CCNA Nse4 Security Profiles Questions

7 of 232 questions · Page 4/4 · Nse4 Security Profiles topic · Answers revealed

226
MCQ · medium

An administrator configures an IPS profile to block SQL injection attacks. However, SQL injection traffic is still passing through the FortiGate. The administrator confirms the IPS profile is applied to the correct policy. What is the most likely reason?

A. The firewall policy is in proxy-based mode
B. The IPS profile is configured for anomaly detection only
C. IPS signatures for SQL injection are disabled in the profile
D. Deep inspection is required for IPS to work
Answer: C

If the specific signatures are not enabled or set to 'pass', the attack will not be blocked.

Why this answer

Option C is correct. The administrator must verify that the relevant SQL injection signatures are enabled in the IPS profile and set to an action such as 'block' or 'reset' rather than 'pass'.

227
MCQ · medium

A FortiGate administrator wants to integrate with FortiSandbox to analyze suspicious files detected by antivirus. The administrator configures the FortiSandbox settings under Security Fabric. However, files are not being sent to FortiSandbox. The antivirus profile is set to 'flow-based' inspection. What could be the reason?

A. The antivirus profile is set to 'Monitor' instead of 'Block'.
B. The firewall policy is using NAT, which interferes with FortiSandbox connectivity.
C. The FortiGate does not have a valid FortiSandbox license.
D. Flow-based inspection does not support FortiSandbox integration; proxy-based inspection is required.
Answer: D

FortiSandbox integration for file submission requires proxy-based inspection mode. Flow mode can use FortiSandbox for outbreak prevention but not for file submission.

228
MCQ · easy

What is the function of an IPS 'protocol decoder'?

A. Encode traffic to prevent attacks
B. Parse and normalize protocol traffic to improve detection accuracy
C. Rate-limit traffic based on protocol
D. Decrypt SSL traffic for inspection
Answer: B

Decoders help identify protocol-specific attacks.

Why this answer

Option B is correct: protocol decoders parse application-layer protocols and normalize the traffic before signature matching, which allows the IPS to detect evasion techniques that would otherwise hide an attack from a plain byte-pattern match.

229
MCQ · medium

An administrator configures a web filter profile to block the 'Phishing' category. Users still report receiving phishing emails with links that bypass the filter. What is the most likely reason?

A. The users are accessing the phishing sites via IP address, not URL.
B. The email traffic is not subject to SSL inspection, so URLs in encrypted emails are not filtered.
C. The web filter profile is not applied to the firewall policy governing email traffic.
D. The FortiGate's URL database is outdated.
Answer: B

Without SSL inspection, the FortiGate cannot see the URLs in the encrypted email.

Why this answer

Option B is correct because web filtering operates at the application layer and inspects HTTP/HTTPS URLs. If SSL inspection is not enabled, the FortiGate cannot decrypt the encrypted SMTP or IMAP/POP3 traffic to extract URLs from the body of emails. Without decryption, the web filter profile cannot see the phishing links inside encrypted email messages, so they bypass the filter regardless of the category being blocked.

Exam trap

The trap here is that candidates assume web filtering applies to all traffic equally, forgetting that encrypted email traffic requires SSL inspection to extract URLs from the message body, whereas web filtering for HTTP traffic works without decryption.

How to eliminate wrong answers

Option A is wrong because even if users access phishing sites via IP address, the FortiGate's web filter can still block the connection if the IP is categorized in the 'Phishing' category or if the web filter profile is configured to block by IP reputation. Option C is wrong because the question states the web filter profile is configured, and the issue is that phishing links in emails bypass the filter; if the profile were not applied to the firewall policy, no web filtering would occur at all, but the scenario implies other web traffic might be filtered, so the most specific reason is the lack of SSL inspection for email traffic. Option D is wrong because an outdated URL database would cause false negatives for known phishing URLs, but the core issue here is that the URLs are hidden inside encrypted email content, which the FortiGate cannot inspect without SSL decryption.

230
MCQ · medium

A network administrator notices that HTTP traffic to a specific website is being blocked by the web filter profile, but the website is categorized as 'General – Personal' in FortiGuard, which is allowed. What could cause this block?

A. The web filter profile has an incorrect FortiGuard category override
B. The antivirus profile is blocking the website
C. A URL filter entry is blocking the specific website
D. DNS filter is blocking the domain
Answer: C

URL filter entries take precedence over FortiGuard categories. A block entry for that domain would cause the block.

Why this answer

The URL filter is applied before FortiGuard categories and can override the category rating. A static URL filter entry blocking the specific website would cause the block even if the category is allowed.

231
MCQ · easy

What is the primary difference between flow-based and proxy-based Antivirus inspection on a FortiGate?

A. Flow-based inspection is only available on hardware models with CP8
B. Proxy-based inspection reassembles the file before scanning, while flow-based scans as the file passes through
C. Proxy-based inspection uses fewer resources than flow-based
D. Flow-based inspection supports virus outbreak detection, but proxy-based does not
Answer: B

This is the key architectural difference: proxy mode buffers the whole object, flow mode streams.

Why this answer

Flow-based inspection uses the FortiASIC for accelerated scanning and has lower latency, while proxy-based inspection reassembles the entire content before scanning, allowing for more thorough detection but with higher resource usage.

232
Multi-Select · hard

A FortiGate admin is troubleshooting email filtering. Legitimate emails from a specific external domain are being marked as spam. Which THREE steps should the admin take to resolve this?

Select 3 answers
A. Check the spam filter logs to see why the email was flagged
B. Disable the spam filter entirely
C. Add the sender domain to the email filter allowlist
D. Enable deep inspection for SMTP traffic
E. Verify the sender's domain reputation on FortiGuard
Answers: A, C, E

Logs provide details on the filtering decision.

Why this answer

Options A, C, and E are correct. Checking the spam filter logs, adding the sender domain to the allowlist, and verifying the domain's FortiGuard reputation can all help resolve false positives. Disabling the spam filter entirely (B) removes protection rather than fixing the misclassification, and deep inspection for SMTP (D) does not change how the sender is rated.
