An admin wants to ensure that office documents (e.g., Word, Excel) downloaded from the internet are safe before users open them. Which feature should be used to remove potentially malicious macros and active content?

Question 126 (medium, multiple choice)

An IPS administrator wants to detect a new custom attack that sends malformed HTTP headers. The attack pattern is a specific sequence of bytes that is not covered by existing signatures. What is the BEST way to detect this attack on FortiGate?

Question 127 (hard, multiple choice)

A FortiGate is configured with an IPS sensor that has protocol anomaly detection enabled. The admin notices that legitimate VoIP traffic (SIP) is being blocked. Which action should the admin take to reduce false positives?

Question 128 (medium, multiple choice)

An organization wants to protect a public-facing web application against SQL injection and cross-site scripting (XSS) attacks. They have a FortiGate and a FortiWeb. What is the BEST deployment approach?

Question 129 (medium, multiple choice)

An email security administrator wants to prevent attackers from spoofing the company's domain. Which email authentication mechanism should be configured to allow receiving servers to verify that emails claiming to be from the domain are sent from authorized mail servers?

Question 130 (hard, multiple choice)

A company uses FortiMail to protect email. They set up DMARC with a policy of 'quarantine' for emails failing SPF and DKIM checks. However, legitimate emails from a third-party service are being quarantined. What should the admin do?

Question 131 (easy, multiple choice)

Which Fortinet product is designed to deploy decoy systems to lure attackers and detect lateral movement within the network?

Question 132 (medium, multiple choice)

An organization wants to implement a solution that can detect and automatically respond to threats across multiple Fortinet security products. Which product should they use?

Question 133 (medium, multi select)

A security analyst wants to use automation stitches on FortiGate to automatically block an IP address when a critical severity event is logged. Which TWO components are essential to create this automation stitch? (Choose two.)

Question 134 (hard, multi select)

An organization is deploying FortiEDR to enhance endpoint protection. Which THREE capabilities does FortiEDR provide? (Choose three.)

Question 135 (medium, multi select)

A FortiGate administrator wants to use threat intelligence feeds to block known malicious IP addresses. Which TWO steps are required to accomplish this? (Choose two.)

Question 136 (medium, multiple choice)

A network administrator wants to ensure that files downloaded from the internet are analyzed by FortiSandbox before being delivered to the client. The FortiGate is configured with a FortiSandbox connection and an antivirus profile. Which setting must be enabled in the antivirus profile to submit files to FortiSandbox?

Question 137 (easy, multiple choice)

What is the primary purpose of Content Disarm and Reconstruction (CDR) in advanced antivirus protection?

Question 138 (hard, multiple choice)

An administrator configures a custom IPS signature to detect traffic to a specific malicious domain. Which syntax is correct for a custom IPS signature in FortiGate?

Question 139 (medium, multiple choice)

A company uses FortiMail for email security. They want to prevent email spoofing by verifying that incoming emails originate from authorized servers. Which email authentication method should be configured on FortiMail to check the sending server's IP against a published SPF record?

Question 140 (medium, multiple choice)

A security analyst notices repeated failed login attempts from a specific IP address to the FortiGate management interface. The administrator wants to automatically blacklist the IP after 3 failed attempts within 60 seconds. Which feature should be configured?

Question 141 (medium, multiple choice)

An administrator configures an automation stitch to respond to a high severity event. The trigger is 'event' and the action is 'CLI script'. What must be defined for the action to execute properly?

Question 142 (easy, multiple choice)

Which of the following best describes the function of FortiDeceptor in an enterprise network?

Question 143 (hard, multiple choice)

A FortiGate is configured with an antivirus profile that has the machine learning engine enabled. An administrator notices that some files are being detected by the ML engine but the verdict is 'probably clean'. What does this verdict indicate?

Question 144 (easy, multiple choice)

What is the primary difference between using a Web Application Firewall (WAF) on FortiGate versus using FortiWeb?

Question 145 (medium, multiple choice)

An administrator wants to automatically block a file that FortiSandbox has determined to be malicious. The FortiGate is configured with an antivirus profile that includes FortiSandbox submission. Which verdict action should be set to 'block' in the antivirus profile to achieve this?

Question 146 (hard, multiple choice)

A FortiGate administrator runs 'diagnose ips anomaly list' and sees many entries with 'protocol anomaly - tcp_port_scan'. The administrator wants to reduce false positives. Which action should be taken in the IPS sensor configuration?

Question 147 (medium, multiple choice)

A company wants to receive threat intelligence feeds from external sources to enhance their FortiGate's protection. Which method should be used to integrate external threat feeds into FortiGate?

Question 148 (medium, multi select)

An administrator needs to configure advanced email security on FortiMail to protect against phishing and spoofing. Which THREE features should be enabled to achieve comprehensive email authentication?

Question 149 (hard, multi select)

A FortiGate administrator wants to use automation stitches to respond to a detected threat. The trigger is 'event' and the action is to quarantine the source IP. Which TWO actions can be used in FortiGate automation stitches to achieve IP quarantine?

Question 150 (medium, multi select)

A company has deployed FortiClient with advanced threat protection (ATP) features. Which TWO capabilities does FortiClient ATP provide beyond basic antivirus?

Question 151 (medium, multiple choice)

A network administrator notices that FortiGate is not blocking a known malicious file that was submitted to FortiSandbox and received a 'malicious' verdict. The firewall policy includes a FortiSandbox inline scan profile. What is the MOST likely cause?

Question 152 (hard, multiple choice)

An administrator runs 'diagnose ips anomaly list' and sees many 'data_leak' events from a specific internal IP address. The IPS sensor has the default pre-defined signatures enabled. What additional step should the administrator take to block this specific anomaly?

Question 153 (easy, multiple choice)

A FortiGate administrator wants to ensure that files in email attachments are disarmed before delivery. Which security feature should be configured in the antivirus profile?

Question 154 (medium, multiple choice)

An administrator is configuring a firewall policy for web traffic to a critical web application. They want to protect against SQL injection and cross-site scripting. Which security profile should they apply?

Question 155 (hard, multiple choice)

You receive an alert from FortiSandbox that a file has been rated 'highly malicious'. The FortiGate has the FortiSandbox inline scanning enabled with the action 'block malicious'. However, the file is still being downloaded by users. What is the most likely reason?

Question 156 (medium, multiple choice)

An administrator is deploying FortiClient with ATP features. They want to ensure that if a process is detected as malicious by the FortiClient machine learning engine, the endpoint is isolated from the network. Which configuration should they use?

Question 157 (easy, multiple choice)

An administrator wants to secure email traffic by ensuring that incoming emails are verified against the sender's domain SPF record. Which email authentication method provides this verification?

Question 158 (medium, multiple choice)

A FortiGate administrator is troubleshooting an issue where a legitimate application is being blocked by the IPS. The administrator wants to ensure the application works while maintaining protection for other traffic. What is the best action?

Question 159 (hard, multiple choice)

An administrator configured FortiGate to forward suspected malicious files to FortiSandbox. They set the action to 'block' for malicious verdicts. Some files are being blocked, but others with a 'clean' verdict are allowed. However, they notice that some files that should have been sent to FortiSandbox are not being forwarded. Which reason is MOST likely?

Question 160 (easy, multiple choice)

Which feature in FortiMail provides an additional layer of protection by analyzing the behavior of email attachments in a sandbox environment?

Question 161 (medium, multi select)

An administrator is configuring FortiDeceptor to detect threats within the network. Which TWO statements about FortiDeceptor are correct?

Question 162 (hard, multi select)

An administrator is configuring automation stitches to respond to a detected ransomware outbreak. Which THREE components are essential for an automation stitch?

Question 163 (medium, multi select)

An administrator wants to protect against zero-day malware that has not yet been discovered by signature-based detection. Which TWO technologies can help mitigate such threats?

Question 164 (easy, multi select)

An administrator is configuring FortiMail to be more secure against advanced email threats. Which THREE features should they enable to protect against email-based phishing attacks?

Question 165 (hard, multi select)

An administrator is investigating an alert from FortiEDR indicating a suspicious process on an endpoint. The administrator wants to gather more context. Which TWO sources can provide threat intelligence to enrich the investigation?

Question 166 (medium, multi select)

A security administrator is configuring FortiSandbox integration to automatically block malicious files detected in email attachments. Which TWO actions are required to achieve this integration?

Question 167 (hard, multi select)

A network security team is evaluating options for web application security. They need to protect a critical web application from SQL injection and cross-site scripting (XSS) attacks, and they require granular control over HTTP request parameters. Which THREE factors should influence their decision between using FortiGate's WAF profiles versus deploying a dedicated FortiWeb appliance?

Question 168 (medium, multi select)

An organization wants to implement email authentication to prevent spoofing and phishing attacks. They use FortiMail as their email security gateway. Which THREE mechanisms should they configure to achieve comprehensive email authentication?

Question 169 (medium, multi select)

An administrator is configuring FortiGate automation stitches to respond to a detected ransomware outbreak. The trigger is a high severity event from FortiSandbox. Which TWO actions can be used in an automation stitch to contain the threat?
