CCNA Security Profiles Questions

75 of 232 questions · Page 1/4 · Security Profiles · Answers revealed

1
MCQ · medium

An administrator needs to block all traffic from an application that uses a proprietary protocol not recognized by any application signature. Which security profile method should be used to block this traffic?

A. Create an application control profile and add a custom application signature
B. Use a web filter profile to block by URL
C. Use an IPS profile with a custom signature based on protocol anomalies
D. Use a data leak prevention (DLP) profile to match on data patterns
Answer: C

IPS can detect anomalous behavior or specific payload patterns via custom signatures.

Why this answer

Option C is correct because IPS with custom signatures can detect and block traffic based on protocol anomalies or patterns, even without a pre-defined application signature.

2
MCQ · hard

An administrator configures a DLP profile to detect credit card numbers in email traffic. The DLP rule uses a regular expression. However, the DLP sensor is not triggering on emails containing credit card numbers. What is a likely reason?

A. SSL deep inspection is not enabled on the policy
B. The regular expression is case-sensitive and credit card numbers are lowercase
C. The DLP sensor is configured to 'monitor' only
D. The DLP profile is applied to the inbound policy only
Answer: A

Email sent over TLS is encrypted. Without SSL deep inspection, the FortiGate cannot read the email content to apply DLP.

Why this answer

DLP sensors operate on traffic that has been decrypted if necessary. If the email is sent over TLS, the FortiGate needs SSL deep inspection to see the email content. Also, the DLP sensor needs to be applied to the correct direction (e.g., both send and receive).

3
Multi-Select · easy

A FortiGate admin wants to enforce safe search on Google and Bing for all users. The firewall policy has web filtering enabled. Which TWO configurations are required?

Select 2 answers
A. Install a custom CA certificate on client browsers
B. Use an application control profile to block non-safe search applications
C. Enable SSL deep inspection
D. Configure a URL filter to rewrite search URLs to include safe search parameters
E. Enable 'Safe Search' in the web filter profile's FortiGuard settings
Answers: D, E

Rewriting search URLs is an alternative method of enforcing safe search.

Why this answer

Options D and E are correct: safe search enforcement is done via the web filter profile's Safe Search option or a URL filter rewrite. A DNS filter can also reroute search queries to enforce safe search.

4
MCQ · medium

An administrator wants to block all traffic to websites in the 'Pornography' category but allow an exception for a specific research site that falls under that category. The FortiGuard category is set to block. How should the administrator configure the exception?

A. Set the FortiGuard category to 'Monitor' and create a URL filter to block all other sites
B. Add a URL filter entry with the site's domain set to 'Allow'
C. Use the DNS filter to allow the site's FQDN
D. Add the site to the FortiGuard category override list with action 'Allow'
Answer: B

URL filter entries are processed before FortiGuard categories. An allow entry for the specific URL will override the category block.

Why this answer

In FortiGate, to allow a specific site that is blocked by a category, you add a URL filter entry with the action 'Allow' above the category block. URL filter entries are evaluated first and can override the category action.

5
MCQ · medium

An administrator configures an IPS profile with a signature that has a 'block' action. However, traffic matching the signature is only being logged and not blocked. What is the most likely reason?

A. The IPS profile is applied to the inbound policy only
B. The firewall policy is set to 'accept' but logging is disabled
C. The FortiGate is operating in flow-based inspection mode
D. The signature's action is set to 'monitor' in the IPS sensor
Answer: D

If the signature is configured to 'monitor' in the IPS sensor, it will only log, regardless of the default action.

Why this answer

IPS signatures can be set to 'block' but the actual action in the firewall policy's IPS profile may be overridden by the policy's inspection mode or the IPS profile's configuration. Additionally, the signature's action must not be set to 'monitor' or 'pass' at the sensor level.

6
Multi-Select · medium

A FortiGate administrator is configuring IPS to protect against a known exploit targeting a web server. The administrator wants to ensure that the IPS engine can decode the HTTP protocol. Which TWO actions are necessary?

Select 2 answers
A. Enable the HTTP protocol decoder in the IPS sensor
B. Configure an IP pool for the web server
C. Enable SSL deep inspection on the firewall policy
D. Set the IPS action to 'block'
E. Disable the FTP protocol decoder
Answers: A, C

The decoder must be enabled for the engine to parse HTTP traffic.

Why this answer

IPS protocol decoders are enabled per protocol. For HTTP, you need to enable the HTTP decoder. Additionally, if the traffic is HTTPS, SSL deep inspection must be enabled to decrypt the traffic so the decoder can analyze it.

7
MCQ · hard

A FortiGate configured with IPS anomaly detection is generating false positives for the 'tcp_syn_flood' anomaly. The administrator wants to reduce the false positives without completely disabling the detection. Which action should the administrator take?

A. Disable the anomaly and use a custom IPS signature
B. Decrease the threshold value
C. Set the action to 'pass'
D. Increase the threshold value
Answer: D

A higher threshold means more SYN packets per second are needed to trigger the anomaly, thus reducing false positives.

Why this answer

The threshold determines the number of SYN packets per second that trigger an alarm. Increasing the threshold will require more SYN packets to trigger, reducing false positives while still detecting heavy floods.

8
MCQ · easy

Which inspection mode allows FortiGate to perform virus scanning by reassembling the entire file in memory before scanning, providing better detection but potentially higher latency?

A. Fast-path inspection
B. Deep inspection
C. Proxy-based inspection
D. Flow-based inspection
Answer: C

Proxy-based inspection buffers the entire file before scanning, which improves detection but adds latency.

Why this answer

Option C is correct. Proxy-based inspection reassembles the entire file in memory before scanning, which can detect threats that flow-based inspection might miss, but at the cost of higher latency.

9
MCQ · hard

You run the following CLI commands on a FortiGate: 'diagnose sys session filter dport 443' followed by 'diagnose sys session list'. The output shows many sessions with 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the traffic?

A. The sessions are fully established and idle
B. The sessions are for UDP traffic
C. The sessions are being inspected by SSL deep inspection
D. The sessions are in the SYN_SENT state and have not completed the three-way handshake
Answer: D

Correct as explained.

Why this answer

Option D is correct. proto=6 indicates TCP, and proto_state=01 indicates a TCP session in the SYN_SENT state (i.e., the three-way handshake is not complete). The long duration suggests these are half-open sessions, possibly indicating a SYN flood attack.

10
Multi-Select · hard

An administrator wants to block all traffic from the 'P2P' application category but allow traffic from 'File Sharing' applications like Dropbox. Which THREE configurations are required to achieve this?

Select 3 answers
A. Create an application control profile that sets the 'P2P' category to 'block' and the 'File Sharing' category to 'allow'
B. Set the firewall policy inspection mode to proxy-based
C. Enable SSL/TLS deep inspection on the firewall policy
D. Ensure that the application control signatures are up to date
E. Apply a web filter profile to override the application control
Answers: A, C, D

This is the core configuration to differentiate between the two categories.

Why this answer

To block P2P and allow File Sharing, the administrator needs to create an application control profile that blocks P2P category and allows File Sharing category. This profile must be applied to a firewall policy that has deep inspection enabled for encrypted traffic. Proxy-based inspection might be needed for granular control, but flow-based also works with deep inspection.

11
MCQ · medium

A school district uses a FortiGate to filter web traffic for students. The administrator wants to enforce that Google searches are filtered for explicit content. Which configuration should be applied?

A. Enable 'Google Safe Search' in the web filter profile under 'FortiGuard Categories' -> 'Safe Search'.
B. Use an application control profile to block the 'Google Search' application.
C. Create a URL filter to block URLs containing 'porn' or 'adult'.
D. Block the URL category 'Search Engines' and allow only approved search engines.
Answer: A

Safe Search enforces strict filtering on Google (and other search engines) to block explicit content in search results.

12
Matching · medium

Match each FortiGate CLI command to its function.


Displays current system resource usage

Tests network connectivity to a host

Traces packet flow through the firewall

Displays the entire running configuration

Resets the device to factory defaults

Why these pairings

Common CLI commands used for troubleshooting and management.

13
MCQ · easy

An administrator wants to block access to websites that host malware. Which FortiGate feature should be configured to achieve this goal?

A. IPS profile
B. DNS Filter profile
C. Application Control profile
D. Web Filtering profile with FortiGuard categories
Answer: D

Web filtering allows blocking based on URL categories such as 'Malicious Web Sites'.

Why this answer

FortiGate's Web Filtering profile with FortiGuard categories is the correct feature because it allows administrators to block access to websites based on URL categories, including those known to host malware. FortiGuard maintains a continuously updated database of malicious URLs, and applying a web filtering profile that blocks the 'Malicious Websites' category directly prevents users from accessing such sites. This is the most straightforward and effective method for blocking malware-hosting websites at the proxy or flow-based inspection level.

Exam trap

The trap here is that candidates often confuse DNS Filtering (which blocks domains at the DNS level) with Web Filtering (which blocks URLs at the HTTP/HTTPS level), but DNS Filtering cannot block specific URL paths or subdirectories, making it insufficient for blocking malware-hosting websites that may share a domain with legitimate content.

How to eliminate wrong answers

Option A is wrong because an IPS profile is designed to detect and prevent network-based attacks by inspecting traffic for exploit signatures, not to block access to specific websites or URL categories. Option B is wrong because a DNS Filter profile controls access based on domain name resolution, blocking or redirecting DNS queries to known malicious domains, but it does not inspect the full URL path or HTTP content, and it is not the primary feature for blocking malware-hosting websites. Option C is wrong because an Application Control profile identifies and controls applications (e.g., social media, file sharing) based on signatures, not URLs or web categories, so it cannot block specific websites hosting malware.

14
MCQ · medium

An administrator wants to prevent data leakage by blocking outbound emails that contain credit card numbers. Which security profile should be configured?

A. Email Filter profile
B. Web Filter profile
C. Antivirus profile
D. DLP profile
Answer: D

DLP profiles can use predefined or custom data patterns to detect sensitive information.

Why this answer

Option D is correct. DLP (Data Leak Prevention) profiles can inspect content for sensitive data patterns like credit card numbers and block or quarantine the traffic.

15
MCQ · hard

A FortiGate is configured with an SSL deep inspection profile that uses 'Certificate Inspection' (not 'Full SSL Inspection'). Which of the following is TRUE about this configuration?

A. Deep inspection can still see client certificates
B. The antivirus profile can scan the HTTPS payload
C. The FortiGate can block HTTPS connections based on the certificate's CN
D. IPS can still inspect the application layer of HTTPS traffic
Answer: C

Certificate inspection allows blocking based on certificate CN as part of web filtering.

Why this answer

Option C is correct. Certificate inspection only validates the server certificate's Common Name (CN) and expiration; it does not decrypt the traffic payload, so the antivirus and IPS cannot inspect encrypted content.

16
MCQ · medium

A FortiGate administrator configures an email filter profile to block spam. Users report that some legitimate emails are being blocked. The administrator wants to reduce false positives while still blocking spam. What should the administrator do?

A. Disable the email filter profile
B. Increase the spam threshold score
C. Decrease the spam threshold score
D. Enable the FortiGuard spam filter only
Answer: B

A higher threshold means emails need a higher spam score to be blocked, reducing false positives.

Why this answer

Spam filtering often uses a heuristic score. Lowering the spam threshold makes the filter more aggressive (more false positives). Increasing the threshold reduces false positives but may let some spam through.

The best approach is to whitelist known good senders or adjust the threshold appropriately.

17
MCQ · hard

A FortiGate is configured with flow-based inspection and an IPS profile. The administrator runs 'diagnose ips session list' and sees many sessions with 'state=bypass'. What does this indicate?

A. The IPS profile is configured with 'pass' action for all signatures
B. The IPS signatures have expired and are not being applied
C. The FortiGate is under DoS attack and is dropping sessions
D. The sessions are being offloaded to the NPU and are not inspected by IPS
Answer: D

In flow-based mode, many sessions are offloaded to NPU. The IPS engine marks them as 'bypass' because they are not sent to the CPU for inspection. This is expected behavior.

Why this answer

In flow-based IPS, sessions can be bypassed when the IPS engine determines that further inspection is unnecessary, for example, if the session is considered low-risk or to reduce CPU load. This is normal behavior in flow-based mode.

18
MCQ · easy

Which two inspection modes are available for antivirus scanning on a FortiGate?

A. Stateful and stateless
B. Flow-based and proxy-based
C. Inline and passive
D. Kernel-based and user-based
Answer: B

These are the two standard inspection modes for security profiles on FortiGate.

Why this answer

FortiGate supports two inspection modes: flow-based and proxy-based. Flow-based is more efficient with lower latency, while proxy-based offers deeper inspection and more features like content archiving.

19
Multi-Select · hard

Which TWO statements about IPS in FortiGate are true?

Select 2 answers
A. IPS can be applied to individual firewall policies via IPS sensors.
B. An IPS sensor can only be applied to one firewall policy.
C. IPS is not supported in transparent mode.
D. IPS only works in flow-based inspection mode.
E. IPS signatures can have their actions overridden in an IPS filter.
Answers: A, E

IPS sensors are attached to firewall policies to enable IPS on selected traffic.

Why this answer

Option A is correct because IPS sensors are applied directly to individual firewall policies, allowing granular control over which traffic is inspected for intrusions. This enables administrators to enforce different IPS profiles for different traffic flows, such as applying a stricter sensor to internet-bound traffic and a lighter one to internal traffic.

Exam trap

The trap here is that candidates often assume IPS requires routed mode or flow-based inspection only, but FortiGate supports IPS in transparent mode and in both inspection modes, and sensors are reusable across multiple policies.

20
Matching · medium

Match each Fortinet HA mode to its description.


One unit handles traffic; standby unit takes over on failure

Both units handle traffic simultaneously for load balancing

Multiple units act as a single logical firewall

Ensures active sessions are preserved after failover

FortiGate Clustering Protocol used for HA synchronization

Why these pairings

High Availability modes and features in FortiGate.

21
Multi-Select · easy

Which TWO are valid types of SSL/TLS inspection available on FortiGate?

Select 2 answers
A. Off-box SSL Inspection
B. Proxy SSL Inspection
C. Full SSL Deep Inspection
D. Passive SSL Inspection
E. Certificate Inspection
Answers: C, E

Full SSL deep inspection decrypts the traffic to inspect the content.

Why this answer

Options C and E are correct. FortiGate supports certificate inspection (examining certificates) and full deep inspection (decrypting and scanning content).

22
MCQ · medium

A mid-sized company has a FortiGate 100F running FortiOS 7.2. They have two internal networks: Trusted (10.1.1.0/24) for employees and Guest (10.2.2.0/24) for visitors. The Guest network has a firewall policy that allows internet access only, with an application control profile that blocks all peer-to-peer and gaming applications. Recently, users on the Guest network have been able to play online games (e.g., Fortnite) despite the block. The administrator checks the application control profile and confirms that 'Fortnite' is listed as blocked. There are no other policies allowing Guest traffic. The administrator also notices that the Guest policy has 'set utm-status enable' and the application control profile is applied. What is the most likely reason that Fortnite is not being blocked?

A. The firewall policy is missing 'set deep-inspection enable' for application control to work.
B. SSL inspection is required to block encrypted game traffic, and it is not enabled.
C. The application control profile is not applied to the correct policy.
D. The application control signatures are outdated and do not include the latest Fortnite signatures.
Answer: D

Outdated signatures may miss new application traffic.

Why this answer

Option D is correct because if the Application Control signatures are outdated, the FortiGate may not recognize the latest Fortnite traffic patterns or encrypted handshakes, allowing the game to bypass the block. Even though the policy has UTM enabled and the profile is applied, stale signatures cannot match new application variants or updates. Regularly updating the IPS/Application Control database via FortiGuard is essential to maintain effective blocking.

Exam trap

The trap here is that candidates often assume SSL inspection is mandatory for blocking encrypted applications, but the real issue is that outdated signatures fail to recognize the latest application variants, even when the profile is correctly applied and UTM is enabled.

How to eliminate wrong answers

Option A is wrong because 'set deep-inspection enable' is not a valid command for firewall policies; deep inspection is configured via SSL/SSH inspection profiles, not a direct policy flag, and Application Control can work without full SSL inspection if the game uses non-encrypted or partially encrypted traffic. Option B is wrong because while SSL inspection can help identify encrypted game traffic, it is not strictly required for Application Control to block applications; many games use plaintext or proprietary protocols that signatures can match without decryption, and the question states the profile already blocks Fortnite, indicating the issue is signature freshness, not inspection depth. Option C is wrong because the administrator already confirmed the Application Control profile is applied to the Guest policy, and there are no other policies allowing Guest traffic, so the profile is correctly attached.

23
MCQ · medium

A FortiGate administrator wants to block spam emails destined for internal users. The FortiGate receives SMTP traffic on port 25. What is the most effective way to filter spam using the email filter profile?

A. Enable spam filtering in the antivirus profile
B. Apply an email filter profile to a firewall policy that allows SMTP traffic
C. Use a DNS filter to block spam domains
D. Configure a web filter to block webmail
Answer: B

The email filter profile is designed to be applied to a policy handling email traffic (SMTP, POP3, IMAP). This is the standard method.

Why this answer

The email filter profile is applied to a firewall policy that matches SMTP traffic. It can perform spam filtering based on FortiGuard IP reputation and other heuristics.

24
Matching · medium

Match each FortiGate firewall policy action to its result.


Allows traffic matching the policy

Blocks traffic and sends a reset or ICMP unreachable

Routes traffic into an IPsec VPN tunnel

Routes traffic into an SSL VPN tunnel

Logs traffic without enforcing action (used for learning)

Why these pairings

Policy actions determine how FortiGate handles matching traffic.

25
Multi-Select · hard

A FortiGate administrator is troubleshooting an issue where a user receives a certificate error when accessing a web server. The administrator has configured SSL deep inspection with a custom CA certificate. The error indicates the certificate is not trusted. Which THREE actions could resolve this issue? (Choose three.)

Select 3 answers
A. Install the FortiGate's CA certificate on the client devices.
B. Disable SSL inspection on the firewall policy entirely.
C. Update the FortiGate firmware to the latest version.
D. Change the SSL inspection profile to 'certificate-inspection' instead of 'deep-inspection'.
E. Add the web server to the SSL exemption list in the SSL inspection profile.
Answers: A, D, E

Clients need to trust the CA that signs the re-issued certificate.

Why this answer

The correct answers are A, D, and E. Installing the CA certificate on the clients, switching to certificate-inspection, or exempting the server from inspection can all resolve the certificate error.

26
MCQ · medium

An administrator is configuring email filtering on FortiGate to block spam. Which of the following is required for FortiGate to filter inbound email directly?

A. FortiMail must be deployed as a separate appliance
B. The FortiGate must be configured as an SMTP proxy
C. SSL deep inspection must be enabled for SMTP traffic
D. The email filtering profile must be applied to a policy covering port 110
Answer: B

FortiGate can act as an SMTP proxy to filter email traffic on port 25.

Why this answer

Option B is correct. FortiGate can be configured as an SMTP proxy in the email filter profile to intercept and filter email.

27
Multi-Select · medium

Which TWO are valid actions for an application control rule?

Select 2 answers
A. quarantine
B. redirect
C. block
D. allow
E. monitor
Answers: C, D

'block' denies the application traffic.

Why this answer

Application control rules in FortiGate use actions to determine how matched traffic is handled. 'Block' is a valid action that drops the application traffic and can optionally send a reset or log the event. 'Allow' is also a valid action that permits the application traffic to pass through the firewall.

Exam trap

The trap here is that candidates often confuse 'quarantine' as an application control action because it appears in other FortiGate security features (like IPS or antivirus), but it is not a valid action for application control rules themselves.

28
MCQ · medium

A FortiGate administrator has configured an Application Control profile to block 'P2P' applications. However, users are still able to use BitTorrent. What is the MOST likely reason?

A. The firewall policy does not have SSL deep inspection enabled, and BitTorrent is using encryption
B. The Application Control profile is configured in 'Monitor' mode instead of 'Block'
C. The BitTorrent signatures are not included in the FortiGate firmware
D. The Application Control profile is applied to the wrong direction
Answer: A

Many P2P applications use encryption. Without deep inspection, App Control cannot see the traffic signatures.

Why this answer

Option A is correct. If the Firewall policy does not have 'Deep Inspection' enabled for HTTPS, encrypted P2P traffic cannot be inspected by Application Control, and the application may not be detected.

29
Multi-Select · hard

An administrator configures an IPS sensor with a signature that is triggered by traffic to a specific server. The signature is set to 'Block' but the traffic is not being blocked. The administrator verifies that the IPS sensor is applied to the correct firewall policy and that the signature is enabled. Which TWO additional checks should the administrator perform? (Choose two.)

Select 2 answers
A. Ensure that the antivirus profile is not interfering with IPS.
B. Verify that the signature's 'Action' is not overridden by a higher-priority rule in the IPS sensor.
C. Check if the firewall policy is using 'flow-based' or 'proxy-based' inspection mode. Some IPS signatures require proxy mode.
D. Check if the destination server is in the 'Local-in' policy, which may bypass IPS.
E. Confirm that the signature has a valid CVE ID.
Answers: B, C

If multiple rules match the same traffic, the highest priority rule's action takes effect. An override with 'Monitor' could prevent blocking.

30
MCQ · hard

A FortiGate administrator runs the command 'diagnose application urlfilter 0 status' and sees 'status: enable' but users report that some malicious URLs are not blocked. The web filter profile uses FortiGuard categories with 'block' action. What should the administrator check next?

A. The antivirus profile is blocking URL filtering
B. The FortiGuard web filter rating service is reachable
C. The DNS filter is overriding the web filter
D. The firewall policy is set to 'accept' without inspection
Answer: B

If the FortiGate cannot reach the FortiGuard rating servers, it may allow all URLs or use local rating only.

Why this answer

Option B is correct. The FortiGate needs connectivity to the FortiGuard servers for real-time rating; without it, blocking may fail.

31
MCQ · easy

Which security profile type requires a FortiSandbox license to enable advanced detection features?

A. Application Control
B. DNS Filter
C. Antivirus
D. Web Filter
Answer: C

The Antivirus profile can send files to FortiSandbox for advanced malware detection when licensed.

Why this answer

FortiSandbox integration is configured within the Antivirus profile (and optionally with other profiles) to submit suspicious files for behavioral analysis. The license enables the FortiSandbox connection.

32
MCQ · hard

A FortiGate is configured with SSL inspection and web filtering. The administrator notices that some HTTPS traffic is being blocked even though the URL is in an allowed category. What could be the cause?

A. The FortiGate's DNS server is not resolving the domain correctly.
B. The web filter's 'allow' list is misconfigured.
C. The web filter profile has 'safe-search' enabled.
D. The SSL inspection profile has 'certificate-validation-failed' action set to 'block'.
Answer: D

A certificate mismatch triggers validation failure, which can block traffic.

Why this answer

When SSL inspection is enabled, the FortiGate acts as a man-in-the-middle and validates the server's certificate. If the certificate is invalid (e.g., expired, self-signed, or mismatched), the FortiGate can block the session based on the 'certificate-validation-failed' action in the SSL inspection profile. Even if the URL belongs to an allowed web filter category, a failed certificate validation will cause the traffic to be blocked before the web filter policy is applied.

Exam trap

The trap here is that candidates often assume web filtering categories alone control HTTPS traffic, forgetting that SSL inspection's certificate validation can preemptively block sessions even for allowed URLs.

How to eliminate wrong answers

Option A is wrong because DNS resolution issues would prevent the FortiGate from reaching the server at all, but the symptom here is that HTTPS traffic is blocked specifically, not that the domain is unreachable. Option B is wrong because the 'allow' list being misconfigured would affect all traffic, not just HTTPS, and the question states the URL is in an allowed category, so the web filter should permit it. Option C is wrong because 'safe-search' enforces search engine restrictions (e.g., Google SafeSearch) and does not block entire HTTPS sessions; it modifies search queries, not certificate validation.

33
Multi-Select · hard

A FortiGate administrator is configuring a data leak prevention (DLP) profile to prevent the leakage of social security numbers (SSNs) via email. Which TWO settings must be configured in the DLP profile?

Select 2 answers
A. Set the email filter to quarantine
B. Configure IPS to block SSN patterns
C. Enable SSL deep inspection on the firewall policy
D. Enable FortiSandbox integration
E. Create a DLP sensor that uses a custom pattern for SSNs
Answers: C, E

Why this answer

A DLP sensor with a custom pattern for SSNs is needed to detect the data. SSL deep inspection is required to decrypt email traffic (SMTP over TLS) so DLP can inspect the content. FortiSandbox and IPS do not directly handle DLP.

34
MCQ · medium

An administrator configured a DLP profile to detect credit card numbers in outgoing emails. The profile is applied to an outbound SMTP policy. Users report that emails with credit card numbers are still being sent successfully. What is the most likely cause?

A. The DLP profile is set to 'monitor' instead of 'block'
B. The DLP profile is not applied to the correct policy
C. The credit card number pattern is not correctly defined
D. The SMTP traffic is encrypted and deep inspection is not enabled
Answer: D

If SMTP over TLS is used, the FortiGate cannot inspect the email content without SSL deep inspection decrypting the traffic. DLP will not detect the credit card numbers.

Why this answer

DLP scanning requires deep inspection if the traffic is encrypted. If SMTP traffic is encrypted with TLS (SMTPS), the FortiGate needs SSL deep inspection to decrypt and inspect the content. Without it, DLP cannot see the credit card numbers.

35
MCQ · medium

A network administrator notices that users cannot access HTTPS websites after enabling SSL inspection. The firewall policy allows the traffic, and the certificate is trusted on the clients. What is the most likely cause?

A. The CA certificate used for SSL inspection is not trusted by the clients.
B. The client's browser has a proxy configured incorrectly.
C. The firewall policy has SSL inspection disabled.
D. The DNS server is not resolving the domain names.
Answer: A

If the CA certificate is not trusted, clients will block HTTPS connections.

Why this answer

Option A is correct because the most likely cause is that the CA certificate used for SSL inspection is not trusted by the clients. Even if the firewall policy allows the traffic and the certificate is trusted on the clients, if the CA certificate used to generate the inspection certificate is not trusted, the clients will not trust the certificate presented by the firewall, resulting in HTTPS access failures.

Exam trap

The trap here is that candidates may assume that if the firewall policy allows traffic and the certificate is trusted, SSL inspection should work, but they overlook that the CA certificate used for inspection must be trusted by the clients, not just the server certificate.

How to eliminate wrong answers

Option B is wrong because an incorrectly configured proxy in the client's browser would cause issues with all HTTP/HTTPS traffic, not just HTTPS after enabling SSL inspection, and the scenario specifically states the issue occurs after enabling SSL inspection. Option C is wrong because the firewall policy has SSL inspection enabled (the administrator enabled SSL inspection), and the policy allows the traffic, so disabling SSL inspection would not be the cause. Option D is wrong because DNS resolution issues would prevent access to all websites, not just HTTPS, and the scenario specifically states users cannot access HTTPS websites after enabling SSL inspection.

36
MCQeasy

What is the purpose of enabling 'Safe Search' in a web filter profile on a FortiGate?

A.It blocks all searches containing the word 'safe'.
B.It redirects users to a safe landing page when a blocked site is accessed.
C.It forces search engines to filter explicit content from search results.
D.It encrypts search queries to protect user privacy.
AnswerC

Safe Search enforces strict filtering on supported search engines (Google, Bing, Yahoo) to block adult content from search results.

37
MCQeasy

Which security profile is used to detect and prevent spam email messages?

A.DLP profile
B.Web filter profile
C.Email filter profile
D.Antivirus profile
AnswerC

Email filter is specifically designed for spam and email-specific threats.

Why this answer

Option C is correct: the Email filter profile provides anti-spam capabilities using FortiGuard, custom rules, and integration with FortiMail.

38
Multi-Selectmedium

A FortiGate administrator wants to create a web filter profile that blocks access to social networking sites during work hours but allows them during lunch breaks. Additionally, the administrator wants to ensure that HTTPS social networking sites are blocked. Which TWO configurations are required? (Choose two.)

Select 2 answers
A.Create a web filter profile with a FortiGuard category filter that blocks the 'Social Networking' category and set a time-based schedule.
B.Apply the web filter profile to a firewall policy that uses a schedule for work hours.
C.Enable SSL deep inspection to decrypt HTTPS traffic to social networking sites.
D.Use a URL filter to manually list all social networking sites.
E.Configure DNS filter to block social networking domains.
AnswersA, C

The web filter profile supplies the category block; the time-of-day restriction comes from a schedule on the firewall policy that carries the profile (schedules are policy objects, and the lunch-break policy has to sit above the work-hours policy because the lunch window falls inside it). SSL deep inspection lets the FortiGate inspect the HTTPS sessions to the blocked sites.
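The same design written out in FortiOS CLI, as an added example that is not part of the original page (interface names, policy IDs, the 09:00-17:00 and 12:00-13:00 windows and the profile names are assumptions; the FortiGuard category ID for Social Networking should be confirmed in the GUI before use). It shows the two schedules, the blocking web filter profile, and two policies ordered so that the lunch window wins.

```fortios
config firewall schedule recurring
    edit "work-hours"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 17:00
    next
    edit "lunch"
        set day monday tuesday wednesday thursday friday
        set start 12:00
        set end 13:00
    next
end

config webfilter profile
    edit "block-social"
        set comment "Block the Social Networking category"
        config ftgd-wf
            config filters
                edit 1
                    # 37 = Social Networking (assumed FortiGuard category ID; verify)
                    set category 37
                    set action block
                next
            end
        end
    next
end

config firewall policy
    # Policies match top-down. The lunch window lies inside work-hours, so the
    # permissive policy must be created (or moved) above the blocking one.
    edit 20
        set name "lunch-social-allowed"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "lunch"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
    edit 21
        set name "work-hours-social-blocked"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "work-hours"
        set service "HTTP" "HTTPS"
        set utm-status enable
        # certificate-inspection already exposes the SNI/hostname, which is
        # enough for category blocking; deep-inspection is what lets the
        # FortiGate see full URLs and page content inside HTTPS.
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "block-social"
        set logtraffic all
        set nat enable
    next
end
```

If the blocking policy already existed, `move 20 before 21` inside `config firewall policy` puts the lunch policy above it; `show firewall policy` confirms the order. A user hitting Facebook at 12:30 should then match policy 20, which is visible as `policy_id=20` in `diagnose sys session list`.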

39
MCQmedium

A FortiGate administrator needs to prevent employees from using peer-to-peer file sharing applications such as BitTorrent. The administrator creates an application control profile with a rule to block the 'Peer-to-Peer' application category. After applying the profile to the firewall policy, users can still use BitTorrent. What is the most likely cause?

A.The application control profile is applied to the outbound policy but not to the inbound policy.
B.The application control profile is set to 'Monitor' instead of 'Block' for the Peer-to-Peer category.
C.BitTorrent is not a recognized application in the FortiGuard application control database.
D.The firewall policy has SSL inspection set to certificate inspection, so the FortiGate cannot see the application.
AnswerB

If the action is monitor, traffic is logged but not blocked. The profile must be set to block.

40
MCQmedium

A network administrator configures a web filtering profile to block access to the 'Social Networking' FortiGuard category. However, users can still access Facebook. The firewall policy has web filtering enabled. What is the MOST likely reason?

A.The Facebook URL is cached in the user's browser
B.The FortiGuard web filter database is outdated
C.The web filter options are not set to use FortiGuard rating lookup
D.The firewall policy does not have SSL deep inspection enabled
AnswerC

Without FortiGuard rating enabled, the filter won't check categories.

Why this answer

Option C is correct because the web filter must have the rating lookup set to 'FortiGuard' to use the cloud-based category database. If it is set to 'Local' or disabled, FortiGuard categories are not enforced.

41
Multi-Selectmedium

An administrator is configuring web filtering on a FortiGate. Which TWO statements about web filtering profiles are correct?

Select 2 answers
A.Web filtering profiles can be used together with application control profiles.
B.Web filtering profiles can only be applied to users who are authenticated.
C.Web filtering profiles can block access to websites based on URL categories and ratings.
D.Web filtering profiles are applied globally by default.
E.Web filtering profiles are used to configure SSL certificate inspection.
AnswersA, C

Correct; they can be applied to the same firewall policy.

Why this answer

Option A is correct because web filtering profiles and application control profiles operate independently at different layers of the FortiGate security fabric. Web filtering inspects HTTP/HTTPS traffic against URL categories and ratings, while application control identifies and controls application-level traffic (e.g., Facebook, Skype) using deep packet inspection. They can be applied together in a single security policy to provide layered protection without conflict.

Exam trap

The trap here is that candidates often confuse the scope of web filtering profiles, assuming they require authentication (B) or are global by default (D), or they mistakenly think SSL inspection is configured within the web filtering profile (E) instead of as a separate inspection profile.

42
MCQeasy

Refer to the exhibit. An administrator has configured the SSL/SSH profile shown. However, users are unable to access HTTPS websites. What is the most likely cause?

A.The 'untrusted-caname' should be set to a trusted CA certificate to handle untrusted server certificates.
B.The port is set to 443, but HTTPS also uses port 8443.
C.The 'caname' is set to 'Fortinet_CA_SSL', which is not a valid certificate name.
D.The 'whitelist-mode' is disabled, which prevents inspection.
AnswerA

Without a trusted CA for untrusted certificates, clients will see certificate warnings.

Why this answer

Option A is correct. An SSL/SSH profile re-signs with two different CAs: 'caname' for servers whose certificates validate, and 'untrusted-caname' for servers whose certificates fail validation (expired, self-signed, wrong name). Whatever CA 'untrusted-caname' points at is the issuer the client sees for those sites, so if that CA is not trusted by the clients, those sites fail with a certificate warning or connection error, and pointing it at a CA the clients trust makes them load. A practitioner should know the trade-off: FortiOS ships a separate Fortinet_CA_Untrusted precisely so that users still get a browser warning when the origin server's certificate is bad. Re-signing those sites with the trusted CA hides that warning, so fixing the origin or adding an SSL exemption for the specific site is usually the better choice than weakening this setting for everything.

Exam trap

The trap here is that candidates confuse the 'caname' and 'untrusted-caname' fields, assuming any CA name is sufficient, without understanding that the CA must be trusted by the client for the re-signed certificate to be accepted.

How to eliminate wrong answers

Option B is wrong because HTTPS uses port 443 by default, and the profile is configured for port 443; port 8443 is an alternative HTTPS port but not required for standard HTTPS access. Option C is wrong because 'Fortinet_CA_SSL' is a valid default certificate name used by FortiGate for SSL inspection; the issue is not the name but its trust status. Option D is wrong because 'whitelist-mode' being disabled is the default and does not prevent inspection; it simply means all traffic is inspected unless explicitly whitelisted.
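The CA arrangement that questions 35 and 42 turn on, as an added FortiOS CLI example (not from the original page; the interface names, policy ID and the `pinned-app` address object are assumptions, and the syntax follows FortiOS 6.4/7.x): the shipped `deep-inspection` profile with its two CAs, an exemption for a site that breaks under re-signing, and the policy that attaches the profile.

```fortios
# The default profile as shipped; both CA settings shown explicitly.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        set comment "Deep inspection; clients must trust Fortinet_CA_SSL"
        # CA that re-signs certificates from servers whose chain validates.
        # This is the certificate to distribute to client trust stores.
        set caname "Fortinet_CA_SSL"
        # CA that re-signs certificates which FAIL validation (expired,
        # self-signed, wrong name). Clients deliberately do not trust it, so
        # the user still sees a warning for a broken origin site.
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
        end
        # Sites that cannot survive re-signing (certificate pinning, client
        # certificates) are exempted rather than handled by weakening the CAs.
        config ssl-exempt
            edit 1
                set type address
                set address "pinned-app"
            next
        end
    next
end

# Hypothetical FQDN object for the exemption above.
config firewall address
    edit "pinned-app"
        set type fqdn
        set fqdn "updates.example.com"
    next
end

config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # utm-status must be enabled or no security profile on the policy runs
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

Download Fortinet_CA_SSL from System > Certificates and push it into the clients' trusted root stores (Firefox keeps its own store unless configured to use the OS store). From a client, `openssl s_client -connect www.example.com:443` should then report the FortiGate CA as the issuer of the served certificate. If the issuer shown is Fortinet_CA_Untrusted, the origin certificate itself failed validation, and the right fix is at the origin or an exemption, not pointing untrusted-caname at the trusted CA.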

43
MCQmedium

A network administrator is troubleshooting why certain web-based applications are not being identified by application control. The applications are accessed over HTTPS. What is the most likely missing configuration?

A.Web filter profile is not applied to the firewall policy.
B.SSL inspection is not configured and applied to the firewall policy.
C.Deep packet inspection is not enabled on the firewall policy.
D.IPS is not enabled on the firewall policy.
AnswerB

SSL inspection is required to decrypt HTTPS for application control to work.

Why this answer

Application control relies on inspecting the content of traffic to identify applications. When traffic is encrypted with HTTPS, the firewall cannot inspect the payload without decrypting it first. Therefore, SSL inspection must be configured and applied to the firewall policy to allow the FortiGate to decrypt the traffic and match it against application control signatures.

Exam trap

The trap here is that candidates confuse 'deep packet inspection' with 'SSL inspection,' but DPI is a broader concept that includes many inspection types, and the specific missing piece for HTTPS application identification is SSL inspection, not DPI as a whole.

How to eliminate wrong answers

Option A is wrong because a web filter profile controls access to URLs and categories, not the identification of applications; application control is a separate feature. Option C is wrong because deep packet inspection (DPI) is a general term that includes SSL inspection, but the specific missing configuration for encrypted traffic is SSL inspection, not DPI in general. Option D is wrong because IPS is an intrusion prevention system that detects and blocks threats, not a mechanism for identifying applications; it does not decrypt HTTPS traffic.

44
MCQmedium

An administrator configures an application control profile to block 'Facebook' and 'Twitter' using application signatures. Users can still access Facebook via HTTPS. The administrator has enabled deep inspection. What is missing?

A.The application control profile must be applied to both ingress and egress policies
B.The firewall policy must have inspection mode set to 'proxy-based' for application control to work with HTTPS
C.The application signatures need to be updated to the latest version
D.The web filter profile must be set to 'authenticate' for the connection
AnswerB

The exam's expected reasoning is that proxy-based inspection buffers and reassembles the decrypted stream before signatures are matched, whereas flow-based inspection scans packets as they pass and may miss application patterns spread across them.

Why this answer

Option B is the expected answer for the reason above. Verify this on the release in use before changing the policy mode, though: application control runs on the IPS engine in both inspection modes, so in practice a Facebook session that survives with deep inspection enabled more often points at an SSL exemption in the SSL/SSH profile (for example an exempted FortiGuard category), stale application signatures, or traffic that is matching a different policy than the one carrying the profile.

45
Multi-Selectmedium

A security administrator wants to ensure that all DNS queries from internal users are filtered to block access to known malicious domains. Which TWO configurations must be applied?

Select 2 answers
A.Enable deep inspection on the firewall policy
B.Apply the DNS Filter profile to the firewall policy that allows DNS traffic
C.Enable DNS inspection on the SSL/SSH inspection profile
D.Create a DNS Filter profile to block malicious domains
E.Configure a DNS server on the FortiGate
AnswersB, D

The profile must be attached to the policy to be enforced.

Why this answer

Options B and D are correct. A DNS Filter profile must be created with the categories to block, and the firewall policy that allows the DNS traffic must reference that profile. Deep inspection is irrelevant to plain DNS on port 53.

46
MCQmedium

A FortiGate is configured with an IPS profile to protect a web server. The administrator notices that some attacks are not being detected. The IPS signature database is up to date. What should the administrator check first?

A.Increase the severity level of the IPS sensor.
B.Ensure the IPS profile is applied to the firewall policy that handles traffic to the web server.
C.Disable flow-based inspection and enable proxy-based inspection.
D.Change the IPS signature action from 'default' to 'block'.
AnswerB

If the IPS profile is not applied to the correct policy, traffic will not be inspected. This is a common misconfiguration.

47
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is using UDP protocol
B.The session is blocked by the firewall policy
C.The session is in SYN-SENT state
D.The session has been established for 3600 seconds and will expire in 3599 seconds
AnswerD

Duration and expire fields show ages.

Why this answer

Option D is correct. proto=6 is TCP and proto_state=01 is ESTABLISHED, meaning the three-way handshake completed. duration=3600 means the session has existed for 3600 seconds. expire=3599 is the idle timer, which is reloaded to the full timeout (3600 s by default for established TCP) by every packet, so 3599 means a packet passed through one second ago.

48
MCQmedium

A FortiGate administrator has configured a firewall policy with SSL deep inspection using a forward trust CA certificate. When users access an HTTPS website with a valid certificate, they still receive a certificate warning. What is the MOST likely reason?

A.The website certificate is expired
B.The forward trust CA certificate is not installed on the users' devices
C.The firewall policy is set to certificate inspection instead of deep inspection
D.The FortiGate's CA certificate is not trusted by the browser
AnswerB

Why this answer

For deep inspection, the FortiGate's CA certificate must be installed and trusted on client devices. Otherwise, browsers will show a warning that the connection is not private because the certificate is issued by an untrusted authority.

49
Multi-Selectmedium

An administrator configures a DLP profile to detect Social Security numbers in outbound traffic. The profile is applied to an outbound HTTP policy. Which TWO additional configurations are necessary for the DLP to inspect HTTPS traffic?

Select 2 answers
A.Set the firewall policy inspection mode to proxy-based
B.Add an SSL exemption for the destination servers
C.Enable SSL/TLS deep inspection on the firewall policy
D.Create a DLP sensor with the correct pattern and apply it to the policy
E.Configure a web filter profile to allow the traffic
AnswersC, D

Without deep inspection, the DLP engine cannot see the content of HTTPS traffic.

Why this answer

DLP scanning of HTTPS traffic requires SSL deep inspection on the firewall policy so the content is decrypted before the DLP sensor sees it, and the sensor with the correct pattern must be applied to that same policy. The inspection mode (flow vs proxy) affects performance but is not what stops the scan.

50
Drag & Dropmedium

Drag and drop the steps to configure IPsec VPN phase 1 settings on FortiGate into the correct order.


Why this order

Phase 1 establishes the secure channel; key parameters include remote gateway, PSK, IKE version, and encryption.

51
MCQhard

An admin runs the following command on a FortiGate: 'diagnose sys session filter dport 443' and sees output: 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate?

A.The session is stuck in a half-open state due to a firewall policy misconfiguration
B.The session is in the SYN_SENT state and is not yet fully established
C.The session is fully established and has been active for 3600 seconds
D.The session is using UDP protocol
AnswerC

proto_state=01 is TCP ESTABLISHED. A session in SYN_SENT would show proto_state=02, with its expire timer counting down from 60 seconds.

Why this answer

Option C is correct, and this is the same reading as question 47. The trailing digit of proto_state is the TCP state (1 = ESTABLISHED); the leading digit is used only for proxy-based sessions and is 0 in flow mode. duration=3600 means the session is an hour old, not new, and expire=3599 means the idle timer (3600 s by default for established TCP) was just reset by a packet. A half-open session would be proto_state=02 or 03 with a much shorter timer.
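How to take the reading that questions 47 and 51 ask about, as an added example of the FortiOS CLI session-table workflow (not from the original page; the client address and the output excerpt are constructed, and the state table is the documented TCP state encoding):

```fortios
# Session filters are ANDed together and persist until cleared, so start clean.
diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter dport 443
# constructed client address
diagnose sys session filter src 10.0.1.25
diagnose sys session list

# Constructed excerpt of the output for one session:
#   session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 ...
#   policy_id=10 ...
#   hook=post dir=org act=snat 10.0.1.25:51234->203.0.113.10:443(198.51.100.1:51234)
#
# proto=6          TCP (17 would be UDP)
# proto_state=01   two digits. The leading digit is used only for proxy-based
#                  sessions (client-side leg) and is 0 in flow mode. The trailing
#                  digit is the TCP state:
#                    0 NONE        1 ESTABLISHED  2 SYN_SENT     3 SYN/SYN-ACK
#                    4 FIN_WAIT    5 TIME_WAIT    6 CLOSE        7 CLOSE_WAIT
#                    8 LAST_ACK    9 LISTEN
#                  so 01 is an established session.
# duration=3600    seconds since the session was created
# expire=3599      seconds left on the idle timer. It is reloaded to timeout
#                  (3600 s for established TCP) by every packet, so 3599 means
#                  traffic was seen one second ago, not that the session is new.
# policy_id=10     the firewall policy the session matched; the first thing to
#                  check when a profile "is not working" on the expected policy.
#
# A session stuck in the handshake would show proto_state=02 (SYN_SENT) with
# expire counting down from 60 and a short duration.

# Clear the filter afterwards so later listings are not silently narrowed.
diagnose sys session filter clear
```

`diagnose sys session filter` without a value prints the current filter, which is worth checking before trusting an empty listing: a leftover `src` filter from an earlier session is a common reason the table appears to contain nothing.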

52
Multi-Selectmedium

An administrator needs to block users from uploading files containing credit card numbers to external websites. Which TWO actions must be configured? (Choose two.)

Select 2 answers
A.Apply an antivirus profile to the policy
B.Enable SSL deep inspection on the firewall policy
C.Create a DLP profile with a credit card number sensor set to block
D.Configure application control to block file transfer applications
E.Use a web filter to block all upload websites
AnswersB, C

To inspect HTTPS uploads, SSL deep inspection is required to decrypt traffic.

Why this answer

Option B is correct because SSL deep inspection is required to decrypt HTTPS traffic so the firewall can inspect the content of encrypted uploads for sensitive data like credit card numbers. Without decryption, the DLP profile cannot see the payload of encrypted sessions, rendering the DLP sensor ineffective.

Exam trap

The trap here is that candidates often forget that DLP requires SSL inspection to see the content of encrypted traffic, and mistakenly think a DLP profile alone is sufficient to block credit card numbers in HTTPS uploads.
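A DLP sensor that blocks credit card numbers, with the TLS inspection it depends on, as an added FortiOS CLI example (not from the original page; profile names, interface names, the policy ID and the `ACME-[0-9]{8}` pattern are assumptions, and the syntax is the FortiOS 6.x/7.0 `dlp sensor` form, which later 7.x releases restructured into DLP dictionaries and profiles). It serves the SMTPS case in the question 34 explanation and questions 49 and 52 together.

```fortios
config dlp sensor
    edit "cc-block"
        set comment "Block credit card numbers in web uploads and mail"
        config filter
            edit 1
                set name "cc-in-message-body"
                set severity high
                set type message
                set proto http-post smtp imap pop3
                # built-in credit card detector (number format plus checksum)
                set filter-by credit-card
                # log-only is the 'monitor' state from question 34 option C:
                # it logs and lets the data through. block stops the transfer.
                set action block
            next
            edit 2
                set name "cc-in-attachment"
                set severity high
                set type file
                set proto http-post smtp ftp
                set filter-by credit-card
                set action block
            next
            edit 3
                set name "internal-ticket-id"
                set severity medium
                set type message
                set proto http-post smtp
                set filter-by regexp
                # constructed pattern for a fictitious internal identifier
                set regexp "ACME-[0-9]{8}"
                set action block
            next
        end
    next
end

# TLS has to be opened on every protocol DLP is expected to read. Without the
# smtps/imaps/pop3s stanzas, HTTPS uploads are scanned but SMTPS mail is not.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config https
            set ports 443
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
    next
end

config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dlp-sensor "cc-block"
        set logtraffic all
        set nat enable
    next
end
```

Test with a constructed number that passes the Luhn check (the Fortinet test data for the credit-card filter is documented with the feature) rather than a random 16-digit string, since the built-in detector validates the checksum and a random string will not trigger it; then confirm the block appears in the DLP log with the sensor and filter name.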

53
MCQhard

A security engineer is designing an application control policy for a corporate network. The goal is to allow Microsoft Teams for business use but block personal use of other collaboration apps like Zoom and Slack. The engineer configures an application control profile with a rule to 'monitor' Microsoft Teams and 'block' Zoom and Slack. However, users report that Zoom is still working. What is the most likely reason?

A.Application control profiles can only have one rule.
B.There is an implicit allow rule or a higher-priority rule that allows Zoom before the block rule is evaluated.
C.The 'monitor' rule for Teams overrides the 'block' rule for Zoom.
D.Application control uses port-based inspection and Zoom uses a non-standard port.
AnswerB

If a rule allows all traffic or a broad category, it may match Zoom before the specific block rule.

Why this answer

Option B is correct because entries in a FortiGate application control profile are evaluated top-down and the first matching entry is applied. If a higher entry (a broad category or 'all applications' entry set to allow) matches Zoom before the block entry is reached, Zoom is allowed. The engineer likely placed the block entry below such an allow entry; the profile's default action for applications that match no entry should also be checked.

Exam trap

The trap here is that candidates often assume a block rule will always take effect regardless of rule order, forgetting that FortiGate processes policies sequentially and a preceding allow rule will override a later block rule.

How to eliminate wrong answers

Option A is wrong because application control profiles can contain multiple rules, each with different actions and conditions. Option C is wrong because a 'monitor' rule for Teams does not override a 'block' rule for Zoom; each application is evaluated independently based on its own rule. Option D is wrong because application control uses signature-based inspection (not port-based) to identify applications, and Zoom uses standard HTTPS ports (443) which are still subject to application-level inspection.

54
Multi-Selectmedium

Which TWO actions can cause SSL inspection to fail with certificate errors on client browsers? (Choose two.)

Select 2 answers
A.The FortiGate's CA certificate has expired.
B.The firewall policy allows the traffic.
C.The web server's certificate is signed by a public CA.
D.The client browser has the FortiGate CA certificate installed.
E.The FortiGate's generated server certificate does not match the requested domain name.
AnswersA, E

Expired CA certs cause trust errors.

Why this answer

Option A is correct because the FortiGate acts as a certificate authority (CA) for SSL inspection. If the FortiGate's CA certificate has expired, any server certificate it generates and signs for intercepted HTTPS sessions will be considered invalid by client browsers. Browsers will display a certificate error because the signing CA (the FortiGate) is no longer trusted due to expiration, even if the client has the CA certificate installed.

Exam trap

The trap here is that candidates often assume a public CA-signed server certificate is always trusted during inspection, forgetting that the FortiGate re-signs the certificate with its own CA, so the browser only sees the FortiGate's CA certificate and the generated server certificate, not the original public CA certificate.

55
MCQmedium

After enabling SSL inspection, a user receives a warning 'The certificate is not trusted' in the browser. The administrator has installed the CA certificate on the client. What else could be the cause?

A.The firewall policy denies the traffic.
B.The CA certificate is not added to the browser's trusted root store.
C.The FortiGate is not decrypting the traffic.
D.The web server's certificate has expired.
AnswerB

The CA must be trusted by the browser.

Why this answer

Even though the administrator installed the CA certificate on the client, some browsers use their own trusted root store rather than the operating system's. If the CA certificate is not added to the store the browser actually consults (Chrome and Edge use the system store, while Firefox maintains its own unless configured to trust enterprise roots), the browser still flags the certificate as untrusted. This is a common misconfiguration when deploying SSL inspection with FortiGate.

Exam trap

The trap here is that candidates assume installing the CA certificate on the client OS is sufficient for all browsers, but browsers like Firefox maintain their own certificate trust store, and even Chrome on some platforms may require the certificate to be in the correct store (e.g., the 'Trusted Root Certification Authorities' store) for the warning to disappear.

How to eliminate wrong answers

Option A is wrong because a firewall policy denying traffic would block the connection entirely, not generate a certificate trust warning in the browser. Option C is wrong because if FortiGate were not decrypting the traffic, the browser would receive the original web server certificate, which would be trusted (assuming it is a valid public CA), so no untrusted warning would appear. Option D is wrong because an expired web server certificate would cause a different error (e.g., 'expired certificate'), not specifically 'The certificate is not trusted' — and the FortiGate's re-signed certificate would be the one presented to the client, not the original server certificate.

56
MCQhard

An administrator configured SSL inspection with 'deep-inspection' profile. Users report that some websites fail to load with certificate errors. The firewall policy is correct. What is the most likely reason?

A.The CA certificate has expired.
B.The web server uses a cipher that the FortiGate cannot re-encrypt.
C.The user's browser is outdated.
D.The firewall needs a policy to allow DNS traffic.
AnswerB

Some ciphers may not be supported for re-encryption, causing errors.

Why this answer

When deep inspection is used, the FortiGate terminates the client's TLS session, opens its own TLS session to the server, inspects the cleartext, and re-encrypts in both directions. It negotiates cipher suites separately on each leg, so if the server offers only a suite the FortiGate cannot negotiate (obsolete or non-standard), the server-side handshake fails and the client sees a certificate or connection error for that site only. This fits the question because the policy is correct and the CA certificate is valid, which rules out a global cause. In practice, sites that fail only under deep inspection are just as often ones using certificate pinning or client certificates; FortiOS handles those with SSL exemptions in the SSL/SSH profile rather than by changing the CA.

Exam trap

The trap here is that candidates often assume certificate errors are always due to an expired CA certificate, but the question specifies that only some websites fail, which points to a cipher mismatch during re-encryption rather than a global CA issue.

How to eliminate wrong answers

Option A is wrong because if the CA certificate had expired, the FortiGate would not be able to generate valid signed certificates for any inspected site, causing all deep-inspection sessions to fail, not just some websites. Option C is wrong because an outdated browser might cause compatibility issues with modern ciphers, but the error described is a certificate error specifically from the FortiGate's re-encryption process, not a browser-side cipher mismatch. Option D is wrong because DNS traffic is typically allowed by default in the implicit allow policy or a separate DNS policy; a missing DNS policy would prevent name resolution entirely, not cause certificate errors on specific websites.

57
MCQmedium

An administrator configures an application control profile to block 'BitTorrent'. Users are still able to download files using BitTorrent. The administrator has enabled deep inspection and the policy is set to proxy-based. What is the most likely reason the application is not being blocked?

A.BitTorrent uses randomized ports that bypass application control
B.The application control profile is not applied to the correct policy
C.The application signatures are out of date
D.The policy is set to flow-based instead of proxy-based
AnswerC

Outdated signatures may not detect newer versions of BitTorrent. The FortiGate must have up-to-date application control signatures to identify the latest applications.

Why this answer

Application control uses application signatures to identify traffic. If the signatures are not up to date, new versions of BitTorrent may not be recognized. Also, if the traffic is encrypted and uses non-standard ports, application control may not detect it if the signatures are not comprehensive.

58
MCQeasy

What is the purpose of the 'safe search' option in a FortiGate web filter profile?

A.It enforces Google SafeSearch, Bing SafeSearch, and YouTube Restricted Mode on supported search engines.
B.It logs all search queries made by users.
C.It blocks access to all search engines except Google.
D.It redirects search queries to a secure HTTPS connection.
AnswerA

Safe search forces the search engine to filter explicit content from search results.

Why this answer

Option A is correct. Safe search enforces content filtering on supported search engines like Google, Bing, and YouTube to block explicit results.

59
MCQmedium

A company uses deep SSL inspection to filter traffic. Users report that some HTTPS sites are not loading. The administrator checks the FortiGate and sees that the certificate for the sites is not trusted on the client machines. What is the most likely cause?

A.The FortiGate's CA certificate is not installed in the Trusted Root Certification Authorities store on the clients.
B.The FortiGate is using a self-signed certificate for the SSL inspection policy.
C.The SSL inspection policy is set to 'no-inspection' for the affected sites.
D.The FortiGate's web filter profile is blocking the certificate.
AnswerA

Without the CA certificate, the browser cannot verify the inspection certificate.

Why this answer

When deep SSL inspection is enabled, the FortiGate acts as a man-in-the-middle by decrypting HTTPS traffic using a local CA certificate. For clients to trust the decrypted connections, the FortiGate's CA certificate must be installed in the Trusted Root Certification Authorities store on each client machine. If it is missing, the browser will display a certificate trust error and may block the site, causing the reported loading failures.

Exam trap

The trap here is that candidates may confuse the FortiGate's self-signed certificate used for its own web interface with the CA certificate required for deep inspection, or assume that 'no-inspection' would cause loading failures rather than bypassing inspection entirely.

How to eliminate wrong answers

Option A is correct because the root cause is the missing CA certificate on the clients. Option B is wrong because the default Fortinet_CA_SSL is itself a self-signed CA and deep inspection works with it as long as the clients trust it; self-signing is not the problem, trust distribution is. Option C is wrong because setting the profile to 'no-inspection' would bypass SSL inspection entirely, so HTTPS sites would load normally with their original certificates and no trust errors.

Option D is wrong because a web filter profile blocks URLs or categories based on policy, not certificates; certificate trust is handled by the SSL inspection configuration, not the web filter.

60
MCQhard

A FortiGate administrator is troubleshooting an issue where users cannot access a legitimate website that is categorized as 'Pornography' by FortiGuard. The web filter profile is configured to block that category. The administrator wants to allow access for a specific user group without modifying the global web filter profile. What is the BEST approach?

A.Change the FortiGuard category rating for the website to 'Unrated'
B.Create a separate firewall policy for that user group with a web filter profile that allows the category
C.Create a URL filter exemption for the website in the same web filter profile
D.Disable web filtering for that website in the global settings
AnswerB

Why this answer

Using a separate firewall policy with a different web filter profile allows granular control for specific user groups. URL filter exemption would apply to all users using that profile, not just the specific group.

61
MCQmedium

An administrator configures an antivirus profile in proxy-based inspection mode on a FortiGate. However, SMTP traffic is not being scanned for viruses. The firewall policy includes the antivirus profile and the FortiGate has a valid FortiGuard subscription. What is the most likely cause?

A.Flow-based inspection is required for SMTP scanning
B.The SMTP protocol is not enabled in the proxy options of the security profile
C.The FortiGate does not have a valid SSL certificate for SMTP inspection
D.The antivirus profile is configured to scan only HTTP traffic
AnswerB

Proxy-based inspection requires explicit protocol enablement. If SMTP is not enabled in the proxy options, the traffic is not inspected.

Why this answer

In proxy-based inspection, the FortiGate acts as a proxy for the protocol. If SMTP inspection is not enabled in the proxy options, the traffic bypasses scanning.
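The proxy options and antivirus configuration this question describes, as an added FortiOS CLI example (not from the original page; the policy ID, interface names and the `mail-relay` address object are assumptions, and the `av-scan` keyword is the FortiOS 6.2+/7.x antivirus syntax):

```fortios
config firewall profile-protocol-options
    edit "default"
        config smtp
            set ports 25
            # status disable is the failure in this question: SMTP then bypasses
            # the proxy entirely and no profile on the policy ever sees the mail.
            set status enable
            set inspect-all disable
            # messages above this size (MB) are treated as oversize and, by
            # default, passed unscanned; set this deliberately for mail traffic
            set oversize-limit 10
        end
    next
end

config antivirus profile
    edit "av-mail"
        set comment "Scan SMTP in proxy mode"
        config smtp
            # 6.2+/7.x syntax; FortiOS 6.0 used "set options scan"
            set av-scan block
        end
    next
end

config firewall policy
    edit 40
        set name "mail-relay-out"
        set srcintf "port2"
        set dstintf "port1"
        # hypothetical address object for the internal relay
        set srcaddr "mail-relay"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP" "SMTPS"
        set inspection-mode proxy
        set utm-status enable
        set profile-protocol-options "default"
        set av-profile "av-mail"
        # SMTPS on 465 is only scanned if the SSL/SSH profile has an smtps
        # stanza set to deep-inspection; plain SMTP on 25 needs no TLS handling
        set ssl-ssh-profile "deep-inspection"
        set logtraffic all
        set nat enable
    next
end
```

`show firewall profile-protocol-options default` is the quick check: if the smtp stanza is absent or shows `set status disable`, the antivirus profile is never consulted for SMTP regardless of how it is configured.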

62
MCQeasy

A company wants to block all peer-to-peer file sharing applications on the network. Which FortiGate feature should be used to achieve this goal?

A.Application Control
B.Web Filter
C.DNS Filter
D.Intrusion Prevention System (IPS)
AnswerA

Application control identifies and manages application traffic based on signatures.

Why this answer

Application Control is the correct feature because it is specifically designed to identify and block peer-to-peer (P2P) file-sharing applications by inspecting traffic patterns and signatures, regardless of the port or protocol used. Unlike port-based blocking, Application Control uses deep packet inspection (DPI) to recognize P2P protocols such as BitTorrent, eDonkey, and Gnutella even when they run on non-standard ports; obfuscated or encrypted P2P traffic is identified where the signature database carries a behavioural signature for it, which is why current signatures matter.

Exam trap

The trap here is that candidates often confuse Application Control with IPS, assuming that IPS can block any unwanted traffic, but IPS focuses on threats and exploits, not on enforcing acceptable use policies for specific applications like P2P file sharing.

How to eliminate wrong answers

Option B (Web Filter) is wrong because it controls access to URLs and web content categories, not the application-layer protocols used by P2P file-sharing software. Option C (DNS Filter) is wrong because it blocks or redirects DNS queries to specific domains, but P2P applications often use hardcoded IP addresses or peer discovery mechanisms that bypass DNS entirely. Option D (Intrusion Prevention System) is wrong because IPS is designed to detect and block network-based attacks and vulnerabilities, not to enforce application usage policies like blocking P2P file sharing.

63
MCQhard

During a security audit, an administrator finds that an IPS sensor configured with a 'block' action for a critical vulnerability signature is not blocking the associated traffic. The traffic matches the signature, but the action appears as 'pass' in the logs. The IPS sensor is applied to a firewall policy that also has application control enabled. What is the most likely cause?

A.Application control profile is set to 'allow' for the application associated with the traffic, overriding the IPS block action.
B.The IPS engine is bypassed because the traffic matches a fast-path rule.
C.The IPS sensor is not enabled in the firewall policy.
D.The IPS sensor is configured with 'monitor' action instead of 'block'.
AnswerA

If the application control verdict for the matched application is 'allow', that verdict is what ends up in the log and the IPS block is not enforced.

Why this answer

When an IPS sensor with a 'block' action logs 'pass' for matching traffic, it indicates that another security profile is overriding the IPS action. In FortiOS, if an application control profile is set to 'allow' for the application, it can bypass the IPS block because application control processing occurs before IPS inspection. The traffic is permitted by the application control profile, so the IPS engine does not enforce the block action, resulting in a 'pass' log entry.

Exam trap

The trap here is that candidates assume IPS block actions are absolute and independent of other security profiles, but FortiOS applies profiles in a strict sequence where application control can override IPS actions, causing the 'pass' log entry even when the signature matches.

How to eliminate wrong answers

Option B is wrong because fast-path rules are used for traffic that matches session helpers or specific protocols to accelerate processing, but they do not cause IPS to log 'pass' when a block action is configured; fast-path bypasses inspection entirely, not just the block action. Option C is wrong because if the IPS sensor were not enabled in the firewall policy, the traffic would not be inspected by IPS at all, and the log would not show an IPS action of 'pass'—it would simply not appear in IPS logs. Option D is wrong because if the IPS sensor were configured with 'monitor' action, the logs would show 'monitor' or 'detect', not 'pass'; 'pass' specifically indicates the traffic was allowed through, not that the action was changed to monitoring.

64
MCQmedium

A FortiGate is configured to use a DNS filter profile to block access to malicious domains. However, users can still reach a known malicious domain. The DNS filter profile is applied to the firewall policy. Which step should the admin take FIRST to troubleshoot?

A.Enable DNS inspection logging to see if the domain is being flagged
B.Check if the FortiGuard DNS filter database is up to date
C.Verify that the domain is in the FortiGuard DNS category list
D.Check if DNS traffic is matching the correct firewall policy
AnswerD

If DNS traffic is going through a different policy without the DNS filter, it won't be filtered.

Why this answer

Option D is correct. The admin should verify that DNS traffic (port 53) is matching the firewall policy with the DNS filter applied. If DNS queries bypass the policy (e.g., they are allowed by a different policy), the DNS filter will not be applied.

65
MCQmedium

A FortiGate is configured to integrate with FortiSandbox for advanced threat detection. The antivirus profile is set to send files to FortiSandbox when a virus is detected. What action does FortiGate take on the file while it is being analyzed by FortiSandbox?

A.Quarantines the file on the FortiGate
B.Blocks the file until a verdict is received from FortiSandbox
C.Immediately blocks the file and logs the event
D.Allows the file to pass through and logs the event
AnswerB

When using FortiSandbox integration, the administrator can configure the action to 'block' while the file is being analyzed.

Why this answer

Option D is correct. While FortiSandbox analyzes a file, the default action is to 'monitor' or 'allow' the file to pass through temporarily, but the FortiGate can also be configured to block the file until verdict. Typically, the configuration includes 'quarantine' or 'block' options.

The most common behavior is to allow the file with monitoring, but many administrators block. The question is ambiguous; however, based on standard FortiGate behavior, the action is usually 'monitor' unless specified. But the answer should be 'block until verdict' if configured.

Given the options, D is the most accurate.

66
Multi-Selecthard

An administrator receives reports that some internal users can access Facebook despite a web filtering profile that blocks the 'Social Networking' category. The policy is configured with deep inspection. Which THREE checks should the administrator perform to troubleshoot this issue?

Select 4 answers
A.Check if the users are using HTTPS and if the SSL inspection profile has an exemption for Facebook
B.Ensure that the antivirus profile is enabled on the policy
C.Check if the users are accessing Facebook via an SSL VPN tunnel that bypasses the policy
D.Verify that the web filtering profile is applied to the correct policy and that the policy order is correct
E.Confirm that the 'Social Networking' category is not set to 'Monitor' instead of 'Block'
AnswersA, C, D, E

If Facebook is exempted from deep inspection, the web filtering may not see the HTTP content.

Why this answer

The issue could be due to policy order, category not being blocked for that specific user, or SSL inspection exemptions.

67
MCQmedium

A FortiGate with antivirus in flow-based inspection mode is not detecting a known virus in HTTP traffic. The same virus is detected when using proxy-based inspection. What is the most likely reason?

A.Flow-based inspection does not reassemble files or unpack archives, so it misses some viruses
B.Flow-based inspection requires FortiSandbox integration to detect viruses
C.The antivirus signature database is outdated for flow-based inspection
D.Flow-based inspection only scans on explicit proxy policies
AnswerA

Proxy-based reassembles and unpacks, providing deeper inspection.

Why this answer

Option A is correct: flow-based inspection uses fewer resources and may not perform the full file reassembly or archive unpacking that proxy-based inspection does, allowing some viruses to evade detection.

68
MCQeasy

A company wants to block all HTTP traffic but allow HTTPS. Which SSL inspection method should be used on the firewall policy?

A.No inspection
B.Deep inspection
C.Full SSL inspection
D.Certificate inspection
AnswerA

No inspection allows HTTPS to pass through without decryption.

Why this answer

To block HTTP (port 80) while allowing HTTPS (port 443), no SSL inspection is needed because the firewall can distinguish traffic by port number alone. SSL inspection is only required when you need to examine the encrypted payload of HTTPS traffic, not to permit or deny it based on the protocol. Therefore, 'No inspection' is correct for this access control requirement.

Exam trap

The trap here is that candidates assume HTTPS traffic must be inspected to be allowed, but the firewall can permit or deny based on the destination port without any SSL inspection at all.

How to eliminate wrong answers

Option B (Deep inspection) is wrong because deep inspection decrypts HTTPS traffic to inspect the payload, which is unnecessary and adds overhead when the goal is simply to allow HTTPS and block HTTP based on port. Option C (Full SSL inspection) is wrong because it also involves decrypting all SSL/TLS traffic, which is not required for port-based allow/deny decisions. Option D (Certificate inspection) is wrong because certificate inspection only validates the server certificate without decrypting the traffic, but it is still an SSL inspection method that is not needed for simple port-based filtering.

69
MCQhard

A FortiGate administrator runs 'diagnose ips anomaly list' and it returns no entries, even though the IPS sensor is configured with anomaly signatures. What is the MOST likely reason the signatures are not appearing?

A.The IPS sensor is configured in 'passive' mode, which suppresses anomaly detection.
B.The anomaly signatures have not triggered any events yet because traffic thresholds have not been exceeded.
C.Anomaly signatures are not displayed by 'diagnose ips anomaly list'; they require a different command.
D.The IPS sensor is not enabled on any firewall policy.
AnswerB

Anomaly detection is rate-based; signatures only appear when the configured threshold is exceeded. If no traffic has triggered them, the list will be empty.

Why this answer

Option B is correct. Anomaly signatures are dynamic; they only appear in the anomaly list when traffic triggers them. Empty output means no thresholds have been exceeded.

70
Multi-Selecthard

A FortiGate administrator notices that some users can bypass the web filter to access prohibited categories. The web filter profile is applied to the firewall policy. Which TWO actions should the admin take to determine why the filter is being bypassed? (Choose two.)

Select 2 answers
A.Ensure that the FortiGate has connectivity to FortiGuard
B.Check if the firewall policy that the traffic matches has the web filter profile applied
C.Verify that the DNS filter is also applied to the same policy
D.Check if SSL deep inspection is enabled on the policy
E.Examine the client's browser proxy settings
AnswersB, D

If the policy does not have the profile, it will not be filtered.

Why this answer

Options B and D are correct. Verifying that the web filter profile is applied to the policy the traffic actually matches is fundamental. Checking whether HTTPS traffic is being inspected is critical because without SSL deep inspection the web filter cannot see the hostnames in encrypted traffic.

Options A and C are not directly relevant; option E concerns the client side, not the cause.

71
MCQmedium

A network administrator wants to allow employees to access a specific web application but block all other application traffic. The administrator creates a firewall policy with an application control profile that allows the desired application. However, employees can still access other applications. What is the MOST likely reason?

A.The application control profile is applied to the wrong firewall policy
B.The firewall policy has SSL inspection disabled
C.The application signatures are outdated
D.The application control profile is set to 'Monitor All' rather than 'Block All'
AnswerD

Why this answer

If the application control profile is set to 'Monitor All', it will only log but not block unlisted applications. To block all except allowed, the profile should be set to 'Block All' with exceptions for allowed applications.

72
MCQmedium

A company is deploying FortiGate for outbound web filtering. They want to block users from accessing social media sites during business hours, but still allow access to cloud-based productivity tools like Office 365. Which approach should the administrator use to meet this requirement?

A.Create a firewall policy to block all traffic to ports commonly used by social media (e.g., TCP 443).
B.Use a web filter profile to block URLs containing 'facebook' or 'twitter'.
C.Configure an application control profile with rules to block social media applications and allow Office 365 applications.
D.Implement a DNS filter to block DNS queries for social media domains.
AnswerC

Application control profiles can precisely allow or block applications regardless of port/protocol, meeting the requirement exactly.

Why this answer

Application control is the correct approach because it can identify and control applications like social media and Office 365 based on their unique signatures, regardless of the ports or protocols they use. Unlike URL filtering or port blocking, application control can differentiate between Office 365 traffic and social media traffic even when both use HTTPS on TCP 443, allowing the administrator to block social media while permitting cloud productivity tools.

Exam trap

The trap here is that candidates often assume URL filtering or port blocking is sufficient, but the NSE4 exam tests the understanding that application control is required when applications share the same port (e.g., TCP 443) and need to be differentiated based on their behavior, not just their domain or port.

How to eliminate wrong answers

Option A is wrong because blocking TCP 443 would block all HTTPS traffic, including Office 365 and other legitimate web services, not just social media. Option B is wrong because URL filtering based on keywords like 'facebook' or 'twitter' is unreliable—social media sites often use dynamic URLs, CDNs, or IP addresses that do not contain those keywords, and users can bypass it via direct IP access or HTTPS encryption. Option D is wrong because DNS filtering only blocks domain resolution; users could still access social media by using direct IP addresses, cached DNS entries, or alternative DNS servers, making it an incomplete solution.

73
MCQeasy

Which web filtering feature allows an administrator to force web search engines to filter explicit content in search results, regardless of the user's browser settings?

A.DNS filter
B.URL filter
C.Application control
D.Safe search
AnswerD

Safe search enforces filtering at the search engine level.

Why this answer

Option D is correct. Safe search is a web filtering feature that redirects search engine queries to use safe search mode, blocking explicit content. It can be enforced through FortiGate.

74
MCQeasy

Which SSL/TLS inspection mode only validates the server certificate without decrypting the traffic?

A.Deep inspection
B.Flow-based inspection
C.Certificate inspection
D.Proxy-based inspection
AnswerC

Certificate inspection validates the certificate without decryption.

Why this answer

Certificate inspection checks the certificate chain but does not decrypt the content.

75
MCQeasy

Which security profile type is used to prevent sensitive data such as credit card numbers from being sent out of the network via email or web traffic?

A.Email filter profile
B.Antivirus profile
C.Web filter profile
D.DLP profile
AnswerD

DLP profiles specifically prevent data leakage.

Why this answer

Option D is correct. Data Leak Prevention (DLP) profiles are designed to detect and block transmission of sensitive data based on patterns or predefined data types.
