CCNA NSE4 Security Profiles Questions

75 of 232 questions · Page 2/4 · NSE4 Security Profiles topic

76
MCQ (easy)

Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?

A. The policy is missing the 'set inspection-mode proxy' command.
B. The ssl-ssh-profile is set to 'deep-inspection' but the policy is using flow-based inspection.
C. The source interface is 'wan1' but the traffic is coming from 'internal'.
D. The policy has 'set action deny' instead of 'set action accept'.
Answer: A

Deep inspection requires proxy-based inspection mode.

Why this answer

Option A is correct because the policy is missing the 'set inspection-mode proxy' command. FortiGate requires proxy-based inspection mode to perform SSL/TLS interception; flow-based inspection cannot decrypt or re-encrypt HTTPS traffic. Without this command, the policy defaults to flow-based mode, causing SSL inspection to fail even if the ssl-ssh-profile is set to deep-inspection.

Exam trap

The trap here is that candidates assume setting the ssl-ssh-profile to 'deep-inspection' alone is sufficient, overlooking the mandatory 'set inspection-mode proxy' command required for SSL decryption to function.

How to eliminate wrong answers

Option B is wrong because the ssl-ssh-profile set to 'deep-inspection' is actually correct for SSL inspection; the issue is the inspection mode, not the profile. Option C is wrong because the source interface is 'wan1' and the traffic is coming from 'internal' — this mismatch would cause the policy not to match at all, not just SSL inspection to fail. Option D is wrong because the policy has 'set action deny' which would block all traffic, not specifically cause SSL inspection to fail; the exhibit shows the policy is matching traffic, so action must be accept.

77
Multi-Select (medium)

A FortiGate administrator is troubleshooting why antivirus scanning is not working for HTTPS traffic. Which TWO steps should be verified?

Select 2 answers
A. Ensure the antivirus profile is set to proxy-based inspection
B. Ensure the firewall policy has SSL/TLS deep inspection enabled
C. Confirm that the web filter profile is also applied
D. Verify that the antivirus profile is applied to the policy
E. Check that the FortiSandbox is online for advanced scanning
Answers: B, D

Without deep inspection, HTTPS traffic is encrypted and antivirus cannot see the payload.

Why this answer

For antivirus to scan HTTPS traffic, deep inspection must be enabled on the firewall policy, and the antivirus profile must be configured with the appropriate inspection mode. Both are required.

78
Matching (medium)

Match each FortiGate NAT type to its description.

Descriptions

Translates private source IP to public IP for outbound traffic

Translates public destination IP to private IP for inbound traffic

Assigns a range of ports to a private IP for NAT

Translates IPv6 traffic to IPv4 and vice versa

Translates IPv4 traffic to IPv6

Why these pairings

NAT methods used in FortiGate for address translation.

79
MCQ (easy)

A FortiGate administrator wants to block all traffic to websites that are categorized as 'Malware' and 'Phishing'. Which security profile should be configured to achieve this goal?

A. DNS Filter profile
B. Web Filter profile
C. IPS profile
D. Application Control profile
Answer: B

Web filtering can block categories such as Malware and Phishing.

Why this answer

Option B is correct. Web filtering profiles use FortiGuard categories to block access to malicious websites such as malware and phishing sites.

80
MCQ (easy)

What is the purpose of the DNS filter security profile on a FortiGate?

A. To block DNS queries to known malicious domains
B. To inspect DNS traffic for virus signatures
C. To filter spam emails based on DNS blacklists
D. To prevent DNS tunneling attacks
Answer: A

DNS filter uses FortiGuard DNS categories and custom domain lists to block malicious DNS queries.

Why this answer

DNS filter inspects DNS queries to block access to malicious or unwanted domains.

81
MCQ (easy)

Which FortiGate security profile is BEST suited for blocking DNS queries to known malicious domains?

A. Web Filter profile
B. IPS profile
C. Application Control profile
D. DNS Filter profile
Answer: D

DNS filter specifically handles DNS query filtering.

Why this answer

Option D is correct. DNS Filter profile can block DNS queries based on FortiGuard categories or custom domain lists, preventing users from resolving malicious domains.

82
Multi-Select (hard)

An administrator needs to ensure that all HTTPS traffic to a critical server is inspected by the IPS. The server uses a valid certificate from a public CA. Which THREE steps are required to achieve this?

Select 3 answers
A. Apply an IPS profile to the same firewall policy
B. Set the Antivirus profile to 'Deep Inspection'
C. Install the FortiGate's CA certificate on client browsers
D. Enable SSL deep inspection on the firewall policy
E. Upload the server's certificate to the FortiGate
Answers: A, C, D

IPS profile must be applied to the policy to inspect decrypted traffic.

Why this answer

Options A, C, and D are correct. SSL deep inspection must be enabled on the policy (D), the IPS profile must be applied in the same policy (A), and the FortiGate's CA certificate must be installed on clients (C) to avoid certificate errors.

83
MCQ (medium)

A network administrator notices that some users can access blocked web categories despite a web filter profile applied to the policy. The admin runs 'diagnose debug rating' and sees 'rating not allow' for the category. What is the MOST likely cause?

A. The web filter profile has an 'override' configured for those users
B. The policy is not using the correct web filter profile
C. DNS filter is allowing the domain
D. The FortiGuard web filter database is outdated
Answer: A

An override allows users to bypass the web filter rating. Even if the rating is 'block', the override permits access.

Why this answer

Option A is correct because the override feature can be used to grant users temporary access to blocked categories, bypassing the web filter rating.

84
MCQ (medium)

A company policy requires that all web searches by employees use safe search. Which setting should be configured in the web filtering profile?

A. Enable 'Restrict YouTube Access'
B. Create a URL filter to block URLs with 'safe search'
C. Enable 'Enforce Safe Search on Google, Bing, and Yahoo'
D. Set the 'Action' for FortiGuard categories to 'Warning'
Answer: C

This setting forces safe search for the listed search engines.

Why this answer

Option C is correct because the 'Enforce Safe Search' setting in a FortiGate web filtering profile forces Google, Bing, and Yahoo to use their built-in safe search parameters (e.g., &safe=active for Google). This ensures that all web searches from the network comply with the company policy by appending the required query strings to search URLs, blocking explicit content at the search engine level.

Exam trap

The trap here is that candidates often confuse 'Enforce Safe Search' with URL filtering or category blocking, assuming that blocking or warning on categories like 'Search Engines' would achieve the same result, but safe search enforcement is a specific feature that modifies search queries rather than blocking access.

How to eliminate wrong answers

Option A is wrong because 'Restrict YouTube Access' only controls YouTube content (e.g., enforcing strict or moderate mode), not general web search safe search. Option B is wrong because creating a URL filter to block URLs containing 'safe search' would block access to safe search configuration pages, not enforce safe search on search engines. Option D is wrong because setting the 'Action' for FortiGuard categories to 'Warning' only displays a warning page for categorized sites, it does not modify search engine behavior to enforce safe search.

85
Multi-Select (medium)

An administrator wants to block all peer-to-peer (P2P) file sharing applications such as BitTorrent and eMule on the network. Which THREE steps should the administrator take?

Select 3 answers
A. Configure a web filter profile to block P2P websites
B. Enable deep inspection on the firewall policy to detect encrypted P2P traffic
C. Create an application control profile with the P2P category blocked
D. Apply the application control profile to a firewall policy allowing internet access
E. Enable antivirus to block P2P protocols
Answers: B, C, D

Why this answer

Blocking P2P requires application control with the P2P category blocked, deep inspection to detect encrypted P2P traffic, and applying the profile to the firewall policy. Web filter only blocks URLs, not the application traffic itself. Antivirus does not block protocols.

86
Drag & Drop (medium)

Drag and drop the steps to capture traffic on a FortiGate interface using the CLI into the correct order.

Why this order

The sniffer command syntax is diagnose sniffer packet <interface> <filter> <verbose> <count>.

87
MCQ (medium)

A school uses FortiGate for web filtering. They want to block social media sites for students during class hours (8 AM to 3 PM) but allow access for teachers at all times. The network has a single internet connection and all users are in the same subnet. The administrator created a firewall policy for students (source IP range 192.168.1.100-200) and another for teachers (source IP range 192.168.1.10-50). The student policy has a web filter profile that blocks social media. However, teachers are also being blocked from social media during class hours. What is the most likely cause?

A. The web filter profile is applied globally.
B. The student policy is placed before the teacher policy in the policy list.
C. The teacher policy has a schedule that restricts access.
D. The student policy is placed after the teacher policy.
Answer: B

Policies are checked in order; first match applies.

Why this answer

FortiGate processes firewall policies in sequential order from top to bottom, and the first matching policy is applied. Since the student policy (source IP range 192.168.1.100-200) is placed before the teacher policy (source IP range 192.168.1.10-50), traffic from teachers whose source IP falls within the student range (e.g., 192.168.1.50) will match the student policy first, causing them to be subject to the web filter profile that blocks social media. This is the most likely cause of teachers being blocked during class hours.

Exam trap

The trap here is that candidates often assume policy order does not matter or that FortiGate evaluates policies based on best match rather than sequential order, leading them to overlook the critical placement of the student policy before the teacher policy.

How to eliminate wrong answers

Option A is wrong because a web filter profile applied globally would affect all traffic regardless of policy order, but the scenario describes separate policies for students and teachers, and the issue is specific to policy matching order, not a global setting. Option C is wrong because the question states that teachers should have access at all times, and a schedule restricting access on the teacher policy would contradict this requirement; the problem is that teachers are being blocked, not that their policy has a restrictive schedule. Option D is wrong because if the student policy were placed after the teacher policy, teachers would match their policy first and not be blocked; the issue is that the student policy is before the teacher policy, not after.

88
MCQ (hard)

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A. The session has been active for 1 hour and will expire in about 1 hour
B. The session is blocked by the firewall
C. The session is using UDP protocol
D. The session is in a half-open state
Answer: A

duration=3600 seconds = 1 hour, expire=3599 seconds ≈ 1 hour. This is a normal established session.

Why this answer

Option A is correct. The output shows a TCP session (proto=6) on port 443 with state 01 (established), duration 3600 seconds, and expire 3599 seconds. This indicates the session has been up for 1 hour and will expire in about 1 hour.

89
MCQ (medium)

A network administrator notices that HTTP traffic is being scanned by the antivirus profile, but HTTPS traffic to the same web server is not being scanned. The firewall policy has the antivirus profile applied and SSL inspection is set to 'certificate-inspection'. What is the most likely reason HTTPS traffic is not being scanned?

A. Certificate inspection does not decrypt the traffic, so the antivirus scanner cannot inspect the payload.
B. The antivirus profile is configured in flow mode, which does not support scanning HTTPS traffic.
C. The web server is not using a cipher supported by the FortiGate.
D. The FortiGate is using proxy-based inspection, which does not support HTTPS scanning.
Answer: A

Certificate inspection only verifies the server certificate; it does not decrypt the TLS session. Without decryption, the antivirus profile cannot scan the encrypted content.

90
MCQ (easy)

Which inspection mode in the antivirus profile processes traffic by buffering the entire file before scanning, allowing more thorough detection but potentially increasing latency?

A. Proxy-based inspection
B. Deep inspection
C. DNS inspection
D. Flow-based inspection
Answer: A

Proxy-based inspection buffers the entire file before scanning, enabling thorough analysis.

Why this answer

Option A is correct. Proxy-based inspection buffers the entire file for scanning, which can detect threats more accurately but introduces latency. Flow-based inspection scans packets as they pass through without full buffering.

91
Multi-Select (medium)

A FortiGate administrator wants to block access to Facebook for all internal users. However, the administrator must ensure that the CEO's computer (IP 10.0.0.100) is exempted. Which TWO steps should the administrator take? (Choose two.)

Select 2 answers
A. Add the CEO's IP to the application control profile's 'exempt IP' list.
B. Configure an IP exemption in the application control profile.
C. Create an application control profile with a rule to block 'Facebook' and apply it to the firewall policy for all users.
D. Create a firewall policy above the blocking policy that allows traffic from the CEO's IP to Facebook, with no application control profile.
E. Use a web filter profile with a URL block for 'facebook.com' instead of application control.
Answers: C, D

This blocks Facebook for general users.

Why this answer

The correct answers are C and D. Create a blocking profile and apply it to a policy for general users, then create a higher-priority policy above it that allows the CEO's traffic without the blocking profile.

92
Multi-Select (medium)

An administrator wants to detect and prevent malware outbreaks. The FortiGate is integrated with FortiSandbox. Which TWO actions should be taken to ensure files are sent to FortiSandbox for analysis?

Select 2 answers
A. Set the firewall policy inspection mode to flow-based
B. Enable FortiSandbox in the antivirus profile settings
C. Enable deep inspection for HTTPS traffic
D. Disable the antivirus profile on the policy
E. Configure the firewall policy inspection mode to proxy-based
Answers: B, E

The antivirus profile has an option to send files to FortiSandbox.

Why this answer

To leverage FortiSandbox, the antivirus profile must be configured to send files to FortiSandbox, and the inspection mode must be proxy-based for file submission.

93
MCQ (medium)

A company wants to block all peer-to-peer (P2P) traffic using Application Control on their FortiGate. They have enabled the application control profile, but users can still download files via BitTorrent. What is the most likely reason?

A. The application control profile does not have SSL inspection enabled.
B. The FortiGate is operating in Transparent mode.
C. The application control profile is applied to the outgoing policy, but BitTorrent traffic is incoming.
D. The default application signatures do not include BitTorrent.
Answer: A

Without SSL inspection, encrypted BitTorrent traffic cannot be inspected and matched.

Why this answer

BitTorrent traffic is often encrypted, so without SSL inspection, the FortiGate cannot inspect the payload of the encrypted sessions to identify the application. Application Control relies on deep packet inspection (DPI) to match traffic against application signatures; if SSL inspection is not enabled, the FortiGate only sees encrypted packets and cannot detect BitTorrent, allowing the traffic to pass unchecked.

Exam trap

The trap here is that candidates often assume application control works on all traffic regardless of encryption, but FortiGate requires SSL inspection to identify applications that use encryption, such as BitTorrent.

How to eliminate wrong answers

Option B is wrong because Transparent mode does not affect the ability to perform application control; the FortiGate can still inspect traffic and apply profiles in Transparent mode. Option C is wrong because BitTorrent traffic can be both incoming and outgoing; application control policies apply to the direction specified, and blocking outgoing P2P traffic is standard, so the direction is not the issue. Option D is wrong because FortiGate's default application signatures do include BitTorrent; the problem is that the signatures cannot match encrypted traffic without SSL inspection.

94
MCQ (medium)

A FortiGate administrator is configuring SSL deep inspection for a firewall policy that handles traffic to multiple internal servers. Some servers have self-signed certificates. The administrator wants to avoid certificate errors for users. What configuration is recommended?

A. Configure the firewall policy to accept invalid certificates
B. Use certificate inspection instead of deep inspection
C. Add the server certificates to the FortiGate's trusted CA store
D. Disable deep inspection for those servers
Answer: C

Why this answer

Adding the self-signed server certificates to the FortiGate's trusted CA store allows the FortiGate to trust them during deep inspection, preventing certificate errors for users. Disabling deep inspection or using certificate inspection would not inspect payloads.

95
MCQ (hard)

An administrator has configured DLP sensors to detect credit card numbers in outgoing traffic. However, the administrator notices that traffic containing credit card numbers is still passing through undetected. The firewall policy uses flow-based inspection. What is the MOST likely reason DLP is not detecting the data?

A. DLP requires proxy-based inspection to perform data leakage detection.
B. The DLP sensor is not applied to the correct firewall policy.
C. The DLP sensor is configured with the wrong regular expression.
D. The credit card numbers are encrypted by SSL and deep inspection is not enabled.
Answer: A

DLP scanning requires proxy-based inspection because it needs to buffer the content for pattern matching.

Why this answer

Option A is correct. DLP requires proxy-based inspection to buffer and analyze the content. Flow-based inspection does not support DLP.

96
MCQ (medium)

A company with 500 users has a FortiGate 1000D running FortiOS 7.2. They have configured full SSL inspection and web filtering to block malware and phishing sites. The administrator receives complaints that some users cannot access a legitimate business website (https://vendor.example.com). The administrator checks the FortiGate logs and sees that the connection is allowed by the firewall policy and web filter. However, the user's browser shows 'ERR_CERT_AUTHORITY_INVALID'. The administrator verifies that the FortiGate's CA certificate is installed on all client machines. Further investigation reveals that the vendor's website uses a certificate signed by a private CA that is not trusted by the FortiGate. The administrator wants to resolve the issue without disabling SSL inspection for the whole website or compromising security. What should the administrator do?

A. Create an SSL exemption for the vendor's domain in the SSL inspection profile.
B. Import the vendor's private CA certificate into the FortiGate's trusted root CA store.
C. Change the SSL inspection profile to certificate inspection only.
D. Install the vendor's CA certificate on the client machines.
Answer: B

This allows the FortiGate to validate the vendor's certificate and issue a trusted session certificate.

Why this answer

The FortiGate cannot validate the vendor's certificate because its private CA is not in the FortiGate's trusted root store. By importing that CA certificate into the FortiGate's trusted root CA store, the FortiGate will trust the vendor's certificate chain, allowing full SSL inspection to proceed without errors. This resolves the ERR_CERT_AUTHORITY_INVALID error while maintaining security inspection for the domain.

Exam trap

The trap here is that candidates often assume the client-side CA certificate installation is sufficient, but the FortiGate itself must also trust the server's issuing CA to perform full SSL inspection without errors.

How to eliminate wrong answers

Option A is wrong because creating an SSL exemption bypasses inspection entirely for the domain, which compromises security by allowing encrypted traffic to pass without inspection. Option C is wrong because changing to certificate inspection only would disable deep packet inspection for all traffic, reducing security posture and not specifically addressing the untrusted CA issue. Option D is wrong because the client machines already have the FortiGate's CA certificate installed; the issue is that the FortiGate itself does not trust the vendor's private CA, so installing it on clients does not fix the server-side validation failure.

97
MCQ (medium)

A FortiGate administrator configures an IPS sensor with a signature that has a 'pass' action. The sensor is applied to a firewall policy. When traffic matches this signature, what will happen?

A. The traffic is allowed without any logging.
B. The traffic is reset and a log is generated.
C. The traffic is allowed but a log message is generated.
D. The traffic is blocked and logged.
Answer: C

Pass action allows the traffic and logs the event.

Why this answer

Option C is correct. The 'pass' action in IPS means the traffic is allowed through, but an event is logged.

98
MCQ (hard)

An administrator sees the following CLI output when checking an IPS sensor: 'config ips sensor edit test config entries edit 1 set severity medium set action block set target default end'. However, attacks with severity medium are still passing. The IPS sensor is applied to a policy with flow-based inspection. What is the likely issue?

A. The IPS sensor is not enabled in the policy
B. The IPS sensor rule has 'target' set to 'default' which may not apply to the traffic direction
C. The FortiGate needs a FortiSandbox for IPS to work
D. The severity level is set too high
Answer: B

For flow-based inspection, target must be 'client' or 'server' to match direction. 'default' may not work as expected.

Why this answer

In flow-based inspection, the IPS sensor rules may require that the protocol decoder be enabled or that the traffic matches the rule's target (client, server, default). The output shows 'target default' which might not match the traffic flow.

99
MCQ (medium)

A company wants to block downloads of executable files via HTTP and HTTPS while allowing other content. Which combination of security profiles should be applied to the firewall policy?

A. Web Filtering and Antivirus
B. Application Control and Antivirus
C. Web Filtering and IPS
D. DNS Filtering and Web Filtering
Answer: A

Web filtering blocks file types, antivirus scans for malware.

Why this answer

To block executable file downloads over HTTP and HTTPS while allowing other content, a Web Filtering profile is required to filter based on URL category or content type, and an Antivirus profile is needed to scan and block files (such as .exe) within the HTTP/HTTPS stream. The Antivirus profile can detect and block executable files by file signature or MIME type, while Web Filtering controls access to download sites or file types. Together, they provide layered defense against malicious executable downloads without affecting other web content.

Exam trap

The trap here is that candidates often think Application Control can block file downloads, but Application Control only identifies applications, not file types within allowed protocols, while Antivirus is required for file-level blocking.

How to eliminate wrong answers

Option B is wrong because Application Control identifies and controls applications (e.g., Skype, Dropbox) but does not filter file types within HTTP/HTTPS traffic; it cannot block .exe downloads specifically. Option C is wrong because IPS (Intrusion Prevention System) detects and blocks network-based attacks and exploits, not file-type filtering; it cannot prevent executable downloads unless they contain a known exploit signature. Option D is wrong because DNS Filtering blocks access to domains based on DNS queries, but it does not inspect or block specific file types within allowed HTTP/HTTPS traffic; it only prevents resolution of malicious domains.

100
MCQ (hard)

An administrator enables deep inspection for HTTPS traffic. Users report that they cannot access some websites because of certificate errors. The administrator wants to override these errors and allow access. What should be configured?

A. Disable certificate verification in the deep inspection profile
B. Add the websites to the 'FortiGuard category' allow list
C. Configure the web filter to allow these websites
D. Add the websites to the 'SSL/SSH exemption' list in the deep inspection profile
Answer: D

The SSL/SSH exemption list allows specific domains to bypass deep inspection, thus avoiding certificate errors while still protecting other traffic.

Why this answer

In FortiOS, deep inspection can generate certificate errors for sites with self-signed or mismatched certificates. To allow access despite errors, the administrator can add the affected domains to the 'SSL/SSH exemption' list in the deep inspection profile. This exempts those sites from deep inspection, avoiding the certificate error.

101
MCQ (easy)

What is the purpose of enabling 'DNS filter' in a security profile?

A. To cache DNS responses for faster browsing
B. To prevent DNS tunneling attacks
C. To enforce safe search on search engines
D. To block DNS queries to known malicious domains
Answer: D

DNS filter inspects DNS traffic and blocks resolution of malicious domains.

Why this answer

Option D is correct: DNS filter blocks malicious domains based on FortiGuard category or custom lists by inspecting DNS queries and responses.

102
MCQ (medium)

An administrator wants to allow access to a specific website that is blocked by the FortiGuard web filter category 'Social Networking'. The administrator creates a URL filter override to allow the site. After applying, the site is still blocked. What should the administrator check?

A. Ensure the URL filter rule is placed above the FortiGuard category block in the web filter profile
B. Disable the FortiGuard category rating for Social Networking
C. Ensure the URL filter rule is set to 'exempt' instead of 'allow'
D. Set the web filter profile to use 'monitor' for the Social Networking category
Answer: A

URL filter rules are processed in order. If a later rule (e.g., FortiGuard category) blocks, the earlier allow may not take effect unless it's an 'exempt' action.

Why this answer

URL filter overrides take precedence over FortiGuard categories only if the URL filter action is set appropriately and the override is applied before the FortiGuard check. Additionally, the order of rules matters: URL filter rules are evaluated before FortiGuard categories, but the action must be 'allow' and the override must be enabled.

103
MCQ (medium)

An administrator configures a data leak prevention (DLP) profile to detect credit card numbers in outgoing emails. However, no violations are logged. The email filter profile is applied with the DLP profile on the same policy. What is the most likely cause?

A. The credit card numbers are being sent in PDF attachments, which are not scanned
B. The DLP profile is not applied to SMTP traffic
C. The FortiGate needs a FortiSandbox license for DLP to work
D. The SSL inspection profile on the policy is set to 'certificate-inspection' only
Answer: D

Email traffic may be encrypted via TLS. Certificate inspection does not decrypt traffic, so DLP cannot scan the content.

Why this answer

DLP scanning requires that the traffic be inspected. If the traffic is encrypted and not decrypted, DLP cannot see the content.

104
MCQ (easy)

What is the purpose of the 'DNS Filter' feature on a FortiGate?

A. To block DNS queries to malicious domains based on FortiGuard category and allow/block lists.
B. To cache DNS queries for faster resolution.
C. To encrypt DNS traffic to prevent eavesdropping.
D. To filter the content of DNS responses from legitimate servers.
Answer: A

DNS Filter inspects DNS queries and can block those to malicious or unwanted domains, preventing users from reaching those sites even if the IP is known.

105
MCQ (easy)

What is the PRIMARY purpose of enabling 'Safe Search' in a web filter profile?

A. To block all search engines
B. To prevent users from using HTTPS search engines
C. To enforce safe search settings on supported search engines like Google and Bing
D. To log all search queries
Answer: C

Why this answer

Safe Search enforces the safe search feature of popular search engines (e.g., Google, Bing) to filter explicit content from search results. It does not block search engines or HTTPS.

106
MCQ (easy)

Which IPS detection method uses a baseline of normal traffic and alerts when deviations exceed a threshold?

A. Anomaly detection
B. Rate-based detection
C. Signature-based detection
D. Protocol decode-based detection
Answer: A

Anomaly detection establishes a baseline and flags abnormal traffic.

Why this answer

Anomaly detection learns normal traffic patterns and triggers when traffic deviates significantly.

107
MCQ (easy)

Which of the following best describes the function of FortiGuard web filtering categories?

A. They are used to quarantine infected files
B. They block specific IP addresses known for hosting malware
C. They provide a list of allowed websites only
D. They categorize websites to allow granular control over access based on content type
Answer: D

This is the primary purpose: to enable policy-based control by website category.

Why this answer

FortiGuard categories classify websites into groups (e.g., Social Networking, Pornography) so administrators can define actions (allow, block, monitor) for each group in the web filter profile.

108
Multi-Select (hard)

An administrator receives alerts about a possible data breach. Sensitive data (credit card numbers) might be leaving the network via email. The admin wants to detect and block such emails. Which THREE security profiles should be combined?

Select 3 answers
A. Web filter profile
B. SSL deep inspection profile
C. Email filter profile
D. Data leak prevention (DLP) profile
E. Antivirus profile
Answers: B, C, D

Needed to inspect encrypted email connections.

Why this answer

Options B, C, and D are correct: DLP (D) detects credit card numbers in content; the email filter (C) processes SMTP traffic; SSL deep inspection (B) is needed if email uses TLS.

109
MCQ (medium)

An administrator wants to block users from uploading sensitive documents through webmail. Which security profile should be configured on the FortiGate to achieve this goal?

A.Data Leak Prevention (DLP)
B.Antivirus
C.Application control
D.Web filter
AnswerA

DLP can inspect file content and block uploads containing sensitive data patterns, such as credit card numbers or confidential labels.

Why this answer

Option A is correct because DLP profiles can block data based on content inspection, including file uploads to webmail.

110
MCQeasy

Refer to the exhibit. An administrator has created an IPS sensor with two entries. The first entry sets severity 'medium' and action 'block'. The second entry sets severity 'critical' and action 'block'. What will happen when a packet triggers an IPS signature with severity 'low'?

A.The packet will be allowed (pass).
B.The packet will be logged and a session will be created.
C.The packet will be blocked if the signature severity is 'low' or 'high'.
D.The packet will be blocked because the sensor is enabled.
AnswerA

Signatures not matching any entry use the default action 'pass'.

Why this answer

The IPS sensor in the exhibit defines rules only for severity 'medium' and 'critical', both with action 'block'. When a packet triggers a signature with severity 'low', it does not match any entry in the sensor. Therefore, the default action for unmatched signatures is to allow (pass) the traffic.

FortiGate IPS sensors apply actions only to explicitly configured severity levels; unlisted severities are not affected.

Exam trap

The trap here is that candidates assume an enabled IPS sensor blocks all traffic by default, but FortiGate IPS sensors only apply actions to signatures whose severity is explicitly listed in the sensor entries.

How to eliminate wrong answers

Option B is wrong because logging and session creation are not automatic for unmatched severity levels; they only occur if the sensor entry specifies 'log' or if the signature action is triggered. Option C is wrong because the sensor does not block 'low' severity signatures, and 'high' severity is not even listed in the sensor entries. Option D is wrong because simply enabling the sensor does not block all traffic; blocking only happens for signatures that match an entry with a 'block' action.

111
MCQhard

A FortiGate is configured with an IPS profile that includes a signature with a 'Pass' action. The firewall policy uses this IPS profile. What will happen when traffic matching that signature is detected?

A.The traffic is allowed, but the session is reset
B.The traffic is allowed without logging
C.The traffic is blocked and logged
D.The traffic is blocked and the session is reset
AnswerB

Pass action permits traffic and by default does not generate a log (unless logging is separately enabled).

Why this answer

Option B is correct. A 'Pass' action means the traffic is allowed and not logged (unlike 'Allow', which logs). The signature will generate an event but will not drop or reset the session.

112
MCQmedium

A FortiGate admin notices that HTTPS traffic to a web server is not being scanned by the antivirus profile applied to the firewall policy. The admin confirms the policy is correct and antivirus is enabled. What is the MOST likely reason the traffic is not being scanned?

A.SSL/TLS deep inspection is not enabled on the firewall policy
B.The antivirus profile is configured for flow-based inspection instead of proxy-based
C.The web server's certificate is self-signed and FortiGate is rejecting the connection
D.The FortiGuard antivirus subscription has expired
AnswerA

HTTPS traffic is encrypted, so FortiGate cannot inspect the payload unless SSL deep inspection decrypts the TLS session first. The antivirus profile therefore requires deep inspection to be enabled on the policy.

Why this answer

Option A is correct because HTTPS uses TLS encryption. Without SSL deep inspection enabled on the policy, FortiGate cannot decrypt and inspect the content of HTTPS traffic. The antivirus profile will only scan unencrypted traffic or traffic that deep inspection has decrypted first.

113
MCQmedium

An administrator wants to integrate FortiSandbox with a FortiGate to analyze suspicious files. Which security profile must be configured to send files to FortiSandbox?

A.Application Control profile with FortiSandbox enabled
B.Antivirus profile with FortiSandbox enabled
C.IPS profile with FortiSandbox enabled
D.Web Filter profile with FortiSandbox enabled
AnswerB

Why this answer

FortiSandbox integration is configured within the antivirus profile. When enabled, files that trigger certain conditions are sent to FortiSandbox for advanced analysis. Other profiles do not directly support FortiSandbox submission.

114
MCQhard

A company with 500 employees uses FortiGate as their internet gateway. They recently enabled SSL deep inspection using the built-in CA certificate. After deployment, many users report that they cannot access their online banking websites. The error message in the browser says 'The certificate is not trusted'. The administrator has already pushed the FortiGate CA certificate to all domain-joined computers via Group Policy. However, the problem persists for banking sites. The administrator also notices that banking sites load fine on mobile devices that do not have the CA certificate installed. What is the most likely cause and solution?

A.Disable SSL inspection entirely to avoid certificate issues.
B.The CA certificate is not properly installed on all computers. Re-deploy via Group Policy.
C.Use certificate inspection instead of deep inspection for all traffic.
D.Banking websites use certificate pinning. Exempt them from deep inspection using an SSL inspection exemption list.
AnswerD

Certificate pinning causes errors with re-signed certificates. Exempting prevents decryption.

Why this answer

Banking websites often use HTTP Public Key Pinning (HPKP) or certificate pinning, where the browser expects a specific certificate or public key from the server. When FortiGate performs SSL deep inspection, it re-signs the server's certificate with its own CA, breaking the pinning validation. This causes the 'certificate not trusted' error even when the FortiGate CA is trusted, because the browser detects that the presented certificate does not match the pinned certificate.

The correct solution is to exempt banking sites from deep inspection using an SSL inspection exemption list, allowing the original server certificate to pass through.

Exam trap

The trap here is that candidates assume the issue is always a missing CA certificate deployment, but the real problem is certificate pinning, which causes trust failures even when the CA is trusted, because the browser checks the pinned certificate hash against the presented certificate.

How to eliminate wrong answers

Option A is wrong because disabling SSL inspection entirely would remove security visibility for all HTTPS traffic, which is an overreaction and not necessary; the issue is specific to pinned certificates. Option B is wrong because the problem persists despite the CA certificate being properly deployed via Group Policy; the error is not due to missing CA trust but to certificate pinning validation failure. Option C is wrong because switching all traffic to certificate inspection (which examines only the certificate metadata, not the content) would present the original server certificate to the browser and so would satisfy the pinning check, but it is a global change that gives up content inspection for every HTTPS site; the targeted fix is to exempt only the pinned banking sites from deep inspection.

115
Drag & Dropmedium

Drag and drop the steps to perform a factory reset on FortiGate via CLI into the correct order.


Why this order

Factory reset is done with execute factoryreset, then confirm; device reboots to defaults.

116
MCQhard

Given the above IPS sensor configuration, what will happen when traffic matching a high-severity IPS signature is detected?

A.The traffic will be logged but not blocked.
B.The traffic will be blocked only if the signature is enabled globally.
C.The traffic will be blocked because the sensor has a block action.
D.The traffic will be allowed because no entry exists for high severity.
AnswerD

High-severity signatures are not in the sensor, so they are allowed.

Why this answer

Option D is correct because the IPS sensor configuration shown does not include an entry for high-severity signatures. Without a specific action defined for high severity, the sensor defaults to allowing the traffic while still generating a log entry. This is a common behavior in FortiGate IPS where only explicitly configured severity levels have defined actions.

Exam trap

The trap here is that candidates assume high-severity signatures are automatically blocked by default, but FortiGate requires explicit action configuration per severity level, and the default action is to allow.

How to eliminate wrong answers

Option A is wrong because logging without blocking would require a 'monitor' or 'pass' action explicitly configured for high severity, which is absent. Option B is wrong because global signature enablement does not override the per-severity action configuration; the sensor's action table determines blocking, not global status. Option C is wrong because the sensor does not have a block action for high severity; the block action is only defined for critical and medium severity levels in the provided configuration.

117
MCQhard

An administrator has configured an IPS sensor to block critical-severity attacks. However, after a week, they notice that a known exploit (CVE-2021-44228) is still getting through. Which configuration change should be made to improve detection?

A.Set the IPS sensor severity filter to 'low' and above.
B.Change the IPS sensor action from 'default' to 'block' for all signatures.
C.Create a custom IPS signature for the exploit.
D.Enable the specific IPS signature for the exploit in the sensor.
AnswerD

The signature may be present but disabled; enabling it allows detection.

Why this answer

Option D is correct because the IPS sensor must have the specific signature for CVE-2021-44228 (Log4Shell) enabled to detect and block it. Even if the sensor is set to block critical-severity attacks, the signature for this exploit may be disabled by default in the sensor's signature database. Enabling the specific signature ensures the sensor inspects traffic for the exploit's unique patterns and applies the configured action.

Exam trap

The trap here is that candidates assume setting the severity filter to 'critical' or changing the action to 'block' globally will catch all critical exploits, but they forget that individual signatures must be explicitly enabled in the sensor to be evaluated.

How to eliminate wrong answers

Option A is wrong because lowering the severity filter to 'low' and above would cause the sensor to process more signatures, but it does not enable a disabled signature; the exploit's signature may still be disabled regardless of severity. Option B is wrong because changing the action from 'default' to 'block' for all signatures would override per-signature actions and could cause false positives or performance issues, but it still does not enable a disabled signature. Option C is wrong because creating a custom IPS signature is unnecessary when the vendor (Fortinet) already provides a signature for CVE-2021-44228; the issue is that the signature is disabled, not missing.

118
MCQeasy

Which FortiGate security feature can be used to block outgoing emails that contain specific keywords, such as confidential information?

A.Email Filter
B.Web Filter
C.Application Control
D.Antivirus
AnswerA

Why this answer

Email Filter profiles can scan SMTP, POP3, and IMAP traffic for keywords and patterns in email content. Antivirus scans for malware, web filter for URLs, application control for apps.

119
MCQhard

An administrator runs the CLI command: 'diagnose sys session list | grep -i dns' and sees sessions with dst port 53. The administrator has configured a DNS filter profile on the firewall policy. However, DNS requests are not being filtered. What is the MOST likely cause?

A.The DNS filter profile is applied to the wrong policy direction
B.DNS filtering requires proxy-based inspection mode on the policy
C.The DNS filter profile has no rules defined
D.The FortiGate is in transparent mode
AnswerB

Why this answer

DNS filtering in FortiOS requires proxy-based inspection mode. If the policy is set to flow-based, DNS filtering will not work. The administrator should change the inspection mode to proxy.

120
MCQhard

An administrator runs the command 'diagnose ips anomaly list' and sees many entries for 'tcp_src_session' with high counts. Users report slow internet. What is the most likely issue?

A.The IPS signature database is corrupted
B.The FortiGate has a hardware failure
C.A host on the network is infected with malware that is generating many outbound connections
D.The FortiGate is under a DDoS attack
AnswerC

A single source with excessive sessions is typical of malware or P2P activity.

Why this answer

High tcp_src_session counts indicate many TCP sessions from a single source, often due to a host generating excessive connections (e.g., malware or P2P).

121
Multi-Selectmedium

An administrator wants to prevent sensitive data (e.g., credit card numbers) from being sent out of the network via email. Which THREE components must be configured to achieve this?

Select 3 answers
A.A firewall policy that allows email traffic and applies the email filter profile
B.SSL deep inspection to decrypt email traffic if encrypted
C.An application control profile to block email applications
D.An email filter profile that includes the DLP sensor
E.A DLP sensor with a credit card number pattern
AnswersA, D, E

The policy is where the profile is applied to the traffic.

Why this answer

To block sensitive data via email, you need: a DLP sensor to define the data pattern, an email filter profile to apply the DLP sensor to email traffic, and a firewall policy that applies the email filter profile to SMTP/IMAP traffic.

122
MCQmedium

A company recently deployed FortiGate with application control to manage cloud application usage. They want to allow Google Drive for business but block personal Google accounts. Which application control configuration approach is most effective?

A.Use web filtering to block the URL of personal Google Drive.
B.Configure IPS to block personal Google Drive traffic.
C.Use application control with specific signatures for 'Google Drive Business' and 'Google Drive Personal' and apply appropriate actions.
D.Create a rule to block all Google Drive applications.
AnswerC

Application control signatures can distinguish between business and personal versions.

Why this answer

Option C is correct because FortiGate's application control uses application signatures to distinguish between different versions of the same application, such as 'Google Drive Business' and 'Google Drive Personal'. By configuring specific signatures with appropriate actions (allow for business, block for personal), you can enforce granular control over cloud application usage without affecting legitimate business traffic.

Exam trap

The trap here is that candidates often confuse web filtering (URL-based) with application control (signature-based), assuming that blocking a URL will effectively block personal accounts, but in reality, both account types use the same URL and only differ in application-layer metadata.

How to eliminate wrong answers

Option A is wrong because web filtering blocks URLs, but personal and business Google Drive often share the same base URL (drive.google.com), making URL-based blocking ineffective for distinguishing between account types. Option B is wrong because IPS is designed to detect and prevent network attacks and exploits, not to enforce application-level access policies based on user account type. Option D is wrong because blocking all Google Drive applications would also block the legitimate business use of Google Drive, which contradicts the requirement to allow business accounts.

123
MCQmedium

An organization wants to prevent users from downloading files with extensions such as .exe and .scr via HTTP and HTTPS. The FortiGate already has a web filter profile applied to the relevant policy. Which web filter feature should be configured to achieve this?

A.FortiGuard category filtering set to block 'Malicious Websites'
B.A static URL filter block rule for the file extensions
C.URL filter with a block rule for *\.exe and *\.scr patterns
D.Content filtering with a block rule for the file extensions
AnswerD

Content filtering can block based on file extension patterns in HTTP responses, including for HTTPS if SSL inspection is enabled.

Why this answer

Option D is correct. Content filtering inspects HTTP response bodies and can block file downloads by extension. For HTTPS, SSL deep inspection must be enabled.

124
Multi-Selectmedium

Which TWO of the following are required for full SSL inspection to work correctly?

Select 2 answers
A.The private key of each server certificate that will be inspected.
B.The FortiGate's CA certificate installed in the Trusted Root Certification Authorities store on client machines.
C.An intermediate CA certificate imported from the enterprise PKI.
D.A certificate on the FortiGate to generate session certificates.
E.A certificate signed by a public CA installed on the FortiGate.
AnswersB, D

Without this, clients will see certificate errors.

Why this answer

For full SSL inspection, the FortiGate must generate a session certificate on-the-fly for each HTTPS connection after decrypting it. This requires a CA certificate on the FortiGate to sign those session certificates. Additionally, client machines must trust this CA certificate, so it must be installed in their Trusted Root Certification Authorities store; otherwise, browsers will show certificate warnings and block the connection.

Exam trap

The trap here is that candidates often think the FortiGate needs the server's private key (Option A) to decrypt traffic, but in reality, full SSL inspection uses a man-in-the-middle approach where the FortiGate generates its own session certificates, requiring only its own CA certificate and client trust.

125
Multi-Selecthard

An administrator is troubleshooting why an application control profile is not detecting a custom application that uses a non-standard port. The administrator wants to ensure the application is properly identified. Which THREE steps should the administrator take? (Choose three.)

Select 3 answers
A.Set the application control action to 'block' for the application
B.Add a custom application signature based on the traffic pattern
C.Disable flow-based inspection and use proxy-based only
D.Ensure the application control profile is applied to the correct firewall policy
E.Enable SSL deep inspection if the application uses encryption
AnswersB, D, E

If the built-in signatures don't cover the custom app, a custom signature can be created.

Why this answer

Application control relies on signatures that may require specific settings like 'deep inspection' for encrypted traffic, adding custom signatures, or ensuring the traffic is not bypassing the FortiGate. Additionally, using an application group can help organize custom signatures.

126
MCQmedium

An organization uses FortiSandbox to detect advanced threats. The administrator wants to ensure that files downloaded from the internet are sent to FortiSandbox for analysis before being delivered to users. Which Antivirus profile setting should be configured?

A.Enable 'Inline Scan' for FortiSandbox
B.Enable 'FortiSandbox Monitoring'
C.Enable 'FortiSandbox Quarantine'
D.Set 'Scan Mode' to 'Quick'
AnswerA

Inline scanning sends files to FortiSandbox and holds delivery until a verdict is reached.

Why this answer

Option A is correct. The 'FortiSandbox Inline Scan' option sends files to FortiSandbox and waits for a verdict before allowing or blocking the file.

127
Multi-Selecthard

Which THREE steps are necessary when configuring SSL deep inspection on FortiGate? (Choose three.)

Select 3 answers
A.Add a static route to the internet.
B.Create an SSL inspection profile defining the inspection mode.
C.Configure a forward proxy server.
D.Apply the SSL inspection profile to a firewall policy.
E.Generate or import a CA certificate on FortiGate.
AnswersB, D, E

Profile defines deep inspection settings.

Why this answer

Option B is correct because an SSL inspection profile defines how FortiGate handles encrypted traffic, including the inspection mode (e.g., full or certificate-inspection). This profile is a mandatory component for deep inspection, as it specifies whether to decrypt, re-encrypt, or simply examine certificates.

Exam trap

The trap here is that candidates often confuse general network configuration steps (like static routes) with SSL inspection-specific steps, or mistakenly think a separate forward proxy server must be configured, when in fact FortiGate handles the proxy role internally.

128
Multi-Selectmedium

A FortiGate is configured with an application control profile to allow only 'business-approved' applications. Users are still able to use Skype for Business. The admin wants to ensure that only Skype for Business is allowed and other Skype variants are blocked. Which THREE steps should the admin take? (Choose three.)

Select 3 answers
A.Identify the exact application signatures for Skype for Business
B.Apply the application control profile to the firewall policy
C.Enable logging for all traffic to verify the application being used
D.Create a custom application signature for Skype for Business
E.Block all other Skype-related application signatures
AnswersA, B, E

Needed to allow only the correct application.

Why this answer

Options A, B, and E are correct. The admin should identify the correct application signature for Skype for Business, apply the application control profile to the firewall policy, and block the other Skype signatures. Creating a custom signature is not necessary because the signatures already exist.

Logging all traffic is not directly needed for blocking.

129
MCQmedium

An administrator wants to allow users to override a blocked category (e.g., Social Networking) by entering an administrator-defined password. Which of the following must be configured?

A.Configure a DNS filter to bypass the block
B.Create a separate firewall policy with a higher priority that permits the traffic
C.Set the web filter profile to 'Monitor' mode instead of 'Block'
D.Enable 'Override' in the Web Filter profile and configure an authentication scheme
AnswerD

Override requires both enabling the feature and setting up authentication (e.g., local password).

Why this answer

Option D is correct. Web filter override allows users to request access to blocked sites by providing a password. The override must be enabled in the web filter profile and a FortiGate authentication scheme must be set up.

130
MCQmedium

An administrator configures an email filter profile to block spam. Despite correct configuration, spam emails still reach users' inboxes. The FortiGate is deployed as a transparent bridge. What is the most likely reason?

A.The FortiGate does not have a valid FortiGuard license
B.The emails are encrypted with TLS and deep inspection is not enabled
C.The email filter profile is set to 'monitor' instead of 'block'
D.The firewall policy is using flow-based inspection, which does not support SMTP proxy
AnswerD

Email filtering for SMTP requires proxy-based inspection to work effectively. Flow-based may not apply the profile properly.

Why this answer

In transparent mode, the FortiGate forwards SMTP traffic without acting as a proxy unless explicitly configured for SMTP proxy. Email filtering requires proxy-based inspection for SMTP.

131
Multi-Selectmedium

A FortiGate is configured with a firewall policy that applies an Application Control profile and a Web Filter profile. The administrator wants to log all traffic blocked by the Web Filter profile. Which TWO configurations are required?

Select 2 answers
A.Enable 'Log All Blocked Sites' in the Web Filter profile
B.Set the global 'Logging' setting to 'Verbose'
C.Configure the Application Control profile to log blocked traffic
D.Enable 'Log All Traffic' or 'Log Violation Traffic' on the firewall policy
E.Enable 'Log All Allowed Sites' in the Web Filter profile
AnswersA, D

This enables logging for blocked web sites in the web filter profile.

Why this answer

Options A and D are correct. Logging of blocked traffic must be enabled in the Web Filter profile (A), and the firewall policy must have logging enabled (D) to capture the logs.

132
MCQmedium

An administrator wants to block an application named 'Skype' on the network. They create an application control profile and add a rule to block 'Skype'. However, after applying the profile to the policy, users can still use Skype. What is the most likely reason?

A.The application control profile is not enabled on the firewall policy
B.The application signature for Skype is outdated
C.The application control rule is set to 'monitor' instead of 'block'
D.Skype traffic is encrypted and SSL deep inspection is not enabled
AnswerD

Skype uses encryption. Without SSL deep inspection, the FortiGate cannot inspect the traffic to identify the application.

Why this answer

Application control requires that the traffic be visible to the FortiGate. If Skype is allowed to bypass inspection (e.g., because SSL deep inspection is not enabled, or because the application uses a non-standard port not monitored), the rule may not match.

133
MCQeasy

Which security profile component is specifically designed to prevent data exfiltration by inspecting outgoing traffic for sensitive data patterns?

A.Application Control
B.Data Leak Prevention (DLP)
C.Antivirus
D.Web Filter
AnswerB

DLP is designed to detect and prevent unauthorized transmission of sensitive data.

Why this answer

Data Leak Prevention (DLP) is the security profile that inspects outgoing data for sensitive information like credit card numbers, social security numbers, etc., to prevent data leaks.

134
MCQmedium

An organization uses FortiSandbox to analyze suspicious files. The FortiGate is configured to send files to FortiSandbox for analysis when the antivirus scan fails to reach a verdict. Which antivirus inspection mode must be used on the firewall policy for this integration to work?

A.Both flow and proxy modes support FortiSandbox equally
B.Deep inspection
C.Proxy-based inspection
D.Flow-based inspection
AnswerC

Proxy-based inspection allows FortiGate to buffer the file and send it to FortiSandbox while holding the connection for verdict.

Why this answer

Option C is correct. Proxy-based inspection buffers the file and can hold the connection until FortiSandbox returns a verdict. Flow-based inspection does not support this hold-and-wait mechanism.

135
Multi-Selectmedium

A FortiGate administrator wants to block spam emails sent to the company's mail server. The mail server is behind the FortiGate. Which THREE configurations should be applied?

Select 3 answers
A.Enable DLP to filter spam
B.Configure Application Control to block email applications
C.Enable FortiGuard spam filtering in the Email Filter profile
D.Apply the Email Filter profile to the firewall policy that allows SMTP traffic to the mail server
E.Create an Email Filter profile with spam detection enabled
AnswersC, D, E

FortiGuard provides up-to-date spam signatures.

Why this answer

Options C, D, and E are correct. FortiGuard spam filtering enabled in the Email Filter profile (C), a firewall policy that applies the Email Filter profile to SMTP traffic destined for the mail server (D), and an Email Filter profile with spam detection enabled (E) are all required.

136
MCQeasy

A network administrator notices that a FortiGate IPS sensor is not detecting any attacks, even though there is known malicious traffic on the network. Which initial troubleshooting step should the administrator take?

A.Ensure the firewall policy is set to flow-based inspection.
B.Disable any DoS policies that might be blocking traffic.
C.Verify that the IPS engine is running and signatures are up to date.
D.Check that the FortiGate is configured in NAT mode.
AnswerC

If the engine is down or signatures outdated, detection fails.

Why this answer

Option C is correct because the first step in troubleshooting a non-functional IPS sensor is to verify that the IPS engine is running and that the IPS signatures are up to date. If the engine is stopped or signatures are outdated, the sensor cannot detect known malicious traffic regardless of other configurations. This foundational check ensures the detection mechanism itself is operational before investigating policy or mode settings.

Exam trap

The trap here is that candidates often jump to changing inspection modes or firewall policies, forgetting that the IPS engine must be running and signatures current for any detection to occur, which is the most basic and critical prerequisite.

How to eliminate wrong answers

Option A is wrong because flow-based inspection is not required for IPS; IPS can work with both flow-based and proxy-based inspection, and changing the inspection mode is not the initial troubleshooting step when the sensor is not detecting attacks. Option B is wrong because DoS policies are separate from IPS detection and disabling them would not enable IPS to detect attacks; they might block traffic but do not prevent IPS from analyzing it. Option D is wrong because NAT mode is unrelated to IPS detection; FortiGate can run IPS in both NAT and transparent mode, and the mode does not affect the IPS engine's ability to detect attacks.

137
MCQhard

A FortiGate administrator configures SSL deep inspection on a policy using a self-signed CA certificate. Users report that they see a certificate warning in their browsers when accessing HTTPS sites. What is the most effective solution to eliminate these warnings?

A.Use a publicly trusted CA certificate for the FortiGate
B.Disable deep inspection and use certificate inspection only
C.Add the websites to the exemption list in the SSL/SSH profile
D.Install the FortiGate's CA certificate on all client machines in the trusted root store
AnswerD

When clients trust the CA, they will not show warnings for certificates signed by that CA, which is what FortiGate does.

Why this answer

To avoid certificate warnings, the FortiGate's CA certificate must be trusted by all clients. Deploying the CA certificate via Group Policy ensures that all domain-joined machines trust certificates signed by the FortiGate.

138
MCQhard

A company is implementing SSL/TLS inspection on a FortiGate to monitor encrypted traffic. They want to ensure that traffic to high-risk categories is blocked, while traffic to financial sites is inspected but not blocked. The administrator creates an SSL inspection profile that deep-inspects all traffic except traffic to financial sites. However, users report that they cannot access financial websites. What is the most likely cause?

A.The web filter profile is configured to block financial websites, overriding the SSL inspection exemption.
B.The SSL inspection profile should be set to certificate-inspection instead of deep-inspection for financial sites.
C.The SSL inspection profile must be applied after the web filter profile in the firewall policy.
D.The SSL inspection profile should have deep-inspection disabled for all categories except financial.
AnswerA

The web filter profile is likely blocking the financial category despite the SSL inspection exemption.

Why this answer

The most likely cause is that the web filter profile applied in the same firewall policy is configured to block financial websites. Even though the SSL inspection profile exempts financial sites from deep inspection, the web filter profile operates independently and can block traffic based on URL category. Since the web filter is evaluated after SSL inspection, it will block the decrypted or even non-decrypted traffic to financial sites if the category is set to block, overriding the SSL inspection exemption.

Exam trap

The trap here is that candidates assume the SSL inspection exemption automatically prevents web filtering from blocking the traffic, but FortiGate applies web filter policies independently, so a block action in the web filter profile overrides any SSL inspection exemption.

How to eliminate wrong answers

Option B is wrong because certificate-inspection only validates the certificate without decrypting the payload, which would not allow the web filter to inspect the content; the issue is not about the inspection type but about the web filter blocking the category. Option C is wrong because the order of profiles within a firewall policy does not affect the evaluation; both SSL inspection and web filter profiles are applied in sequence, but the web filter can still block traffic regardless of the SSL inspection profile's exemption. Option D is wrong because disabling deep-inspection for all categories except financial would still allow the web filter to block financial sites if the web filter profile is configured to block them; the exemption in the SSL inspection profile does not prevent the web filter from blocking.

139
MCQ · easy

Which FortiGate feature allows you to block access to specific URL categories such as 'Social Media' or 'Gambling'?

A. Web Filtering
B. Antivirus
C. Intrusion Prevention System (IPS)
D. Application Control
Answer: A

Web Filtering is used to block or allow based on URL categories.

Why this answer

FortiGate's Web Filtering feature uses URL rating and category databases (e.g., FortiGuard) to block access to entire categories like 'Social Media' or 'Gambling' based on the destination URL. This is distinct from content inspection; it operates at the HTTP/HTTPS request level by matching the requested URL against predefined or custom category lists.

Exam trap

The trap here is confusing Application Control with Web Filtering. Both can block 'Social Media', but Application Control blocks based on application signatures (e.g., Facebook app traffic) while Web Filtering blocks based on URL categories; candidates often overlook that Application Control cannot block a website accessed via a browser if the URL category is not explicitly blocked.

How to eliminate wrong answers

Option B (Antivirus) is wrong because it scans file content for malware signatures, not URL categories. Option C (IPS) is wrong because it detects and blocks network-based attacks using signatures, not URL categorization. Option D (Application Control) is wrong because it identifies and controls applications based on traffic patterns (e.g., Facebook app), not URL categories, and can be bypassed if the app uses different protocols or ports.

140
MCQ · hard

A user reports that a legitimate website is being blocked by FortiGate web filtering. The administrator checks and finds that the URL category is 'Unrated'. What is the most likely cause?

A. The DNS server is not resolving the domain.
B. The website is new and not yet categorized by FortiGuard.
C. The web filter is configured to block all unrated sites.
D. The website is in the 'Blocked' category.
Answer: B

New sites are often 'Unrated' until categorized.

Why this answer

When a website is categorized as 'Unrated' in FortiGate web filtering, it means FortiGuard's web filtering database has not yet assigned a category to that URL. This commonly occurs for newly registered or recently launched websites that have not been crawled and classified by FortiGuard's rating infrastructure. The correct answer is B because the 'Unrated' status directly indicates the site is new and not yet categorized.

Exam trap

The trap here is that candidates may confuse the 'Unrated' category with a configuration setting (like blocking unrated sites) or a network issue (like DNS failure), rather than recognizing it as a FortiGuard rating status indicating the site has not yet been classified.

How to eliminate wrong answers

Option A is wrong because DNS resolution is unrelated to URL categorization; a DNS failure would result in a connection error, not an 'Unrated' category. Option C is wrong because while a web filter policy can be configured to block unrated sites, the question asks for the most likely cause of the 'Unrated' category itself, not the blocking action. Option D is wrong because if the website were in the 'Blocked' category, it would show that specific category in the logs, not 'Unrated'.

141
Multi-Select · hard

Which THREE factors should be considered when tuning IPS to reduce false positives?

Select 3 answers
A. Excluding trusted source IP addresses from certain signatures.
B. Enabling hardware acceleration for IPS processing.
C. Increasing the sensitivity of signatures to catch more attacks.
D. Adjusting the severity threshold for which signatures generate alerts.
E. Creating IPS filters to whitelist specific traffic patterns.
Answers: A, D, E

Excluding known good traffic reduces false positives.

Why this answer

Option A is correct because excluding trusted source IP addresses from certain signatures prevents the IPS from generating alerts for traffic that is known to be legitimate, directly reducing false positives. This is a common tuning technique in FortiGate IPS where you can create exceptions for specific sources or destinations to avoid unnecessary alerts from benign traffic.

Exam trap

The trap here is that candidates often confuse performance optimization (hardware acceleration) with accuracy tuning, or mistakenly think that increasing sensitivity reduces false positives, when in fact it does the opposite.

142
MCQ · medium

An administrator has configured an SSL deep inspection profile with 'certificate inspection' for a firewall policy. Users report that they receive certificate errors when accessing HTTPS sites. What is the MOST likely reason?

A. The certificate installed on the FortiGate for SSL inspection is expired
B. The web server uses a self-signed certificate which is blocked by the inspection profile
C. The users' browsers do not trust the FortiGate's CA certificate
D. The FortiGate is not configured to re-sign certificates with its own CA certificate
Answer: D

With certificate inspection, the FortiGate does not decrypt or re-sign; it only inspects the certificate, so this mode by itself would not cause certificate errors. Note that this answer key may be incorrect.

Why this answer

Option D is correct. Certificate inspection only checks the server certificate and does not re-sign it. Because the FortiGate does not re-issue a certificate, clients see the original server certificate, which may be valid; only if the FortiGate is performing a man-in-the-middle would the client see a certificate issued by the FortiGate's CA.

With certificate inspection, the FortiGate does not decrypt the traffic, so it cannot inspect the content; it only checks the certificate. The question may be tricky: certificate inspection does not modify the certificate chain, so users should not see certificate errors unless the FortiGate is intercepting. The typical cause of such errors is full deep inspection without proper CA deployment.

With certificate inspection, errors can occur if the server certificate itself is invalid, but the best answer here is that the FortiGate is not properly configured to re-sign certificates.

143
MCQ · easy

A network administrator wants to prevent users from downloading files with .exe extensions via HTTP and HTTPS. Which security profile feature should be used?

A. Web filter profile with URL filter to block .exe sites
B. Application control profile to block file transfer applications
C. Antivirus profile with 'block' action for file pattern matching .exe
D. IPS profile to block executable file transfers
Answer: C

Antivirus profiles can block files by extension using the 'File Pattern' feature. This works for HTTP and, with deep inspection, for HTTPS.

Why this answer

An antivirus profile can block files by file extension for both HTTP and HTTPS traffic, but only if SSL deep inspection is enabled for HTTPS. The file pattern filter is part of the antivirus profile.

144
MCQ · medium

An administrator wants to ensure that search engine results from Google, Bing, and Yahoo are filtered to exclude explicit content when users perform searches. Which feature should the administrator configure in the web filter profile?

A. FortiGuard category filter
B. URL filter
C. Safe search
D. DNS filter
Answer: C

Safe search is a dedicated feature to enforce safe search on supported search engines.

Why this answer

Safe search enforces the search engine's built-in safe search settings (like Google SafeSearch) by appending parameters to the search URL, ensuring explicit content is filtered.

145
MCQ · hard

An administrator has configured an IPS profile with an anomaly detection sensor for 'tcp_syn_flood'. After applying the profile to a firewall policy, users report intermittent connectivity issues. The administrator runs 'diagnose ips anomaly list' and sees entries for 'tcp_syn_flood' with action 'pass'. What is the MOST likely cause of the connectivity issues?

A. The anomaly sensor is set to 'block' but the action is overridden by the policy
B. The anomaly sensor is using a different action than expected; it might be set to 'block' for some other sensor
C. The anomaly sensor is not actually applied; the list shows default entries
D. The anomaly sensor is set to 'pass' but the threshold is too low, causing false positives
Answer: C

Why this answer

The 'diagnose ips anomaly list' output shows default anomaly entries. If the sensor were properly applied, the action would be 'block' as configured. The connectivity issues may be unrelated to IPS; the administrator should verify the sensor is attached to the policy.

146
MCQ · medium

An administrator configures a DLP sensor to detect credit card numbers in traffic. However, the sensor is not detecting any credit card numbers even though they are present in emails. What could be the reason?

A. Email traffic is encrypted and SSL deep inspection is not enabled
B. The DLP sensor is applied to the wrong policy
C. The credit card regular expression is incorrect
D. The DLP sensor is in 'Monitor' mode
Answer: A

DLP cannot inspect encrypted payloads. Deep inspection must be enabled to decrypt and scan.

Why this answer

DLP sensors inspect traffic content. If the traffic is encrypted (e.g., via TLS), the sensor cannot see the plaintext unless SSL deep inspection is enabled to decrypt the traffic first.

147
MCQ · hard

A FortiGate in flow-based mode is configured with an antivirus profile to block infected files. A user downloads a .zip file containing a known virus, but the download is allowed and the file is not quarantined. What is the MOST likely reason?

A. The antivirus profile is not set to 'block' for virus outbreaks
B. The virus definition database is outdated
C. Flow-based inspection does not support antivirus for .zip archives
D. Flow-based inspection does not decompress archives by default
Answer: D

In flow mode, FortiGate scans files in a streaming fashion and does not buffer them to decompress archives. The virus inside the zip may not be detected.

Why this answer

Option D is correct because flow-based inspection does not buffer files for decompression, so viruses inside archives may be missed.

148
MCQ · easy

Which of the following is a prerequisite for SSL deep inspection to work correctly on FortiGate?

A. A dedicated HTTPS firewall policy.
B. A firewall policy that has SSL inspection enabled.
C. The FortiGate must be operating in proxy mode.
D. An active FortiCare license.
Answer: B

The policy must have SSL inspection profile applied.

Why this answer

SSL deep inspection requires a firewall policy with SSL inspection enabled to intercept and decrypt HTTPS traffic. Without such a policy, the FortiGate cannot apply the CA certificate to re-encrypt traffic for inspection, making deep inspection non-functional.

Exam trap

The trap here is that candidates often confuse the need for a firewall policy with SSL inspection enabled with the misconception that a separate HTTPS-only policy or proxy mode is mandatory, when in fact any policy matching HTTPS traffic can be configured for deep inspection.

How to eliminate wrong answers

Option A is wrong because a dedicated HTTPS firewall policy is not required; any firewall policy with the appropriate SSL inspection profile can handle HTTPS traffic. Option C is wrong because FortiGate supports SSL inspection in both proxy-based and flow-based modes, not exclusively proxy mode. Option D is wrong because an active FortiCare license is not a prerequisite for SSL deep inspection; it is required for FortiGuard services like web filtering but not for the inspection mechanism itself.

149
Multi-Select · medium

A network admin wants to block all traffic from the BitTorrent application. The admin has enabled application control on the firewall policy. Which TWO steps are necessary to achieve this?

Select 2 answers
A. Add a DNS filter profile to block BitTorrent tracker domains
B. Add the BitTorrent application signature to the application control profile and set action to block
C. Set the application control inspection mode to proxy-based
D. Enable 'deep inspection' in the application control profile
E. Enable SSL deep inspection on the firewall policy
Answers: B, E

This defines what to block.

Why this answer

Options B and E are correct: the application control profile must include the BitTorrent signature and be configured to block it. Additionally, if BitTorrent uses random high ports or encryption, SSL deep inspection may be needed to identify the traffic.

150
Multi-Select · hard

An organization uses FortiMail for email filtering and FortiGate for web filtering. The administrator wants to ensure that email traffic is filtered for spam and malware before reaching the internal mail server. Which TWO steps should be taken? (Choose two.)

Select 2 answers
A. Configure FortiMail to scan incoming emails and then forward them to the internal mail server.
B. Apply an antivirus profile to the firewall policy that handles SMTP traffic.
C. Apply an email filter profile to the firewall policy that handles SMTP traffic.
D. Configure the FortiGate to route SMTP traffic through FortiMail using a policy-based routing or VIP.
E. Disable SMTP inspection on the FortiGate to avoid double scanning.
Answers: A, D

FortiMail should perform spam and virus scanning before delivering to the internal mail server.

