CCNA Security Profiles Questions

75 of 232 questions · Page 3/4 · Security Profiles

151
MCQ · easy

An administrator wants to apply a safe search policy to enforce strict search results on Google, Bing, and Yahoo. Which security profile feature should be used?

A. Web filter safe search enforcement
B. Application control to block search engines
C. DNS filter to block search engine domains
D. Web filter URL filter with keyword blocking
Answer: A

Safe search is a built-in web filter feature that forces search engines to use strict filtering.

Why this answer

Web filter safe search enforcement is the correct feature because it directly integrates with search engines (Google, Bing, Yahoo) to force the use of their built-in safe search parameters (e.g., Google's 'safe=active' parameter appended to URLs). This ensures that explicit content is filtered at the source, regardless of the user's browser settings or search engine choice.

Exam trap

The trap here is that candidates may confuse 'blocking search engines' (application control or DNS filter) with 'enforcing safe search within search engines' (web filter safe search enforcement), leading them to select an option that prevents access rather than controlling content.

How to eliminate wrong answers

Option B is wrong because application control blocks or allows applications (e.g., blocking all search engine traffic), but it cannot enforce safe search parameters within allowed search engines. Option C is wrong because a DNS filter blocks entire domains (e.g., blocking google.com), which would prevent access to search engines entirely, not enforce safe search. Option D is wrong because a URL filter with keyword blocking can block specific URLs or keywords in the URL, but it cannot dynamically inject safe search parameters into search engine queries, which is required for strict safe search enforcement.

152
Multi-Select · medium

An administrator wants to configure a DNS filter to block access to known malicious domains and also enforce safe search on search engines. Which THREE settings are required in the DNS filter profile? (Choose three.)

Select 3 answers
A. Add entries to the static domain blocklist
B. Select 'Redirect to safe search' for search engines
C. Configure a DNS sinkhole IP address
D. Specify external DNS servers for resolution
E. Enable DNS filtering based on FortiGuard categories
Answers: A, B, E

Custom blocklist allows blocking specific domains not in FortiGuard categories.

Why this answer

Options A, B, and E are correct. The DNS filter must have FortiGuard category-based DNS filtering enabled to block known malicious domains (E). 'Redirect to safe search' enforces safe search on search engines (B). A static domain blocklist blocks additional domains that are not covered by FortiGuard categories (A).

Option C is wrong because a DNS sinkhole IP address is optional. Option D is wrong because specifying external DNS servers is not part of the DNS filter profile.

153
MCQ · medium

An administrator runs the CLI command 'diagnose sys session list | grep -A 5 10.1.1.100' and finds a session showing 'proto=6 proto_state=01 duration=3600 expire=3599'. What does this indicate about the session?

A. The session is about to expire
B. The session has been active for approximately 1 second
C. The session has been active for 3600 seconds
D. The session is using UDP protocol
Answer: B

Duration minus expire gives the session's actual age, which here is 1 second.

Why this answer

The duration is 3600 seconds and expire is 3599 seconds, meaning the session has been active for only about 1 second out of a 3600-second lifetime. The session is new.

154
MCQ · hard

An administrator runs 'diagnose ips anomaly list' and sees the following output:

List of anomaly events:
ID: 1, Type: tcp_syn_flood, Status: triggered, Count: 1500, Threshold: 1000

What does this indicate?

A. The IPS anomaly sensor is configured to block all TCP traffic.
B. The FortiGate has detected a single TCP SYN packet and is logging it.
C. The FortiGate is experiencing a TCP SYN flood attack and has triggered rate-based detection.
D. The FortiGate is performing a TCP SYN flood attack.
Answer: C

The output shows an anomaly event of type tcp_syn_flood that has been triggered, indicating the number of SYN packets exceeded the threshold.

155
MCQ · medium

Which of the following best describes the difference between flow-based and proxy-based inspection for antivirus scanning?

A. Flow-based inspection reassembles the entire file before scanning, while proxy-based scans packets on the fly
B. Flow-based inspection scans the first packet and allows it, while proxy-based buffers the entire session
C. Flow-based inspection requires SSL deep inspection, while proxy-based does not
D. Flow-based inspection uses pattern matching and anomaly detection with low latency, while proxy-based provides full content reassembly and higher detection rates
Answer: D

Why this answer

Flow-based inspection is faster using pattern matching and anomaly detection, while proxy-based provides full content reassembly and can detect more sophisticated threats. Both can use SSL inspection.

156
MCQ · easy

A network administrator wants to prevent users from accessing known malicious websites using FortiGate. Which security profile should be applied to the firewall policy to achieve this goal?

A. Antivirus profile
B. Application control profile
C. IPS profile
D. Web filtering profile
Answer: D

Web filtering profiles are specifically designed to control web access using FortiGuard categories, URL filters, and DNS filters.

Why this answer

Web filtering profiles allow administrators to control access to websites based on FortiGuard categories, URL filtering, and DNS filtering.

157
MCQ · medium

An administrator wants to block upload of files containing credit card numbers via web forms. Which security profile should be used?

A. Antivirus profile
B. Web filter profile
C. Application control profile
D. Data leak prevention (DLP) profile
Answer: D

DLP is designed to detect and prevent data loss.

Why this answer

Option D is correct: a DLP (Data Leak Prevention) profile can inspect content for sensitive data patterns such as credit card numbers and block the upload.

158
MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. The FortiGuard antivirus subscription has expired
B. The web server's certificate is self-signed and FortiGate is rejecting the connection
C. SSL/TLS deep inspection is not enabled on the firewall policy
D. The antivirus profile is configured for flow-based inspection instead of proxy-based
Answer: C

HTTPS traffic is encrypted. FortiGate cannot inspect the payload unless SSL deep inspection decrypts the TLS session, so the antivirus profile only takes effect when deep inspection is enabled on the policy.

Why this answer

Option C is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic that deep inspection has decrypted first.

159
MCQ · easy

When configuring SSL inspection, which type of inspection decrypts and inspects all HTTPS traffic including applications using non-standard ports?

A. SSL Offloading
B. Certificate Inspection
C. Full SSL Inspection (Deep Inspection)
D. Flow-based Inspection
Answer: C

Deep inspection decrypts and inspects all traffic.

Why this answer

Full SSL Inspection (Deep Inspection) is the correct answer because it performs a man-in-the-middle decryption and re-encryption of all HTTPS traffic, regardless of the port used. This allows the FortiGate to inspect the payload of encrypted sessions, including those on non-standard ports, for threats and policy violations.

Exam trap

The trap here is confusing the processing mode (Flow-based vs. Proxy-based) with the actual SSL inspection method, leading candidates to incorrectly select Flow-based Inspection as a type of SSL decryption.

How to eliminate wrong answers

Option A is wrong because SSL Offloading only decrypts traffic destined to a protected server to reduce server load, not to inspect all HTTPS traffic including non-standard ports. Option B is wrong because Certificate Inspection only checks the SSL certificate validity and does not decrypt the traffic payload, so it cannot inspect the content of HTTPS sessions. Option D is wrong because Flow-based Inspection is a processing mode (flow vs. proxy) that can be used with SSL inspection, but it is not a type of SSL inspection itself.

160
MCQ · medium

A FortiGate administrator wants to block outgoing DNS requests to known malware domains. Which security profile should be used?

A. Application control
B. Web filter
C. IPS
D. DNS filter
Answer: D

DNS filter can block DNS queries to malicious domains based on FortiGuard or custom categories.

Why this answer

DNS Filter is the correct security profile because it is specifically designed to inspect and block DNS queries based on domain names, IP addresses, or categories. By configuring a DNS filter policy with a custom list of known malware domains, the FortiGate can intercept outgoing DNS requests and drop those matching the malicious entries, preventing the resolution of malware domains.

Exam trap

The trap here is that candidates often confuse DNS Filter with Web Filter, assuming that blocking malicious domains is a web filtering function, but DNS Filter operates at the DNS protocol level and is the correct profile for blocking DNS requests to specific domains.

How to eliminate wrong answers

Option A is wrong because Application Control identifies and controls application traffic (e.g., Skype, BitTorrent) based on signatures, not DNS queries to specific domains. Option B is wrong because Web Filter inspects HTTP/HTTPS traffic to block URLs or categories, but it does not inspect DNS requests themselves. Option C is wrong because IPS (Intrusion Prevention System) detects and blocks network-level attacks and exploits using signatures, not DNS queries to specific domain names.

161
MCQ · easy

What is the primary function of protocol decoders in the FortiGate IPS engine?

A. They block malicious IP addresses based on reputation.
B. They normalize traffic for specific protocols to enable signature matching.
C. They rate-limit traffic to prevent DoS attacks.
D. They decrypt SSL/TLS traffic for inspection.
Answer: B

Protocol decoders parse and normalize protocol traffic (e.g., HTTP, SMTP) so IPS signatures can match effectively.

Why this answer

Option B is correct. Protocol decoders normalize traffic so that IPS signatures can detect attacks within the protocol context.

162
MCQ · easy

What is the primary purpose of FortiSandbox integration with FortiGate antivirus?

A. To replace the local antivirus scanning engine
B. To perform SSL deep inspection
C. To cache antivirus signatures locally
D. To detect zero-day malware by analyzing file behavior in a sandbox environment
Answer: D

FortiSandbox submits suspicious files for behavioral analysis, catching unknown threats.

Why this answer

Option D is correct. FortiSandbox provides advanced threat detection by executing files in a controlled environment and observing their behavior.

163
MCQ · hard

A FortiGate administrator receives reports that users cannot access a legitimate website that uses HTTPS. The web filtering profile is configured with strict FortiGuard categories and 'monitor all' for unknown sites. The firewall policy has an SSL/SSH inspection profile set to 'deep-inspection'. What is the most likely cause of the issue?

A. The website uses a self-signed certificate which is not trusted by the FortiGate CA bundle
B. The antivirus profile is blocking a file on the website
C. The DNS filter is blocking the domain
D. The website's FortiGuard category is set to 'block'
Answer: A

Deep inspection requires the FortiGate to trust the server certificate. A self-signed or untrusted CA certificate will cause the connection to fail.

Why this answer

When deep inspection is enabled, the FortiGate decrypts and re-encrypts traffic. If the website's certificate is not trusted by the FortiGate (e.g., self-signed or issuer not in CA bundle), the connection may fail.

164
Drag & Drop · medium

Drag and drop the steps to configure a VLAN interface on FortiGate into the correct order.

Why this order

VLAN interfaces require a physical parent, VLAN ID, IP address, and optional administrative access.

165
MCQ · hard

A FortiGate is configured with SSL deep inspection using a self-signed CA certificate. Users report that they see a certificate warning in their browser when accessing HTTPS sites. The admin wants to eliminate these warnings. What should the admin do?

A. Install the FortiGate's CA certificate on each client device's trusted root certificate store
B. Disable SSL deep inspection and rely on flow-based antivirus
C. Change the SSL inspection mode to certificate inspection only
D. Configure an SSL certificate exemption for all HTTPS traffic
Answer: A

Installing the CA certificate makes the clients trust the certificates issued by FortiGate, eliminating warnings.

Why this answer

The certificate warning appears because the client does not trust the self-signed CA used by FortiGate. To eliminate warnings, the FortiGate's CA certificate must be installed in the trusted root store of each client device.

166
Multi-Select · hard

A FortiGate administrator is troubleshooting an issue where users cannot access an internal HTTPS server (10.10.10.10:443) after enabling SSL deep inspection. The administrator sees that the server's certificate is self-signed. Which TWO actions should the administrator take to allow access while maintaining inspection?

Select 2 answers
A. Disable deep inspection on the policy
B. Change the policy action to DENY
C. Disable certificate validation in the SSL/SSH profile
D. Import the server's self-signed certificate into FortiGate's trusted CA list
E. Add the server's IP address to the SSL/SSH profile's exemption list
Answers: D, E

If FortiGate trusts the server's CA (or the certificate itself), it can establish the inspection without certificate errors.

Why this answer

To allow inspection of a server with a self-signed certificate, you need to either add the server to the exemption list in the SSL/SSH profile (so it is not inspected) or import the server's CA certificate and add it as a trusted CA so that deep inspection can validate the certificate.

167
MCQ · hard

Refer to the exhibit. A FortiGate SSL VPN user is unable to connect. The debug output shows the above error. What is the most likely cause?

A. The SSL VPN certificate has expired.
B. The CA that issued the SSL VPN certificate is not trusted by the client.
C. The user's password is incorrect.
D. The firewall policy is blocking the SSL VPN port.
Answer: B

An 'unknown CA' error indicates a trust issue.

Why this answer

The debug output indicates an SSL/TLS handshake failure, specifically that the client does not trust the server's certificate. This occurs when the Certificate Authority (CA) that issued the SSL VPN certificate is not in the client's trusted root store. Option B correctly identifies this as the most likely cause because the error is a certificate trust issue, not an expiration or authentication problem.

Exam trap

The trap here is that candidates confuse certificate trust issues (CA not trusted) with certificate expiration, but the debug output clearly shows a trust chain failure, not a validity date error.

How to eliminate wrong answers

Option A is wrong because a certificate expiration error would typically produce a different debug message (e.g., 'certificate has expired') and would be logged as a validity period failure, not a trust chain issue. Option C is wrong because an incorrect password would result in an authentication failure at the login stage, not an SSL/TLS handshake error during the initial connection setup. Option D is wrong because a firewall policy blocking the SSL VPN port would prevent any TCP connection from being established, resulting in a timeout or 'connection refused' error, not an SSL handshake failure with certificate trust messages.

168
MCQ · hard

An administrator configures an application control profile to block 'Facebook' and 'Twitter' using application signatures. Users can still access Facebook via HTTPS. The firewall policy has application control enabled and SSL deep inspection is not configured. Why is Facebook not blocked?

A. The application signature for Facebook is not updated
B. The application control profile is configured in monitor-only mode
C. HTTPS traffic is encrypted and cannot be inspected without SSL deep inspection
D. Facebook uses a non-standard port that application control does not monitor
Answer: C

Application signatures rely on the payload; encryption hides it.

Why this answer

Option C is correct: without SSL deep inspection, FortiGate cannot see the encrypted application payload, so it cannot match application signatures for HTTPS traffic. Application control requires decryption to identify encrypted applications.

169
MCQ · hard

An administrator runs the command shown in the exhibit and sees anomalies detected from 10.1.1.100 to 10.2.2.200. The IPS sensor's anomaly settings are configured with the default actions. What will be the default action for the ICMP Flood anomaly?

A. Monitor
B. Block
C. Pass
D. Quarantine
Answer: B

Default action for flood anomalies is to block the source.

Why this answer

The correct answer is B because, by default, FortiGate IPS sensors set the action for ICMP Flood anomalies to 'Block'. This default action is defined in the IPS sensor configuration and is applied when the anomaly threshold is exceeded, as indicated by the detected anomalies from 10.1.1.100 to 10.2.2.200.

Exam trap

The trap here is that candidates often confuse the default action for anomaly-based IPS signatures with the default action for signature-based IPS rules, where 'Monitor' is the default, leading them to incorrectly select 'Monitor' for flood anomalies.

How to eliminate wrong answers

Option A is wrong because 'Monitor' is not the default action for ICMP Flood anomalies; it is a user-configurable action that logs the event without blocking traffic. Option C is wrong because 'Pass' would allow the traffic to bypass inspection, which is not the default behavior for detected anomalies. Option D is wrong because 'Quarantine' is an action typically used for compromised hosts in other security contexts, not the default action for ICMP Flood anomalies in an IPS sensor.

170
MCQ · easy

A FortiGate administrator wants to block access to gambling websites using web filtering. Which FortiGuard category should be blocked?

A. Spam
B. Malware
C. Gambling
D. Pornography
Answer: C

The FortiGuard web filtering category for gambling is named 'Gambling'.

Why this answer

FortiGuard categorizes websites into many categories. Gambling is a specific category, and blocking it prevents access to those sites.

171
MCQ · hard

An administrator integrates FortiGate with FortiSandbox for advanced threat detection. The FortiGate is configured to send files to FortiSandbox for analysis. Despite correct configuration, files are not being submitted. The administrator runs 'diagnose debug application fortisandbox -1' and sees 'no server configured'. What is the issue?

A. The FortiSandbox license has expired
B. Firewall policies are blocking communication to the FortiSandbox server
C. The FortiSandbox server IP address is not configured on the FortiGate
D. The antivirus profile is not configured to submit files to FortiSandbox
Answer: C

The debug message clearly states 'no server configured', meaning the FortiSandbox server definition is missing.

Why this answer

The debug output indicates that the FortiSandbox server is not configured. Even if the integration settings are present, the FortiGate must have the FortiSandbox server IP and credentials properly configured under Security Fabric > FortiSandbox.

172
MCQ · medium

A FortiGate administrator wants to ensure that all DNS queries to known malware domains are blocked. The firewall policy allows DNS traffic. Which security profile must be applied?

A. Web filter profile
B. DNS filter profile
C. Antivirus profile
D. Application control profile
Answer: B

A DNS filter blocks malicious domains at the DNS level.

Why this answer

Option B is correct: DNS filter is specifically designed to inspect DNS queries and block based on FortiGuard categories or custom lists.

173
Multi-Select · medium

A network administrator wants to ensure that all users are blocked from accessing websites categorized as 'Pornography' and 'Hacking' on a FortiGate. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A. Create a URL filter to block all URLs containing 'pornography' and 'hacking'
B. Enable DNS filter and block the categories there
C. Apply the web filter profile to the firewall policy that governs outbound internet traffic
D. Enable SSL deep inspection to ensure the categories can be identified
E. Create a web filter profile and set the categories 'Pornography' and 'Hacking' to 'block'
Answers: C, E

The profile must be applied to the relevant policy to take effect.

Why this answer

To block categories, the administrator must configure a web filter profile that blocks the desired categories and apply that profile to the firewall policy handling internet traffic.

174
MCQ · medium

A FortiGate administrator needs to ensure that all outbound DNS queries from internal clients are inspected for malicious domains. The administrator has a DNS filter profile configured. What additional configuration is required on the firewall policy to make the DNS filter effective?

A. Enable SSL deep inspection on the policy
B. Configure FortiGuard DNS filtering service on the FortiGate
C. Set the inspection mode to proxy-based
D. Apply the DNS filter profile to a firewall policy that matches DNS traffic (UDP/TCP port 53)
Answer: D

The DNS filter profile must be attached to a policy that handles DNS traffic; otherwise it is not applied.

Why this answer

Option D is correct. The DNS filter profile must be applied to a firewall policy that matches DNS traffic; without that, the DNS traffic is not inspected.

175
MCQ · easy

Which IPS detection method analyzes traffic patterns over time to identify attacks that are characterized by a threshold of events?

A. Protocol decoder-based detection
B. Rate-based detection
C. Signature-based detection
D. Anomaly-based detection
Answer: B

Rate-based detection uses thresholds to detect events like port scans or DoS attacks.

Why this answer

Rate-based detection monitors the rate of events (e.g., connections per second) and triggers when a threshold is exceeded. Anomaly detection looks for deviations from a baseline, not specifically thresholds.

176
MCQ · hard

An admin has configured an application control profile to block 'Facebook' and 'Twitter' using application signatures. Users can still access these sites via HTTPS. The firewall policy has SSL deep inspection enabled and the application control profile is applied. What is the MOST likely cause?

A. The application control profile does not have deep inspection enabled for HTTPS traffic
B. Users are accessing the sites via IP address instead of domain name
C. The firewall policy is using a proxy policy instead of an explicit policy
D. The application signatures for Facebook and Twitter are outdated
Answer: A

Application control requires SSL deep inspection to identify applications in encrypted traffic. If the profile's 'Other Applications' or specific application signatures are not set to block, it may not work.

Why this answer

Option A is correct. Application control signatures for web-based applications often rely on the HTTP Host header or SNI. Without deep inspection, the FortiGate cannot see the hostname in encrypted HTTPS traffic, so it cannot identify the application.

Even with SSL deep inspection enabled, the profile must be configured to inspect HTTPS traffic; if the application control profile's 'Other Applications' category is not set to block, it might pass.

177
MCQ · medium

An administrator wants to prevent employees from uploading sensitive credit card numbers via web forms. Which security profile feature is MOST appropriate to achieve this?

A. Antivirus with FortiSandbox integration
B. Data Leak Prevention (DLP) with a credit card number sensor
C. Web Filter to block all upload sites
D. Application Control to block web forms
Answer: B

Why this answer

DLP can inspect traffic content for patterns like credit card numbers and block or log the transmission. Antivirus handles malware, application control identifies apps, and web filter blocks URLs.

178
MCQ · easy

An administrator needs to ensure that IPS signatures are updated automatically on the FortiGate. Which configuration should be verified?

A. The IPS engine is upgraded to the latest version.
B. The intrusion prevention profile is applied to the firewall policy.
C. The application control profile is set to 'monitor' for all applications.
D. The FortiGuard service is enabled and the signature update schedule is configured.
Answer: D

Automatic updates require the FortiGuard service to be enabled and an update schedule to be set.

Why this answer

Option D is correct because automatic IPS signature updates require the FortiGuard service to be enabled and a signature update schedule to be configured. Without a schedule, updates occur only manually; without the service enabled, the FortiGate cannot connect to FortiGuard distribution servers to retrieve new signatures.

Exam trap

The trap here is confusing IPS signature updates with IPS engine updates or profile application, leading candidates to select options that affect detection or inspection rather than the update mechanism itself.

How to eliminate wrong answers

Option A is wrong because upgrading the IPS engine version improves detection capabilities but does not enable automatic signature updates; signature updates and engine updates are separate processes. Option B is wrong because applying an intrusion prevention profile to a firewall policy enables IPS inspection on traffic but does not control how signatures are updated. Option C is wrong because setting the application control profile to 'monitor' for all applications configures application visibility, not IPS signature updates.

179
Multi-Select · hard

An administrator is configuring an IPS profile on FortiGate to detect and block SQL injection attacks. The profile must be applied to inbound traffic to a web server. Which TWO settings should the administrator enable to achieve this goal? (Choose two.)

Select 2 answers
A. Add the 'SQL.Injection' signature to the IPS sensor and set action to 'block'.
B. Create a DoS policy to limit the number of connections per second.
C. Enable the HTTP protocol decoder in the application control profile.
D. Configure the IPS sensor to bypass traffic from trusted IP addresses.
E. Enable the IPS sensor in the firewall policy.
Answers: A, E

The specific signature for SQL injection must be included and configured to block.

Why this answer

Option A is correct because SQL injection attacks are identified by specific IPS signatures, and adding 'SQL.Injection' to an IPS sensor with the action set to 'block' directly instructs FortiGate to detect and block those attacks. Option E is correct because an IPS sensor must be enabled within a firewall policy to apply its inspection to the traffic passing through that policy, ensuring the profile is active on inbound traffic to the web server.

Exam trap

The trap here is that candidates often confuse DoS policies (rate limiting) with IPS (signature-based detection), or mistakenly think application control profiles handle IPS signatures, when in fact IPS sensors are separate and must be explicitly enabled in a firewall policy.

180
Multi-Select · medium

Which TWO web filtering features can be used to block access to malicious websites? (Choose two.)

Select 2 answers
A. Static URL filtering
B. Application control
C. FortiGuard category-based filtering
D. Web rating override
E. DNS filter
Answers: C, D

Category-based filtering blocks categories like 'Malicious'.

Why this answer

FortiGuard category-based filtering (C) is correct because it leverages FortiGuard's cloud-based web rating database to categorize URLs and block access to known malicious sites, such as those hosting malware or phishing. Web rating override (D) is correct because it allows administrators to manually override the FortiGuard rating for specific URLs, enabling them to block a site that may not yet be categorized as malicious by FortiGuard. Both features directly control access to malicious websites based on URL reputation.

Exam trap

The trap here is that candidates often confuse DNS filter with web filtering, but DNS filter is a separate security feature (under DNS Filter profile) and is not considered a web filtering feature in the NSE4 exam; the question explicitly asks for 'web filtering features' as defined in the FortiGate Web Filter profile.

181
Multi-Select · hard

Which THREE of the following are valid methods to exclude certain HTTPS traffic from SSL inspection on a FortiGate?

Select 3 answers
A. Adding the domain to the 'SSL Exempt Domains' list in the SSL/SSH inspection profile.
B. Setting the firewall policy action to 'accept' with no inspection.
C. Using a certificate category exemption (e.g., exempting 'Fortinet Trusted Certificate').
D. Using a web filter category exemption.
E. Adding the destination IP address to the 'SSL Exempt IPs' list in the SSL/SSH inspection profile.
Answers: A, C, E

Domain-based exemption is a supported method.

Why this answer

Option A is correct because the 'SSL Exempt Domains' list in the SSL/SSH inspection profile allows you to specify domain names (e.g., *.example.com) that will bypass SSL inspection entirely. When FortiGate matches the SNI field in the ClientHello or the certificate CN/SAN against this list, it skips decryption and passes the traffic through without inspection, reducing overhead for trusted or non-critical domains.

Exam trap

The trap here is that candidates often confuse web filter category exemptions with SSL inspection exemptions, but web filter exemptions only affect URL filtering decisions, not the decryption process itself.

182
MCQ · medium

A network administrator notices that users can access websites categorized as 'Pornography' despite a web filter profile blocking that category. The firewall policy uses the web filter profile and is applied to the users' traffic. What is the MOST likely cause?

A. The FortiGate cannot reach the FortiGuard servers
B. The web filter profile is applied to the wrong policy
C. The users are bypassing the FortiGate using a proxy
D. The web filter profile has the 'Override' feature enabled
Answer: A

Without FortiGuard connectivity, web filtering fails open, allowing all categories. This is a common issue.

Why this answer

Option A is correct because if the FortiGate cannot reach the FortiGuard servers, web filtering fails open by default, allowing all web traffic. The administrator should verify FortiGuard connectivity.

183
MCQ · hard

A large enterprise uses a FortiGate 600E in NAT mode to protect its internal network. The security team has implemented an Application Control profile that categorizes applications and allows only 'Business' and 'General-Interest' categories. They have also applied an IPS sensor with default settings and enabled SSL inspection for outbound traffic. Recently, the helpdesk has received reports that some users cannot access a critical cloud-based CRM application, while others can. The CRM uses HTTPS on port 443. The Application Control profile is applied to the firewall policy for outbound traffic. The IPS sensor is also applied. The FortiGate is not configured for load balancing. Which of the following is the most likely cause of the issue?

A.The IPS sensor is detecting and blocking the CRM traffic as an attack.
B.The CRM application is not categorized in the Application Control database.
C.The FortiGate is performing load balancing and some users are directed to a different path.
D.SSL inspection is blocking the CRM traffic due to certificate validation failure.
AnswerB

If uncategorized, it may be blocked by default; some users might be using different IPs that match a different policy.

Why this answer

The correct answer is B because the Application Control profile is configured to allow only 'Business' and 'General-Interest' categories. If the CRM application is not categorized in FortiGuard's Application Control database, or if it falls under a different category (e.g., 'Uncategorized' or 'Unknown'), the FortiGate will block the traffic by default. This explains why some users can access the CRM (if they are using a different path or the application is categorized differently) while others cannot, as the FortiGate enforces the profile based on the application signature match.

Exam trap

The trap here is that candidates often assume IPS or SSL inspection is the culprit for selective access issues, but the key clue is that the problem affects only some users, pointing to a categorization mismatch in Application Control rather than a global block.

How to eliminate wrong answers

Option A is wrong because the IPS sensor with default settings is unlikely to block legitimate CRM HTTPS traffic on port 443 unless it matches a known attack signature, and the issue is user-specific, not global. Option C is wrong because the FortiGate 600E is explicitly stated as not configured for load balancing, so this cannot be the cause. Option D is wrong because SSL inspection certificate validation failure would affect all users equally, not just some, and the issue is isolated to a specific application, not all HTTPS traffic.

184
Multi-Select · hard

Which TWO of the following are best practices when configuring IPS on a FortiGate in a high-throughput environment?

Select 2 answers
A. Set all signatures to block action to maximize security.
B. Set the IPS severity filter to high and above only.
C. Disable all custom signatures to simplify management.
D. Enable only relevant signatures based on the network environment.
E. Use flow-based inspection for better performance.
Answers: D, E

Enabling only necessary signatures reduces overhead and false positives.

Why this answer

Option D is correct because enabling only relevant signatures based on the network environment reduces false positives and unnecessary processing overhead, ensuring that IPS resources are focused on threats that actually apply to the traffic traversing the FortiGate. Option E is correct because flow-based inspection uses a single-pass, pattern-matching engine that offers higher throughput and lower latency compared to proxy-based inspection, making it ideal for high-throughput environments.

Exam trap

The trap here is that candidates often assume 'maximum security' means enabling all signatures or using the strictest action, but the NSE4 exam emphasizes that effective IPS in high-throughput environments requires balancing security with performance by selectively enabling relevant signatures and using flow-based inspection.

185
MCQ · medium

A network administrator configures an application control profile to block social media applications. Users can still access Facebook through a web browser. What is the MOST likely reason?

A. The application signatures are outdated
B. Application control is not enabled for HTTPS traffic without deep inspection
C. The firewall policy is in proxy-based mode
D. The application control profile is not applied to the correct policy
Answer: B

Facebook uses HTTPS. Without SSL deep inspection, application control cannot identify the application within encrypted traffic.

Why this answer

Option B is correct. Application control requires deep inspection to identify applications in encrypted traffic.

186
MCQ · easy

An administrator wants to block the use of social media applications like Facebook and Twitter on the company network. Which security profile should be used?

A. DNS Filter profile
B. Web Filter profile
C. Application Control profile
D. IPS profile
Answer: C

Application control can block the Facebook and Twitter applications regardless of the URL used.

Why this answer

Option C is correct. Application control can identify and block specific applications based on signatures, including social media apps.

187
Multi-Select · medium

A FortiGate administrator is configuring intrusion prevention (IPS) for a web server. The administrator wants to both block known exploits and detect anomalous traffic patterns. Which TWO features should be enabled? (Choose two.)

Select 2 answers
A. IPS signatures
B. Web filter
C. Antivirus
D. Anomaly detection
E. Application control
Answers: A, D

IPS signatures detect and block known exploits based on pattern matching.

188
MCQ · easy

Which FortiGate feature allows the administrator to scan SMTP, IMAP, and POP3 traffic for spam and apply actions such as tagging or discarding?

A. Email filter profile
B. Application control profile
C. Antivirus profile
D. Web filter profile
Answer: A

Email filter inspects email traffic (SMTP, IMAP, POP3) for spam and other threats.

Why this answer

Option A is correct. The email filter profile is designed to scan email traffic for spam and can apply actions like tag, discard, or quarantine.

189
MCQ · hard

An administrator configures a web filter profile to block the URL category 'Pornography'. The profile is applied to a policy for the sales department. Users report they can still access some sites that should be blocked. The administrator verifies that the FortiGuard web filter service is licensed and the FortiGate has internet connectivity. What should the administrator check next?

A. Verify that the antivirus profile is not interfering with web filtering.
B. Ensure the web filter profile has 'FortiGuard category based filter' enabled and the action for 'Pornography' is set to 'Block'.
C. Check if the sales department policy is using NAT that might bypass the FortiGate.
D. Confirm that the FortiGate has a static route to the FortiGuard servers.
Answer: B

If the category action is not set to block, or if the profile has other allow rules that override, the blocking may not occur. Also check for URL exemptions or override rules.

190
Multi-Select · medium

A FortiGate administrator needs to prevent data leakage by blocking the upload of files containing credit card numbers via web traffic. Which THREE components must be configured? (Choose three.)

Select 3 answers
A. Application control profile to block file upload applications
B. DLP profile with a rule to detect credit card numbers
C. Firewall policy that applies the DLP profile and SSL inspection to the traffic
D. Antivirus profile to scan the files for malware
E. SSL deep inspection to decrypt HTTPS traffic
Answers: B, C, E

A DLP (Data Leak Prevention) profile can use predefined or custom patterns to detect sensitive data like credit card numbers.

191
Multi-Select · medium

A FortiGate administrator wants to prevent users from downloading executable files via HTTP from the internet. Which TWO security profile features can be used together to achieve this? (Choose two.)

Select 2 answers
A. Antivirus profile with a file filter to block 'exe' files
B. Web filter profile with a URL filter to block '*.exe' URLs
C. DNS filter to block domains that host executable files
D. Application control profile to block HTTP file transfer applications
E. SSL deep inspection to allow inspection of encrypted traffic
Answers: A, B

The file filter in antivirus can block specific file types.

Why this answer

Antivirus can block file types by signature (e.g., exe), and application control can block file transfer applications or protocols. Additionally, web filter can block specific file extensions, but the most straightforward combination is the file filter within the antivirus profile together with the URL filter in the web filter profile.

192
MCQ · hard

An administrator configures SSL deep inspection with a CA certificate. Users accessing an internal site (internal.company.com) receive a certificate error. The administrator wants to avoid the error without disabling deep inspection. What should be done?

A. Replace the CA certificate with a self-signed one
B. Use certificate inspection instead of deep inspection
C. Disable certificate validation in the deep inspection profile
D. Add internal.company.com to the SSL/SSH inspection exemption list
Answer: D

Exempting the domain from deep inspection will allow traffic without decryption, avoiding certificate errors.

Why this answer

Option D is correct. The exemption list allows certain domains to bypass deep inspection, preserving trust.

193
MCQ · medium

An administrator has configured the policy shown in the exhibit. Traffic to the web server at 10.0.1.10 over HTTPS is allowed, but users complain that they cannot access the web server's login page. The IPS sensor 'High_Security_Sensor' has a signature that blocks SQL injection attempts. The application list 'Block_Social_Media' blocks Facebook and Twitter. What is the most likely cause of the issue?

A. The IPS sensor is blocking the login page due to a false positive.
B. The firewall policy action is set to 'deny' but the exhibit shows 'accept'.
C. The HTTPS service is not correctly defined and blocking the traffic.
D. The application control profile is blocking the web application.
Answer: D

Application control may block the web application if it is misclassified.

Why this answer

The policy explicitly allows HTTPS traffic to 10.0.1.10, but the application control profile 'Block_Social_Media' is applied. This profile blocks Facebook and Twitter, which are web-based applications. If the web server's login page is served over HTTPS and is incorrectly classified by the FortiGate as a social media application (e.g., due to a shared CDN or similar traffic patterns), the application control profile will block it, preventing user access despite the firewall policy allowing the service.

Exam trap

The trap here is that candidates assume the IPS sensor is the cause of the block, but the question specifies the IPS sensor only blocks SQL injection attempts, not login pages, while the application control profile explicitly blocks social media applications that could be misclassifying the web server's traffic.

How to eliminate wrong answers

Option A is wrong because the IPS sensor 'High_Security_Sensor' has a signature that blocks SQL injection attempts, not login pages; a false positive for SQL injection would block specific HTTP requests containing malicious patterns, not the entire login page. Option B is wrong because the exhibit shows the policy action as 'accept', and the question states traffic is allowed; a 'deny' action would block all traffic, not just the login page. Option C is wrong because HTTPS is a well-defined service (TCP/443) and the policy explicitly allows it; if the service were misdefined, all HTTPS traffic would be blocked, not just the login page.

194
MCQ · medium

A network administrator notices that traffic from a specific internal host is not being inspected by the application control profile applied to the firewall policy. The policy is configured with proxy-based inspection and the application control profile includes a rule to block 'Facebook'. The administrator confirms the host can still access Facebook. What is the MOST likely cause?

A. The host is accessing Facebook over HTTPS and the policy does not have SSL/TLS deep inspection enabled.
B. The firewall policy is using flow-based inspection instead of proxy-based.
C. The application control profile is configured with 'deep inspection' disabled.
D. The application control profile is applied only to outgoing traffic, but the host is using a proxy.
Answer: A

Application control cannot inspect encrypted application signatures without SSL deep inspection to decrypt the traffic.

Why this answer

Option A is correct because Facebook uses HTTPS. Without SSL deep inspection, FortiGate cannot see the application layer inside the encrypted tunnel, so application control cannot block Facebook.

195
MCQ · medium

A FortiGate administrator receives reports that some users are receiving spam emails despite an email filter profile being applied to the SMTP traffic. The email filter profile has 'spam' action set to 'discard'. What is the most likely reason spam is still reaching users?

A. The internal email server receives email directly from the internet without passing through the FortiGate
B. The spam dictionary is not updated with latest spam signatures
C. The email filter profile is not configured to scan outbound emails
D. The email filter profile is applied to the wrong policy direction (inbound vs outbound)
Answer: A

If the mail server is accessible directly from the internet, the FortiGate cannot inspect the SMTP traffic. The email filter only works on traffic that flows through the FortiGate.

Why this answer

Email filter profiles scan email traffic that passes through the FortiGate. If users are receiving spam from external mail servers that connect directly to the internal mail server without passing through the FortiGate, the email filter will not inspect that traffic.

196
MCQ · easy

Which of the following security profiles is used to prevent malicious files from being downloaded via HTTP, FTP, or email by inspecting the content of the traffic?

A. Antivirus
B. Application Control
C. Web Filter
D. Intrusion Prevention System (IPS)
Answer: A

Why this answer

Antivirus profiles scan files transferred over HTTP, FTP, and email for malware. Web filter controls URL access, application control identifies applications, and IPS detects network-based attacks.

197
MCQ · easy

What is the purpose of the 'safe search' option in a FortiGate web filter profile?

A. It enforces the use of HTTPS for search engines
B. It allows users to bypass URL filters during safe search
C. It filters explicit content from search engine results
D. It blocks all search engine traffic
Answer: C

Safe search activates the safe search mode of search engines (e.g., Google SafeSearch) to filter adult content.

Why this answer

Safe search enforces strict filtering on search engines to block explicit content in search results. It works by redirecting search queries to the safe search versions of supported search engines (Google, Bing, YouTube, etc.) when enabled.

198
MCQ · medium

An organization uses Application Control to allow only business-critical applications and block social media. The administrator has configured the profile to block Facebook and Twitter, but users can still access Facebook. The firewall policy applies the profile correctly. What is the most likely cause?

A. The application control profile is applied to the wrong direction.
B. Facebook is not included in the default application signatures.
C. SSL inspection is not enabled on the firewall policy.
D. The FortiGate is in flow-based inspection mode.
Answer: C

Without SSL inspection, HTTPS traffic cannot be decrypted and inspected.

Why this answer

Application Control relies on SSL inspection to identify applications like Facebook that use HTTPS. Without SSL inspection enabled on the firewall policy, FortiGate can only see encrypted traffic as generic SSL/TLS flows and cannot match the application signatures for Facebook. Enabling SSL inspection (deep inspection or certificate-based inspection) allows the FortiGate to decrypt the traffic and apply the application control profile correctly.

Exam trap

The trap here is that candidates assume application control works on encrypted traffic by default, but FortiGate requires explicit SSL inspection to decrypt and identify HTTPS applications like Facebook.

How to eliminate wrong answers

Option A is wrong because the application control profile is applied to the firewall policy, which is bidirectional by default; the direction is not the issue since the policy is correctly applied and the traffic is passing through it. Option B is wrong because Facebook is included in the default application signatures provided by FortiGuard; the administrator would not need to add it manually. Option D is wrong because flow-based inspection mode does not prevent application control from working; it actually supports application control and can still identify applications, but without SSL inspection, encrypted traffic remains opaque regardless of inspection mode.

199
MCQ · medium

An administrator configures an email filter profile to block spam. Users complain that legitimate emails from a specific partner are being blocked. The admin wants to allow emails from that partner's domain without disabling spam filtering for other domains. What is the BEST approach?

A. Add the partner's domain to the IP allowlist in the email filter profile
B. Increase the spam threshold until the emails pass
C. Disable spam filtering for the entire firewall policy
D. Create a separate firewall policy for the partner's traffic without email filtering
Answer: A

This ensures emails from that domain are not scanned for spam, while others are.

Why this answer

Option A is correct. An IP allowlist or domain whitelist in the email filter profile can be used to bypass spam filtering for specific senders, while still filtering other emails.

200
MCQ · hard

An administrator notices that a specific application (e.g., Skype) is not being detected by the application control profile. The profile includes the 'Skype' application signature but traffic is passing through without being logged as Skype. What is the most likely reason?

A. The application control profile is set to 'Monitor' mode
B. The traffic is using a non-standard port
C. The application signature is outdated
D. SSL deep inspection is not enabled on the firewall policy
Answer: D

Skype uses encryption. Without deep inspection, FortiGate cannot decrypt the traffic to inspect the application layer.

Why this answer

Application control requires deep inspection for encrypted traffic because it needs to see into the TLS session to match application signatures. If the policy does not have SSL deep inspection, the traffic appears as generic HTTPS and cannot be identified as Skype.

201
MCQ · easy

Which security profile is used to detect and prevent network-based attacks by analyzing traffic patterns and comparing them against known attack signatures?

A. DLP profile
B. IPS profile
C. Web filter profile
D. Antivirus profile
Answer: B

IPS uses signatures to detect and prevent network attacks.

Why this answer

Option B is correct. Intrusion Prevention System (IPS) profiles analyze traffic for malicious patterns and can block attacks in real time.

202
MCQ · easy

What is the difference between 'certificate inspection' and 'full SSL deep inspection' on a FortiGate?

A. Certificate inspection decrypts the traffic but does not check the certificate.
B. Deep inspection is less secure than certificate inspection.
C. Certificate inspection only validates the server certificate, while deep inspection decrypts and inspects the entire TLS session content.
D. Both methods provide the same level of inspection.
Answer: C

Certificate inspection checks the certificate chain and validity but does not decrypt traffic. Deep inspection decrypts the session, inspects the payload, then re-encrypts.

203
Multi-Select · medium

An administrator wants to ensure that all DNS traffic from internal users is filtered by the FortiGate to block malicious domains. Which TWO configurations are necessary? (Choose two.)

Select 2 answers
A. Set DNS server to FortiGate's IP
B. Apply the DNS filter profile to a firewall policy that matches DNS traffic
C. Create a DNS filter profile and set action for malicious domains to 'block'
D. Enable sinkhole on the DNS filter profile
E. Configure SSL deep inspection for DNS over HTTPS
Answers: B, C

The profile must be applied to a policy that intercepts DNS queries (typically port 53).

Why this answer

Options B and C are correct. The DNS filter profile and its application to a firewall policy are necessary.

204
MCQ · medium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A. The FortiGuard antivirus subscription has expired
B. The web server's certificate is self-signed and FortiGate is rejecting the connection
C. SSL/TLS deep inspection is not enabled on the firewall policy
D. The antivirus profile is configured for flow-based inspection instead of proxy-based
Answer: C

HTTPS traffic is encrypted. Without SSL deep inspection, FortiGate cannot decrypt the TLS session to inspect the payload. The antivirus profile requires the traffic to be decrypted first.

Why this answer

Option C is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic where deep inspection has decrypted it first.

205
MCQ · medium

An administrator configures a web filter profile with FortiGuard category blocking and URL filter to allow example.com. Users report that example.com is still blocked. What is the most likely cause?

A. The URL filter requires deep inspection to be enabled
B. The URL filter entry is placed after the FortiGuard category in the policy
C. The DNS filter is blocking example.com before the web filter is evaluated
D. The FortiGuard category action is set to 'block' and takes precedence over the URL filter allow rule
Answer: D

In FortiOS, when a category is set to block, it blocks all URLs in that category regardless of individual URL filter entries unless the URL filter uses an allow action and is configured to override categories.

Why this answer

In FortiOS, the FortiGuard category action takes precedence over URL filter exceptions unless the URL filter is configured with an action of 'allow' and a higher priority order. By default, category blocking overrides individual URL allow rules.

206
MCQ · medium

A network administrator notices that an IPS sensor is generating excessive false positives for a specific signature. The administrator wants to exclude traffic from a trusted internal server (IP 10.1.1.100) from inspection for that signature only, while keeping other signatures active. Which configuration change should the administrator apply?

A. Set the signature action to 'pass' and use an application control profile to bypass the server.
B. Disable the signature in the IPS sensor configuration.
C. Add the server's IP to the exempt list in the IPS sensor.
D. Create an IPS filter that excludes the server's source IP address from the signature.
Answer: D

An IPS filter with a source address exception allows selective exclusion for a specific signature.

Why this answer

Option D is correct because an IPS filter allows the administrator to define a rule that excludes traffic from a specific source IP address (10.1.1.100) from inspection for a particular signature, while leaving all other signatures active. This granular approach ensures that false positives for that signature are reduced without disabling the signature entirely or affecting other traffic.

Exam trap

The trap here is that candidates often confuse the 'exempt list' (which bypasses all IPS inspection for a host) with an 'IPS filter' (which can exclude traffic from a specific signature only), leading them to choose option C incorrectly.

How to eliminate wrong answers

Option A is wrong because setting the signature action to 'pass' would bypass inspection for that signature globally, not just for the trusted server, and using an application control profile does not apply to IPS signatures. Option B is wrong because disabling the signature entirely would stop all inspection for that signature across all traffic, which is too broad and would miss real threats from other sources. Option C is wrong because the exempt list in an IPS sensor typically excludes traffic from all inspection, not just for a specific signature, which would bypass all IPS signatures for that server.

207
MCQ · hard

An administrator wants to inspect SSL traffic to a specific finance application that uses a custom port (9443) and a self-signed certificate. Which configuration is required?

A. Configure certificate inspection on the policy.
B. Disable SSL inspection for that application.
C. Use deep inspection and add the application's self-signed certificate to the FortiGate's trusted CA list.
D. Use flow-based inspection with certificate inspection.
Answer: C

Deep inspection decrypts and re-encrypts; the trusted CA list allows self-signed certs.

Why this answer

Option C is correct because deep inspection is required to decrypt and inspect SSL traffic using a self-signed certificate on a non-standard port. The FortiGate must trust the application's self-signed certificate by adding it to the trusted CA list; otherwise, the deep inspection proxy will fail to validate the certificate and drop the connection. Certificate inspection (Option A) only checks the certificate metadata without decrypting the payload, so it cannot inspect the actual application traffic.

Exam trap

The trap here is that candidates often confuse certificate inspection with deep inspection, assuming certificate inspection can decrypt traffic, when in fact only deep inspection performs full decryption and is required for self-signed certificates on non-standard ports.

How to eliminate wrong answers

Option A is wrong because certificate inspection only validates the certificate chain and does not decrypt the SSL payload, so it cannot inspect the content of the finance application traffic. Option B is wrong because disabling SSL inspection would allow encrypted traffic to pass without any inspection, defeating the administrator's goal of inspecting SSL traffic. Option D is wrong because flow-based inspection with certificate inspection still does not decrypt the traffic; deep inspection (proxy-based) is required to decrypt and inspect traffic with a self-signed certificate.

208
Multi-Select · medium

An organization wants to implement data leak prevention (DLP) to detect when credit card numbers are sent via email (SMTP) and webmail (HTTPS). The FortiGate is using proxy-based inspection. Which THREE configurations are necessary? (Choose three.)

Select 3 answers
A. Set the inspection mode to flow-based for better performance.
B. Configure the antivirus profile to scan email attachments.
C. Create a DLP sensor with a rule to match credit card patterns.
D. Apply the DLP sensor to a firewall policy that handles SMTP and HTTPS traffic.
E. Enable SSL/TLS deep inspection on the firewall policy to inspect HTTPS.
Answers: C, D, E

The DLP sensor defines what to detect.

Why this answer

The correct answers are C, D, and E. The DLP sensor, SSL inspection for HTTPS, and applying the sensor to the policy are all required.

209
Multi-Select · hard

An administrator has configured an IPS profile to detect SQL injection attacks. However, some SQL injection attempts are still reaching the web server. Which TWO actions should the administrator take to improve detection?

Select 2 answers
A. Configure anomaly detection for SQL traffic
B. Update the IPS signature database
C. Disable flow-based inspection and use proxy-based only
D. Enable protocol decoders for HTTP and SQL
E. Enable SSL deep inspection on the policy
Answers: B, D

Updated signatures include the latest SQL injection patterns.

Why this answer

Options B and D are correct. Protocol decoders allow IPS to parse database protocols, and updating signatures ensures the latest attacks are detected.

210
MCQ · hard

A FortiGate is configured with SSL deep inspection using a locally generated CA certificate. A user reports that they cannot access https://www.example.com and receive a certificate error. The administrator checks the firewall policy and sees that the SSL inspection profile is set to 'certificate-inspection' instead of 'deep-inspection'. What is the MOST likely effect?

A. The FortiGate decrypts the traffic but does not re-sign, causing mismatch errors.
B. The FortiGate does not decrypt the traffic, so the original server certificate is presented to the client, which may be valid; the error is unrelated.
C. The FortiGate blocks the connection because certificate-inspection cannot handle deep inspection profiles.
D. The user will see a warning about the certificate but will be able to proceed after accepting it.
Answer: B

Certificate-inspection mode only checks the certificate chain; it does not re-sign. The client sees the original server certificate. If that certificate is valid, there should be no error. The issue likely stems from a different problem.

Why this answer

Option B is correct. Certificate-inspection does not decrypt; it only validates. Therefore, the user sees the original server certificate.

If there is an error, it is likely due to something else.

211
MCQ · medium

A FortiGate administrator wants to block all traffic to a known malicious IP address range using the Intrusion Prevention System (IPS). Which IPS configuration method is most appropriate?

A. Use a predefined IPS signature for known malicious IPs
B. Create a custom IPS signature that matches the IP range
C. Configure an IPS anomaly detection rule to block the IP range
D. Use a local IPS signature database
Answer: B

Custom IPS signatures can match any pattern, including IP addresses. This is a valid method.

Why this answer

Option B is correct. IPS signatures are designed to detect and block specific attack patterns, including traffic to known malicious IPs. The 'IPS sensor' can include signatures that match traffic to specific IP addresses.

Alternatively, a firewall policy with a destination address object is simpler, but the question specifies using IPS.

212
MCQ · medium

An administrator runs the CLI command 'diagnose debug rating' and sees that all FortiGuard web filter requests are timing out. What is the most likely cause?

A. The web filter profile has an incorrect action configured
B. The web filter is set to 'monitor all' which causes all requests to timeout
C. The FortiGuard web filtering license has expired
D. The DNS server configured on the FortiGate is not resolving the FortiGuard FQDN
Answer: D

If DNS fails, the FortiGate cannot resolve the FortiGuard server IP, leading to connection timeouts.

Why this answer

If FortiGuard requests time out, the FortiGate cannot reach the FortiGuard servers. This could be due to network connectivity issues, DNS resolution failure, or a proxy configuration problem.

213
MCQ · hard

A FortiGate receives a file via SMTP that contains a virus. The antivirus profile is set to 'Block' for viruses and the action is set to 'Quarantine'. However, the email is delivered to the user with the infected attachment. What could be the reason?

A. The email filter profile is overriding the antivirus action
B. The antivirus profile is using flow-based inspection and the SMTP scan is not enabled
C. The antivirus signatures are outdated
D. The file is larger than the FortiGate's virus database can handle
Answer: B

Flow-based inspection requires explicit configuration for SMTP; proxy-based inspects all protocols by default.

Why this answer

Option B is correct. If the antivirus profile is configured for flow-based inspection, some email protocols may not be fully inspected unless explicitly configured. Flow-based inspection may skip SMTP depending on the configuration.

214
MCQeasy

What is the difference between certificate inspection and full SSL deep inspection on a FortiGate?

A.Certificate inspection decrypts traffic; deep inspection does not
B.Certificate inspection only validates the server certificate; deep inspection decrypts and inspects the content
C.Deep inspection is faster than certificate inspection
D.Both provide the same level of security
AnswerB

Certificate inspection reads only the unencrypted parts of the TLS handshake (the server certificate and the SNI) to validate the certificate and rate the site; deep inspection terminates the TLS session on the FortiGate, re-signs the server certificate with the FortiGate CA and decrypts the content for the other security profiles.

Why this answer

Option B is correct. Certificate inspection checks the server certificate (and the SNI) without decrypting anything, so it can block a site by hostname or because of an invalid certificate, but it cannot scan what is inside the session. Deep inspection acts as a man in the middle: it decrypts the session, runs the other security profiles on the plaintext and re-encrypts it towards the client, which is why the FortiGate CA certificate must be trusted by the clients. Option A reverses the two, Option C is wrong because decrypting and re-encrypting every session costs far more than reading a certificate, and Option D is wrong because only deep inspection exposes the content to antivirus, web filter, IPS and application control.

215
MCQhard

An administrator wants to block users from uploading files to cloud storage services like Google Drive via HTTPS. Which security profile combination is required?

A.Application control profile to block cloud storage applications, with deep inspection enabled
B.IPS profile to block file uploads to cloud services
C.DNS filter to block Google Drive domain
D.Web filter profile with URL filter to block Google Drive
AnswerA

Application control can identify and block Google Drive traffic over HTTPS, but the upload itself only becomes visible once deep inspection has decrypted the session so the application signatures can match it.

Why this answer

Blocking uploads to an HTTPS service needs two things on the policy. First, deep inspection must be enabled in the SSL/SSH inspection profile so the FortiGate can decrypt the session; without it the FortiGate sees only the SNI and the server certificate, not what the user is doing inside the session. Second, an application control profile identifies the cloud storage application in the decrypted traffic and blocks it; FortiGuard application signatures include entries for specific actions such as file upload, so uploads can be blocked while ordinary browsing of the service is still allowed. A DLP sensor or file filter could add content-based blocking on top, but it depends on the same decryption. Option B is wrong because IPS matches attack signatures, not application behaviour. Options C and D block the Google Drive domain or URL outright, which prevents all access rather than just uploads, and a URL filter cannot see the path of an HTTPS request without deep inspection in any case.

216
MCQmedium

Refer to the exhibit. The policy applies deep inspection, but users cannot access any HTTPS websites. The FortiGate CA certificate is installed on clients. What is the most likely cause?

A.The deep inspection profile is misconfigured.
B.The antivirus profile is blocking the traffic.
C.The web filter profile 'strict' is blocking all sites.
D.The service 'HTTPS' only allows TCP 443, but some websites use other ports.
AnswerD

Traffic to HTTPS sites on ports other than TCP 443 does not match the 'HTTPS' service object, so it never matches this policy and falls through to the implicit deny.

Why this answer

Option D is correct because the policy uses the predefined service 'HTTPS', which matches only TCP destination port 443. Sessions to HTTPS websites hosted on other ports (for example 8443 or 9443) do not match the policy at all, so they are never evaluated by deep inspection or any other profile on it; they fall through to the implicit deny and the connection fails. The FortiGate CA certificate being installed on the clients rules out the usual deep inspection symptom (browser certificate warnings), which is why the cause has to be looked for in policy matching rather than in the inspection profile. The fix is to widen the service on the policy (a custom TCP service covering the extra ports, or 'ALL'), not to change the inspection profile.

Exam trap

The trap here is that candidates assume 'HTTPS' covers all secure web traffic, but FortiGate service objects are port-specific, and a security profile is only applied to sessions that actually match the policy; a session that does not match the service is not inspected, it is dropped.

How to eliminate wrong answers

Option A is wrong because the deep inspection profile being misconfigured would typically cause certificate errors or decryption failures, not a complete inability to access all HTTPS websites; the question states the CA is installed, so profile misconfiguration is less likely. Option B is wrong because the antivirus profile blocking traffic would affect specific files or patterns, not all HTTPS websites, and would generate logs indicating virus detection. Option C is wrong because the web filter profile 'strict' blocking all sites would prevent HTTP as well, and the issue is specific to HTTPS; moreover, web filter profiles do not block at the transport layer but at the URL/content level.

217
MCQhard

A FortiGate administrator needs to configure a policy so that traffic to a specific external server is exempted from SSL deep inspection. Which method should be used?

A.Add the server's address to the 'SSL/SSH Inspection Profile' exemptions list
B.Create a separate firewall policy without SSL inspection for that server
C.Disable the IPS sensor on that policy
D.Set the antivirus profile to 'monitor' only
AnswerA

Exemptions in the SSL inspection profile allow bypassing deep inspection for specific destinations while keeping the profile applied.

Why this answer

Exemptions (by address object or by web category) can be added in the SSL/SSH inspection profile so that matching destinations bypass decryption while the same policy and profile continue to apply to everything else. Option B works but duplicates the policy and its profiles for a single destination, which is harder to maintain; Options C and D change what IPS or antivirus do with the decrypted traffic, they do not stop the traffic from being decrypted.

218
MCQmedium

An administrator configures an application control profile to block social media applications. Users can still access Facebook and Twitter via web browsers. What is the most likely reason?

A.The application signatures for Facebook and Twitter are not up to date
B.The firewall policy has SSL/SSH inspection set to 'certificate-inspection' instead of 'deep-inspection'
C.The application control profile is set to 'monitor' instead of 'block'
D.The firewall policy is configured with flow-based inspection
AnswerB

Certificate inspection sees only the server certificate and the SNI; deep inspection decrypts the session so application control signatures can match the application's traffic.

Why this answer

Application control identifies applications by matching signatures against the traffic. With certificate inspection the FortiGate sees only the TLS handshake metadata (SNI and server certificate); everything inside the session, including the HTTP requests that identify specific Facebook or Twitter features, stays encrypted, so signatures that depend on that content cannot match and the traffic may be classified as generic SSL rather than as the intended application. Deep inspection decrypts the session and gives the signatures the full payload. In practice the cheaper checks come first: confirm the profile action is 'block' rather than 'monitor' (Option C) and that the application signatures are current (Option A) before changing the inspection profile. Option D is not a cause at all, since application control works in both flow-based and proxy-based inspection modes.

219
MCQhard

A FortiGate is configured with flow-based antivirus and an IPS profile on a policy. The administrator runs 'diagnose ips packet-list' and sees that packets are being forwarded without inspection. What is the most likely reason?

A.The session is offloaded to the NPU and is not being sent to the IPS engine
B.The antivirus profile is set to proxy-based, conflicting with flow-based IPS
C.The IPS profile is configured with 'monitor' mode instead of 'protect'
D.The traffic is UDP and flow-based inspection does not inspect UDP
AnswerA

In flow-based mode, sessions can be offloaded to hardware acceleration (NPU). Packets of an offloaded session are forwarded by the NPU and are not passed up to the CPU-based IPS engine, which is why the packet list shows them forwarded without inspection.

Why this answer

Hardware offload to the network processor (NPU) moves forwarding of an established session off the CPU, and packets the NPU forwards do not reach the IPS engine, so the diagnostic shows them forwarded without inspection. Confirm it with 'diagnose sys session list', which shows each session's NPU offload state; if the session must be inspected packet by packet, disable offload on the policy with 'set auto-asic-offload disable' under 'config firewall policy'. Option B describes no real conflict, since a policy is either flow-based or proxy-based as a whole. Option C would still show packets being inspected and logged, just not blocked. Option D is wrong because flow-based IPS does inspect UDP.

220
MCQhard

An administrator notices that traffic to a specific HTTPS website is being blocked. The FortiGate has SSL inspection enabled, and the web filter profile is set to monitor all categories. The URL is not in any blocked category. What should the administrator check next?

A.Check if the SSL inspection policy is using certificate inspection instead of full SSL inspection.
B.Review the SSL/SSH inspection profile's certificate revocation check settings.
C.Ensure that the FortiGate has the latest web filter database.
D.Verify that the web filter has the correct rating for the URL.
AnswerB

If the server's certificate fails the revocation check (CRL or OCSP) and the inspection profile is set to block revoked certificates, the FortiGate drops the session regardless of the web filter rating.

Why this answer

When SSL inspection is enabled and a specific HTTPS site is blocked despite not being in a blocked category, the issue often lies in the SSL/SSH inspection profile's certificate revocation check. If the FortiGate cannot verify the server's certificate revocation status (e.g., via OCSP or CRL), it may block the connection as a security precaution, even if the web filter category allows the URL. Option B directly addresses this by suggesting a review of the revocation check settings.

Exam trap

The trap here is that candidates often assume HTTPS blocking is always due to web filter categories or inspection depth, overlooking that certificate revocation checks in the SSL inspection profile can independently block traffic even when the URL is allowed by the web filter.

How to eliminate wrong answers

Option A is wrong because certificate inspection only examines the SNI and certificate metadata, not the full payload, but the question states SSL inspection is enabled and the web filter is set to monitor all categories; the blocking is likely due to certificate validation failure, not inspection depth. Option C is wrong because the web filter database being outdated would affect URL categorization, but the URL is not in any blocked category, so the database is likely current; the issue is with SSL certificate validation, not URL ratings. Option D is wrong because the administrator already knows the URL is not in a blocked category, so re-verifying the rating would not resolve a block caused by certificate revocation check failure.

221
Multi-Selectmedium

A network admin is configuring a security policy for outbound HTTP traffic. The requirements are: (1) block access to known malicious websites, (2) prevent users from downloading executable files, (3) detect and block C2 traffic. Which THREE security profiles should be applied to the policy?

Select 3 answers
A.Antivirus
B.Web Filtering
C.Application Control
D.IPS
E.DNS Filter
AnswersA, B, D

Antivirus can block executable file downloads based on file type or virus signatures.

Why this answer

Options A, B, and D are correct. Web filtering (B) blocks known malicious websites by FortiGuard category or URL filter; antivirus (A) blocks executable downloads, either by virus signature or by blocking the executable file type; IPS (D) detects and blocks command-and-control traffic with its botnet C&C and attack signatures. Application control (C) identifies applications rather than malicious sites or file types, and a DNS filter (E) acts on DNS queries, not on the HTTP session that carries the download.
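The antivirus profile's file-type blocking from question 221 works on the content of the file rather than on its name, which is what makes it useful against renamed executables. The following Python is an added example written for this page (not FortiGate code): a small magic-byte classifier with the PE header check, and the pass/block decision a content-based file filter makes. The signature table, the set of blocked types and the sample downloads are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# Magic-byte signatures checked at offset 0. Constructed table for the example; a real
# file-type filter carries far more patterns, but the principle is the same: the type
# is decided from the content, not from the filename the sender chose.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\x7fELF", "elf"),              # Linux/Unix executable
    (b"\xcf\xfa\xed\xfe", "macho"),   # Mach-O 64-bit
    (b"\xfe\xed\xfa\xce", "macho"),   # Mach-O 32-bit
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),           # also docx/xlsx/jar containers
    (b"#!", "script"),                # shebang script
]


def is_pe(data: bytes) -> bool:
    """'MZ' alone is only a DOS header; a Windows PE also has e_lfanew (offset 0x3c)
    pointing at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def detect_file_type(data: bytes) -> str:
    """Classify by leading bytes; the extension plays no part."""
    if data[:2] == b"MZ":
        return "exe" if is_pe(data) else "dos-exe"
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


# Executable types the hypothetical antivirus file filter is configured to block.
BLOCKED_TYPES = {"exe", "dos-exe", "elf", "macho", "script"}


def file_filter_decision(filename: str, data: bytes, blocked=BLOCKED_TYPES) -> Dict[str, str]:
    """Decide pass/block the way a content-based file-type filter does: the detected
    type drives the action; the extension is reported only so a mismatch is visible."""
    detected = detect_file_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"filename": filename, "extension": ext, "detected": detected,
            "action": "block" if detected in blocked else "pass"}


def constructed_pe() -> bytes:
    """A 64-byte DOS header whose e_lfanew points straight at a PE signature.
    Constructed sample, not a real program."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_DOWNLOADS = [                                   # constructed sample downloads
    ("invoice.txt", constructed_pe()),                # renamed Windows executable
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("tool.exe", b"%PDF-1.4\n"),                      # misleading name, harmless content
    ("update.sh", b"#!/bin/sh\necho hello\n"),
    ("notes.bin", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8),
]


def scan_all(downloads=SAMPLE_DOWNLOADS) -> List[Dict[str, str]]:
    """Run the filter over every sample; 'invoice.txt' and 'notes.bin' are blocked
    despite their innocent names, 'tool.exe' passes because its content is a PDF."""
    return [file_filter_decision(name, data) for name, data in downloads]
```

Add to BLOCKED_TYPES whatever your policy says (for example "zip" to catch archives that might wrap an executable), but keep the decision on the detected type; a filter that trusts the extension is defeated by renaming the file.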

222
Multi-Selecteasy

Which TWO types of inspection can be used for HTTPS traffic in a FortiGate security policy?

Select 2 answers
A.Deep inspection
B.Certificate inspection
C.Full inspection
D.Flow-based inspection
E.Proxy-based inspection
AnswersA, B

Why this answer

FortiGate offers two SSL inspection types for HTTPS: certificate inspection (which checks the server certificate and SNI but does not decrypt content) and deep inspection (which decrypts and inspects the content). 'Full inspection' (C) is just another name for deep inspection (the GUI calls it full SSL inspection), so it duplicates A rather than being a distinct type. Flow-based and proxy-based (D, E) are the policy's inspection mode, that is, how the security profiles process traffic; either mode can be combined with either SSL inspection type.

223
MCQmedium

A FortiGate is configured for SSL deep inspection using a CA certificate. Users report that some websites show certificate errors. The administrator wants to allow these sites without inspection. Which setting should be used?

A.Disable certificate validation in the SSL inspection profile
B.Create a separate firewall policy without SSL inspection
C.Set the action for invalid certificates to 'allow'
D.Add the websites to the SSL/SSH exemption list
AnswerD

Exemption list tells FortiGate to skip deep inspection for those destinations.

Why this answer

Option D is correct: SSL/SSH exemption list allows specific destinations to bypass deep inspection, while still applying other security profiles.

224
Multi-Selecthard

A FortiGate is configured with an IPS profile to detect and block anomalous network behavior. Which THREE types of detection does IPS anomaly detection include? (Choose three.)

Select 3 answers
A.Protocol decoding
B.Port scan detection
C.SYN flood detection
D.Signature-based detection
E.UDP flood detection
AnswersB, C, E

Port scanning is a common anomaly that IPS can detect.

Why this answer

Port scan detection is a type of anomaly detection in FortiGate's IPS profile that identifies reconnaissance attempts by monitoring for connection attempts to many different ports from a single source. SYN flood and UDP flood detection are rate-based anomalies in the same family: the FortiGate counts half-open TCP connections, or UDP packets, towards a destination per second and fires when the configured threshold is exceeded. All three describe traffic that deviates from normal patterns by volume or spread rather than by content, which is what lets the IPS act before any specific attack payload is seen. Protocol decoding (A) and signature-based detection (D) are how IPS recognises known attacks in the content of traffic; they are not anomaly thresholds.

Exam trap

The trap here is that candidates often confuse signature-based detection (Option D) with anomaly detection, but FortiGate explicitly separates these into distinct IPS detection methods, and the question asks specifically for anomaly detection types.

225
MCQhard

An administrator runs 'diagnose ips anomaly list' and sees many 'tcp_syn_flood' entries. The IPS profile has anomaly detection enabled with action 'pass'. The administrator wants to block such attacks. What change is required?

A.Increase the threshold for the anomaly
B.Enable flow-based inspection on the policy
C.Add a DoS policy from the same source
D.Change the action for the anomaly from 'pass' to 'block'
AnswerD

The block action drops the packets that exceed the anomaly threshold; 'pass' only logs them.

Why this answer

Option D is correct because anomaly detection in IPS profiles is threshold-based: when the count of matching packets exceeds the threshold within the window, the configured action is taken, and 'pass' only logs the event while letting the traffic through. Changing the action to 'block' drops the offending traffic. Raising the threshold (A) makes detection less sensitive, the opposite of what is wanted; the inspection mode (B) does not control anomaly actions; and adding a DoS policy (C) is a separate mechanism rather than the change to the existing anomaly configuration that the question asks for.
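As an added illustration of the mechanism behind questions 224 and 225 (example code written for this page, not FortiGate code or output), the following Python models rate-based anomaly detection: a counter per source or destination per time window, a threshold, and a per-anomaly action. The anomaly names and thresholds are assumptions modelled on the names in the questions, the traffic is constructed, and the point to notice is that with action 'pass' the SYN flood is detected and logged but every packet is still forwarded; only changing the action to 'block' drops the excess.

```python
import copy
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Constructed packet record: (time_s, src_ip, dst_ip, dst_port, proto, tcp_flags)
Packet = Tuple[float, str, str, int, str, FrozenSet[str]]

# Hypothetical anomaly table modelled on the quiz's tcp_syn_flood, tcp_port_scan and
# udp_flood entries. Thresholds are counts per window; 'pass' only logs, 'block' drops.
ANOMALIES: Dict[str, Dict] = {
    "tcp_syn_flood": {"threshold": 100, "window_s": 1.0, "action": "pass"},
    "tcp_port_scan": {"threshold": 20, "window_s": 1.0, "action": "block"},
    "udp_flood":     {"threshold": 200, "window_s": 1.0, "action": "block"},
}

SYN = frozenset("S")


def with_action(table: Dict[str, Dict], name: str, action: str) -> Dict[str, Dict]:
    """Return a copy of the table with one anomaly's action changed (the fix in question 225)."""
    new = copy.deepcopy(table)
    new[name]["action"] = action
    return new


def process(packets: List[Packet], table: Dict[str, Dict]):
    """Single pass over packets in arrival order, the way a rate-based anomaly engine
    behaves: each packet bumps the counter of every anomaly it contributes to, and once
    a counter exceeds its threshold within the window the anomaly fires. With action
    'block' that packet and every later matching packet in the window are dropped;
    with 'pass' they are counted and logged but forwarded.
    Returns (alerts, forwarded_count, dropped_count)."""
    syn_per_dst: Dict[Tuple[str, int], int] = defaultdict(int)   # SYN flood: bare SYNs per destination
    ports_per_src: Dict[Tuple[str, int], set] = defaultdict(set)  # port scan: distinct ports per source
    udp_per_dst: Dict[Tuple[str, int], int] = defaultdict(int)    # UDP flood: UDP packets per destination
    fired = set()
    alerts, forwarded, dropped = [], 0, 0

    for ts, src, dst, dport, proto, flags in sorted(packets, key=lambda p: p[0]):
        hits = []   # (anomaly, key, window, current count) this packet contributes to
        if proto == "tcp":
            w = int(ts // table["tcp_syn_flood"]["window_s"])
            if flags == SYN:
                syn_per_dst[(dst, w)] += 1
                hits.append(("tcp_syn_flood", dst, w, syn_per_dst[(dst, w)]))
            w = int(ts // table["tcp_port_scan"]["window_s"])
            ports_per_src[(src, w)].add(dport)
            hits.append(("tcp_port_scan", src, w, len(ports_per_src[(src, w)])))
        elif proto == "udp":
            w = int(ts // table["udp_flood"]["window_s"])
            udp_per_dst[(dst, w)] += 1
            hits.append(("udp_flood", dst, w, udp_per_dst[(dst, w)]))

        drop = False
        for name, key, w, count in hits:
            cfg = table[name]
            if count <= cfg["threshold"]:
                continue
            if (name, key, w) not in fired:                  # log once per anomaly/key/window
                fired.add((name, key, w))
                alerts.append({"anomaly": name, "key": key, "action": cfg["action"]})
            if cfg["action"] == "block":
                drop = True
        if drop:
            dropped += 1
        else:
            forwarded += 1
    return alerts, forwarded, dropped


def sample_traffic() -> List[Packet]:
    """Constructed traffic: a spoofed SYN flood, one legitimate client, one port scanner."""
    pkts: List[Packet] = []
    for i in range(150):   # 150 bare SYNs to one server within one second (threshold 100)
        pkts.append((0.001 * i, f"198.51.100.{i % 250 + 1}", "203.0.113.10", 443, "tcp", SYN))
    pkts.append((1.5, "192.0.2.7", "203.0.113.10", 443, "tcp", SYN))             # normal handshake
    pkts.append((1.51, "192.0.2.7", "203.0.113.10", 443, "tcp", frozenset("A")))
    for p in range(1, 31):  # one source probing 30 distinct ports within one second (threshold 20)
        pkts.append((2.0 + 0.01 * p, "192.0.2.99", "203.0.113.20", p, "tcp", SYN))
    return pkts
```

Running process(sample_traffic(), ANOMALIES) fires both anomalies but drops only the scanner's packets past the 20th port; the 50 SYNs above the flood threshold are forwarded because the action is 'pass'. Re-running with with_action(ANOMALIES, "tcp_syn_flood", "block") drops those 50 as well, which is the behaviour question 225 asks for, and the legitimate client in the following window is untouched either way.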
