CCNA Advanced Threat Protection Questions

75 of 169 questions · Page 1/3 · Advanced Threat Protection

1
MCQ · hard

You receive an alert from FortiSandbox that a file has been rated 'highly malicious'. The FortiGate has the FortiSandbox inline scanning enabled with the action 'block malicious'. However, the file is still being downloaded by users. What is the most likely reason?

A. The FortiSandbox device is not reachable from FortiGate
B. The IPS sensor is blocking the connection before the antivirus inspection
C. The antivirus database is outdated
D. The file type is not listed in the scanning profile for FortiSandbox
Answer: D

If the file type is excluded, FortiGate will not submit it to FortiSandbox for analysis, allowing it to pass.

Why this answer

Option D is correct. Inline scanning can only block what is actually forwarded to FortiSandbox: if the file type is not among those the antivirus profile submits for sandboxing, the file is never sent and is delivered to the user regardless of how FortiSandbox rated it elsewhere. The practical check is to confirm that the file's type (and its size, if an upload limit is configured) is covered by the profile's sandbox submission settings, and that the session is actually inspected at all (SSL inspection enabled for HTTPS downloads).

2
Multi-Select · hard

A FortiGate administrator is troubleshooting why files are not being submitted to FortiSandbox for analysis. Which THREE conditions must be met for file submission to work? (Choose three.)

A. SSL inspection must be disabled for the policy
B. The file type must be in FortiSandbox's supported list
C. The antivirus profile must be in proxy-based inspection mode
D. The FortiSandbox must be in inline scanning mode
E. The FortiGate must have a valid FortiSandbox license
Answers: B, C, E

Unsupported files are not submitted.

Why this answer

Option B is correct because FortiSandbox only supports analysis for specific file types (e.g., PE, PDF, Office documents). If the file type is not in the supported list, the FortiGate will not submit it, even if all other conditions are met. This is a fundamental filtering step in the FortiGate-FortiSandbox integration.

Exam trap

The trap is the SSL inspection option: SSL inspection must be enabled, not disabled, or files carried inside HTTPS are never extracted for submission. Candidates also assume FortiSandbox itself must run in an inline mode; the answer key instead treats the FortiGate's proxy-based inspection mode as the decisive setting, because holding a file back until the verdict returns is only possible when the FortiGate proxies the session.

3
MCQ · hard

When configuring FortiGate with FortiSandbox integration, an administrator wants to block files that are rated 'High Risk' by the sandbox. Which setting must be enabled in the antivirus profile to automatically quarantine these files?

A. Configure an automation stitch to quarantine files based on sandbox verdict
B. Enable 'File Filter' in the antivirus profile and add a rule for high-risk files
C. Enable 'Submit Files to FortiSandbox' and set action to 'Block'
D. Enable 'FortiSandbox Quarantine' in the IPS profile
Answer: C

This setting submits files and blocks high-risk verdicts.

Why this answer

Option C is correct because the 'Submit Files to FortiSandbox' setting in the antivirus profile, with its action set to 'Block', instructs FortiGate to stop delivery of files that receive a 'High Risk' verdict from FortiSandbox, which is what the question calls quarantining them. The action is part of the antivirus profile's sandbox integration, not a separate automation or IPS feature, and needs no additional configuration once the profile is applied to the policy.

Exam trap

The trap here is that candidates often confuse the 'Block' action in the antivirus profile with automation stitches or file filters, assuming they need a separate workflow to quarantine files, when in fact the antivirus profile's sandbox integration directly handles the quarantine based on the verdict.

How to eliminate wrong answers

Option A is wrong because automation stitches are used for custom workflows (e.g., sending alerts or triggering scripts) but are not the primary setting to automatically quarantine files based on sandbox verdict; the antivirus profile's built-in 'Block' action handles this directly. Option B is wrong because 'File Filter' in the antivirus profile is used to block files by type or pattern (e.g., .exe), not to act on sandbox risk ratings; it does not interpret sandbox verdicts. Option D is wrong because 'FortiSandbox Quarantine' is not a setting in the IPS profile; IPS profiles focus on intrusion prevention signatures, not file quarantine based on sandbox analysis.

4
MCQ · easy

Which Fortinet product is specifically designed to deploy decoys and lures to detect lateral movement and early-stage attacks inside the network?

A. FortiSandbox
B. FortiEDR
C. FortiDeceptor
D. FortiClient
Answer: C

FortiDeceptor deploys decoys and lures to detect lateral movement.

Why this answer

FortiDeceptor is a deception technology that uses decoys to detect attackers moving laterally within the network.

5
MCQ · medium

A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?

A. Application control to block the C2 application
B. Antivirus profile with SSL inspection
C. IPS signature for botnet activity
D. DNS Filter with botnet C2 domain blocking
Answer: D

DNS filter blocks resolution of known malicious domains, preventing communication.

Why this answer

DNS Filter with botnet C2 domain blocking is the most effective choice because it prevents the DNS resolution of the command-and-control domain, so the TLS handshake never starts. Since the traffic is encrypted, application control or IPS would need SSL inspection to see the payload, which may not be feasible or configured. DNS Filter needs no decryption: it acts on the plaintext DNS query using FortiGuard's botnet domain intelligence. The caveat a practitioner should keep in mind is that this only helps when the client's DNS queries actually pass through the FortiGate in the clear; an implant that connects to a hard-coded IP address, or resolves names over DNS-over-HTTPS, never triggers the filter. Pair it with botnet C&C IP blocking in the IPS sensor (the scan-botnet-connections setting) so that connections to known C2 addresses are caught as well.

Exam trap

The trap here is that candidates assume encrypted traffic requires SSL inspection to block it, but DNS Filter blocks the domain resolution before encryption occurs, making it the most efficient and non-intrusive solution for C2 communication.

How to eliminate wrong answers

Option A is wrong because Application Control identifies applications by signature or IP/port pattern, but with TLS the application payload is hidden and the C2 server typically uses a common port such as 443, so the traffic cannot be classified without decryption. Option B is wrong because an antivirus profile only inspects the payload after SSL deep inspection, which requires the FortiGate to act as a man-in-the-middle; that breaks certificate-pinned clients, raises privacy concerns, and is impossible for non-proxyable TLS. Option C is wrong because IPS signatures for botnet activity match patterns in cleartext payloads or headers; without SSL inspection the engine cannot see the encrypted C2 commands, and a botnet using dynamic IPs or domain fronting evades signature-based detection in any case.

6
MCQ · easy

Which FortiClient ATP feature provides protection against zero-day malware by monitoring process behavior and blocking suspicious activities at the endpoint?

A. FortiClient Web Filtering
B. FortiClient Cloud Sandbox
C. FortiClient Exploit Prevention
D. FortiClient Vulnerability Scan
Answer: C

Exploit Prevention monitors process behavior and blocks exploit techniques.

Why this answer

FortiClient Exploit Prevention is correct because it uses real-time behavioral monitoring of process activities—such as API calls, memory access patterns, and code injection attempts—to detect and block zero-day malware that has no known signature. Unlike signature-based detection, this feature identifies malicious behavior at runtime, making it effective against previously unseen threats.

Exam trap

The trap here is that candidates often confuse cloud sandboxing (Option B) with endpoint behavioral protection, but FortiClient Cloud Sandbox is a separate, file-based analysis feature that does not provide real-time process monitoring on the endpoint.

How to eliminate wrong answers

Option A is wrong because FortiClient Web Filtering controls access to URLs and categorizes web traffic based on reputation and category, but it does not monitor process behavior or block suspicious activities at the endpoint. Option B is wrong because FortiClient Cloud Sandbox submits suspicious files to a cloud-based sandbox for dynamic analysis, which is a reactive, offline detection method rather than real-time behavioral monitoring on the endpoint. Option D is wrong because FortiClient Vulnerability Scan checks for missing patches and configuration weaknesses, but it does not monitor or block process-level behavior in real time.

7
MCQ · easy

Which FortiGate feature can automatically block traffic from an IP address that is detected as malicious by FortiSandbox?

A. Traffic Shaping
B. Intrusion Prevention System (IPS)
C. Application Control
D. Automation Stitch
Answer: D

Automation stitches can react to security events and update threat feeds dynamically.

Why this answer

Option D is correct because an Automation Stitch in FortiOS pairs a trigger with one or more actions. When the trigger fires on a security event, such as a compromised-host (IOC) detection or a sandbox verdict, the action can add the offending address to the quarantine or IP ban list, giving an automated response without manual intervention. Note that the 'Compromised Host' trigger relies on IOC detection from FortiAnalyzer in the Security Fabric, and the exact trigger and action names differ between FortiOS releases, so check the list available on your version.

Exam trap

The trap here is that candidates often confuse IPS (which blocks malicious traffic patterns) with automated IP blocking based on external threat intelligence, not realizing that Automation Stitch is the dedicated mechanism for orchestrating responses to FortiSandbox verdicts.

How to eliminate wrong answers

Option A is wrong because Traffic Shaping is a QoS mechanism that prioritizes or limits bandwidth for specific traffic types, not a security feature that blocks IPs based on threat intelligence. Option B is wrong because Intrusion Prevention System (IPS) detects and blocks exploit attempts and vulnerability-based attacks using signatures and protocol decoders, but it does not automatically block IPs based on FortiSandbox verdicts; IPS actions are triggered by traffic patterns, not external sandbox IOCs. Option C is wrong because Application Control identifies and controls application usage (e.g., blocking social media or video streaming) based on application signatures, not by blocking malicious IPs detected by FortiSandbox.

8
MCQ · easy

Which technology uses DMARC reports to help administrators identify unauthorized use of their email domain?

A. SPF
B. DKIM
C. FortiMail
D. DMARC
Answer: D

DMARC provides aggregate (rua) and failure/forensic (ruf) reports about email authentication results.

Why this answer

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the correct answer because it is the standard that defines the reporting feedback loop: receiving mail servers send aggregate reports (to the rua address published in the domain's DMARC DNS TXT record) and, optionally, per-message failure or forensic reports (to the ruf address) back to the domain owner. These reports summarise the SPF and DKIM authentication and alignment results observed for mail claiming to come from the domain, which is how administrators spot spoofing and unsanctioned senders before tightening the policy from p=none to quarantine or reject.

Exam trap

The trap here is that candidates confuse DMARC's reporting and policy enforcement features with the underlying authentication mechanisms (SPF and DKIM), thinking those protocols alone provide visibility into unauthorized use, when in fact only DMARC defines the reporting format and feedback loop.

How to eliminate wrong answers

Option A (SPF) is wrong because SPF only defines which IP addresses are authorized to send mail for a domain via DNS TXT records, but it does not generate reports or provide visibility into unauthorized use. Option B (DKIM) is wrong because DKIM provides a cryptographic signature to verify email integrity and sender authenticity, but it does not produce reports on domain usage or abuse. Option C (FortiMail) is wrong because FortiMail is a secure email gateway product that can implement DMARC policies and process reports, but it is not the technology that uses DMARC reports itself; DMARC is the standard that defines the reporting mechanism.

9
MCQ · hard

A FortiGate is configured to submit files to FortiSandbox. The administrator notices that files are being submitted but no verdicts are returned. Which two conditions could cause this?

A. The FortiSandbox server is not reachable from the FortiGate
B. The file type is not supported by FortiSandbox
C. The file size exceeds the FortiSandbox submission limit
D. The FortiSandbox license has expired
E. The antivirus profile is set to monitor mode
Answers: A, C

If FortiSandbox cannot be reached or the file is too large, no verdict is returned.

Why this answer

If the FortiSandbox is unreachable the submission never completes, and if the file exceeds the size limit it is discarded rather than analysed; in both cases no verdict comes back. A monitor-mode antivirus profile still submits files and logs the result, it just does not block, and a license problem does not stop verdicts being returned. An unsupported file type is never submitted in the first place, which contradicts the scenario.

10
MCQ · medium

An administrator wants to integrate FortiGate with an external threat intelligence feed to block known malicious IP addresses automatically. Which object should be used to consume the feed?

A. External Threat Intelligence Feed
B. IP Pool
C. Address Group
D. Security Profile Group
Answer: A

This object dynamically updates with threat indicators.

Why this answer

External threat feeds are configured on FortiGate under Security Fabric > External Connectors (Threat Feeds). An IP address feed behaves like a dynamic address object and can be used as the source or destination of a firewall policy; domain feeds are consumed by DNS filter profiles and malware-hash feeds by antivirus profiles.

11
Matching · medium

Match each FortiGate security profile to its category.

Antivirus: Malware protection
Web Filter: URL and content filtering
DNS Filter: DNS-based threat protection
Application Control: Application visibility and control
IPS: Intrusion prevention

Why these pairings

Each of these is a security profile selected in a firewall policy; one policy can apply several of them to the same traffic.

12
MCQ · medium

An admin wants to create a custom IPS signature to detect a specific exploit that sends a string 'EXPLOIT' in the HTTP Host header. Which signature syntax is correct?

A. F-SBID( --name "HTTP_EXPLOIT" --protocol http --header Host --content "EXPLOIT" )
B. F-SBID( --name "HTTP_EXPLOIT" --service HTTP --header Host --content "EXPLOIT" )
C. F-SBID( --name "HTTP_EXPLOIT" --protocol tcp --header Host --content "EXPLOIT" )
D. F-SBID( --name "HTTP_EXPLOIT" --protocol http --header Host --content "EXPLOIT" )
Answer: B

Only B uses the F-SBID keyword that actually selects the HTTP decoder.

Why this answer

In FortiGate's custom signature grammar, `--protocol` takes a transport protocol (tcp, udp or icmp) and the application-layer decoder is selected with `--service` (HTTP, SMTP, DNS and so on). Option B is therefore the only option built on valid keywords for an HTTP header match; A, C and D all pass `http` to `--protocol`, which does not accept it, and A and D are identical. None of the four options is complete as printed: the real syntax terminates every keyword with a semicolon, names the string with `--pattern` rather than `--content`, and selects the header with `--context`. A complete signature for this requirement reads `F-SBID( --name "HTTP.Host.Exploit"; --protocol tcp; --service HTTP; --flow from_client; --pattern "EXPLOIT"; --context host; --no_case; )`.

Exam trap

The trap is assuming `--protocol http` exists because HTTP is the protocol being inspected. In F-SBID `--protocol` is the transport layer, and `--service HTTP` is what enables the HTTP parser that gives meaning to `--context host` or `--context header`.

How to eliminate wrong answers

Options A and D are identical, and both pass an application protocol to `--protocol`, which only accepts tcp, udp or icmp, so the signature is rejected. Option C has a valid `--protocol tcp` but no `--service HTTP`, so no HTTP decoder is active and the Host header cannot be addressed; `--header` is not an F-SBID keyword in any case. Option B selects the HTTP decoder correctly; to be usable it still needs `--protocol tcp`, and `--pattern` with `--context host` in place of `--header` and `--content`.

13
MCQ · medium

A FortiGate administrator configures an antivirus profile with Machine Learning (ML) engine enabled. The ML engine is not detecting any threats, even though new unknown malware is present. What is the MOST likely reason?

A. The ML engine requires a separate subscription
B. The ML engine is only for outbreak prevention
C. The FortiGuard antivirus subscription is expired, preventing ML model updates
D. The antivirus profile is set to flow-based inspection
Answer: C

ML engine needs updated models from FortiGuard; expired subscription stops updates.

Why this answer

The FortiGate ML engine relies on FortiGuard for model updates that enable it to detect new and unknown malware. If the FortiGuard antivirus subscription is expired, the ML engine cannot receive these updates, rendering it unable to identify novel threats. This is the most likely reason the ML engine is not detecting any threats despite the presence of new unknown malware.

Exam trap

The trap here is that candidates may assume the ML engine works independently of subscriptions or that flow-based inspection disables it, when in fact the engine's effectiveness is entirely dependent on current FortiGuard updates.

How to eliminate wrong answers

Option A is wrong because the ML engine is included with the FortiGuard Antivirus subscription and does not require a separate subscription; it is an integrated feature. Option B is wrong because the ML engine is not limited to outbreak prevention; it provides continuous, real-time detection of unknown malware using behavioral analysis and static file analysis. Option D is wrong because flow-based inspection does not disable the ML engine; the ML engine works with both proxy-based and flow-based inspection modes, though flow-based may have reduced detection granularity.

14
Multi-Select · hard

A security team is configuring FortiMail for email security. They want to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC, and that emails failing authentication are quarantined. Which THREE settings must be configured in FortiMail? (Choose three.)

A. Enable DKIM verification in the anti-spam policy
B. Enable TLS encryption for incoming SMTP
C. Enable DMARC verification and set the action for DMARC failure to quarantine
D. Enable SPF verification in the anti-spam policy
E. Configure a recipient verification policy
Answers: A, C, D

DKIM verification must be enabled to verify DKIM signatures.

Why this answer

Option A is correct because DKIM verification must be explicitly enabled in the anti-spam policy to allow FortiMail to validate the DKIM signature on incoming emails. Without this setting, DKIM authentication is not performed, and the email's DKIM status will not be evaluated.

Exam trap

The trap here is that candidates often confuse transport security (TLS) with email authentication protocols, mistakenly thinking TLS is required for SPF/DKIM/DMARC enforcement, when in fact TLS is optional and unrelated to the authentication chain.

15
Multi-Select · medium

An administrator is troubleshooting why a custom IPS signature for protocol anomaly detection is not triggering. The signature is designed to detect abnormal DNS query lengths. Which TWO steps should the administrator take to verify the signature is working? (Choose two.)

A. Reboot the FortiGate to reset the IPS engine
B. Disable the firewall policy to see if the signature triggers
C. Verify that the IPS sensor containing the signature is applied to the correct firewall policy
D. Generate traffic that matches the signature and check the IPS logs for alerts
E. Increase the signature's severity to see it in logs
Answers: C, D

If the sensor is not applied, the signature will not inspect traffic.

Why this answer

To verify a custom IPS signature, the administrator should test it with matching traffic and check the IPS log to confirm detection. Also, ensuring the IPS sensor includes the signature and is applied to a policy is necessary.

16
MCQ · medium

An administrator sees the following log entry: 'id=13593 msg="CDR: File attachment sanitized"' Which feature generated this log?

A. Content Disarm and Reconstruction
B. FortiSandbox
C. Machine Learning Engine
D. Outbreak Prevention
Answer: A

CDR sanitizes attachments and logs such events.

Why this answer

Content Disarm and Reconstruction (CDR) sanitizes attachments by removing active content. It is part of the antivirus profile feature set on FortiGate.

17
MCQ · medium

A FortiGate admin runs 'diagnose sys session filter dport 443' followed by 'diagnose sys session list' and sees the following entry: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A. The session is a UDP session that has been idle for 1 hour
B. The session has a problem because duration and expire are not equal
C. The session has been active for 1 hour and will expire in about 1 hour
D. The session is a short-lived connection that started 3600 seconds ago
Answer: C

duration is the time since the session was created; expire is the remaining lifetime, which is reset to the session timeout each time a packet matches.

Why this answer

'proto=6' identifies TCP and 'proto_state=01' an established TCP session. 'duration=3600' shows the session was created 3600 seconds (1 hour) ago. 'expire=3599' is the countdown to removal: the session is cleared in 3599 seconds if no further packet arrives. Because that countdown restarts from the session TTL (3600 s by default for TCP) on every packet, an expire value one second below the TTL means the session was just refreshed by traffic; it is an active long-lived HTTPS session, not one about to age out.
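How duration, expire and the session timeout relate is clearer with a small decoder. The Python below is an added example written for this page, not FortiGate code: the three 'session info:' lines are constructed to follow the line format of diagnose sys session list (the first is the entry from the question with a timeout field added), and the TCP proto_state digits are decoded with the FortiOS mapping documented for that command. It shows that the session in the question has been idle for one second, while a session whose expire has run down is the one actually about to be removed.

```python
"""Decode 'diagnose sys session list' entries: what duration, expire and
timeout mean. Added example, not FortiGate code; the session lines are
constructed to resemble the command's output."""
import re

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# FortiOS TCP proto_state digits; the second digit is the server-side state
TCP_STATES = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
              "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
              "8": "LAST_ACK", "9": "LISTEN"}

# constructed sample: question-17 entry (with timeout), a dying TCP session, a UDP flow
SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 sockport=0 av_idx=0 use=3
session info: proto=6 proto_state=01 duration=3605 expire=12 timeout=3600 flags=00000000 sockport=0 av_idx=0 use=3
session info: proto=17 proto_state=01 duration=40 expire=140 timeout=180 flags=00000000 sockport=0 av_idx=0 use=3"""


def parse_session(line):
    """Return the fields a triage needs from one 'session info:' line."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    proto = int(kv["proto"])
    timeout = int(kv["timeout"])
    expire = int(kv["expire"])
    return {
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "state": TCP_STATES.get(kv["proto_state"][-1], "?") if proto == 6 else kv["proto_state"],
        "duration": int(kv["duration"]),   # seconds since the session was created
        "expire": expire,                   # seconds left before the session is removed
        # expire is reset to timeout by every matching packet, so the
        # difference is how long the session has been idle
        "idle": timeout - expire,
    }


def stale_sessions(text, idle_threshold=300):
    """Sessions that have not seen a packet for at least idle_threshold seconds."""
    entries = [parse_session(line) for line in text.splitlines()]
    return [e for e in entries if e["idle"] >= idle_threshold]


if __name__ == "__main__":
    for line in SAMPLE_SESSIONS.splitlines():
        e = parse_session(line)
        print(f"{e['proto']:4} {e['state']:12} age={e['duration']}s "
              f"idle={e['idle']}s expires_in={e['expire']}s")
```

The idle figure, not duration, is what tells you whether a long-lived session is still carrying traffic; when hunting for a quiet C2 beacon, sort on idle rather than on age.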

18
MCQ · easy

A network administrator wants to block known malicious IP addresses using threat intelligence feeds on FortiGate. Which feature should they use?

A. FortiGuard Web Filtering
B. External Threat Intelligence
C. Application Control
D. IP Reputation
Answer: B

This feature fetches third-party threat feeds over HTTP(S) and makes them usable in firewall policies and security profiles.

Why this answer

FortiGate's External Threat Intelligence (threat feed) connectors periodically fetch a plain-text list from an HTTP(S) URL, one IP address or subnet, domain, or file hash per line, and expose it as a dynamic object: IP address feeds become address objects for firewall policies, domain feeds feed the DNS filter, malware-hash feeds feed antivirus, and URL feeds appear as a FortiGuard category for web filtering. FortiGate does not consume STIX/TAXII natively; feeds in those formats must first be flattened to a text list by an external tool. This is the correct feature because it is designed to ingest external threat data and apply it to policies for dynamic blocking, unlike the other options, which serve different purposes.

Exam trap

The trap here is that candidates often confuse IP Reputation (a built-in FortiGuard service) with External Threat Intelligence (a feature for importing custom feeds), leading them to select IP Reputation when the question explicitly mentions 'threat intelligence feeds' from external sources.

How to eliminate wrong answers

Option A is wrong because FortiGuard Web Filtering is used to control access to web categories and URLs based on FortiGuard's cloud database, not to block specific IP addresses from external threat feeds. Option C is wrong because Application Control identifies and controls application traffic (e.g., Facebook, Skype) based on signatures, not IP-based threat intelligence. Option D is wrong because IP Reputation is a built-in FortiGuard service that rates IP addresses based on FortiGuard's own threat data, not a feature to import custom external threat intelligence feeds.

19
MCQ · medium

A FortiGate admin configures an automation stitch to send an email alert when a high-severity IPS event occurs. The trigger is 'IPS Event' and the action is 'Email'. After testing, no email is sent despite events being logged. What is the most likely cause?

A. The IPS event severity threshold is set too low
B. The automation stitch is disabled
C. No SMTP server is configured in the FortiGate
D. The IPS engine is in monitor mode
Answer: C

Email action requires an SMTP server to be configured under System > Settings.

Why this answer

Automation stitches require a valid mail server configuration in the FortiGate's email settings. Without it, the email action cannot be executed.

20
MCQ · medium

An administrator wants to configure FortiGate to use the machine learning engine for advanced antivirus detection. Which setting must be enabled in the antivirus profile?

A. Enable 'Machine Learning Engine' in the antivirus profile
B. Enable 'Detect All' in the antivirus profile
C. Set 'Scan Mode' to 'Quick' in the antivirus profile
D. Enable 'Use FortiSandbox' in the antivirus profile
Answer: A

The machine learning engine must be enabled in the antivirus profile to use AI-based detection.

Why this answer

Option A is correct because the machine learning engine for advanced antivirus detection is a dedicated feature within the antivirus profile that must be explicitly enabled. This engine uses behavioral analysis and heuristics to detect unknown or zero-day malware without relying solely on signature-based detection. Enabling this setting allows FortiGate to leverage on-device ML models to identify malicious files based on patterns and anomalies.

Exam trap

The trap here is that candidates may confuse the machine learning engine with FortiSandbox integration, assuming that sandboxing is required for ML-based detection, when in fact the ML engine is a standalone on-device feature that must be enabled separately in the antivirus profile.

How to eliminate wrong answers

Option B is wrong because 'Detect All' is not a valid setting in the antivirus profile; it is a misconception that such a toggle exists for enabling ML-based detection. Option C is wrong because setting 'Scan Mode' to 'Quick' reduces scanning depth and may skip certain file types or archives, which would not enable the machine learning engine and could actually decrease detection accuracy. Option D is wrong because 'Use FortiSandbox' integrates with an external sandbox for file detonation and analysis, but it is a separate feature from the on-device machine learning engine and does not enable local ML-based detection.

21
MCQ · hard

A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?

A. Configure traffic shaping to rate limit the URL
B. Add a static URL filter with the exact URL and action 'block'
C. Enable DNS filter with botnet C2 domain blocking
D. Change the action for Malware category from 'monitor' to 'block' in the web filter profile
Answer: D

Setting the category action to 'block' will block all URLs in that category.

Why this answer

The web filtering profile currently has the Malware category set to 'monitor all', which logs but does not block traffic. To block the URL, the action must be changed from 'monitor' to 'block' within the same web filter profile. This directly enforces the blocking action for all URLs categorized as Malware, including the known malicious URL.

Exam trap

The trap here is that candidates may think a static URL filter is required for blocking, overlooking that category-based actions in the web filter profile can directly block all URLs in a category without needing individual entries.

How to eliminate wrong answers

Option A is wrong because traffic shaping only rate-limits bandwidth and does not block URLs; it cannot enforce a block on malicious content. Option B is wrong because adding a static URL filter is unnecessary and less efficient when the category-based action can be changed; it also requires manual entry of every specific URL, which is not scalable. Option C is wrong because DNS filter with botnet C2 domain blocking targets command-and-control domains at the DNS level, not HTTP/HTTPS URL categories like Malware; it addresses a different threat vector.

22
Multi-Select · hard

A security analyst wants to use automation stitches on FortiGate to automatically block IP addresses that trigger an IPS signature for 'SSH Brute Force'. Which two components are required to create this automation stitch? (Choose two.)

A. Action: 'Add to Block List'
B. FortiAnalyzer log query
C. Action: 'Email Notification'
D. Trigger: 'IPS Event'
E. FortiGuard category
Answers: A, D

The action should block the source IP.

Why this answer

An automation stitch requires a trigger (e.g., IPS event) and an action (e.g., add to block list). The trigger defines when the stitch fires, and the action defines what to do.

23
Multi-Select · medium

An organization wants to implement multiple layers of defense against advanced persistent threats. Which three Fortinet solutions would be most effective in an ATP strategy? (Choose three.)

A. FortiMail
B. FortiSandbox
C. FortiWeb
D. FortiEDR
E. FortiDeceptor
Answers: B, D, E

FortiSandbox detects unknown malware via behavioral analysis.

Why this answer

FortiSandbox provides advanced threat detection, FortiEDR provides endpoint detection and response, and FortiDeceptor provides deception-based threat detection. Together they cover multiple attack stages.

24
MCQ · hard

A FortiGate is configured with an antivirus profile that has the machine learning engine enabled. An administrator notices that some files are being detected by the ML engine but the verdict is 'probably clean'. What does this verdict indicate?

A. The file is clean and safe to pass.
B. The file is definitely malicious and should be blocked.
C. The ML engine has detected an outbreak but needs FortiGuard to confirm.
D. The ML engine has low confidence that the file is malicious; it may be a false positive.
Answer: D

'Probably clean' indicates low malicious confidence, often requiring further analysis.

25
MCQ · hard

A network administrator is troubleshooting a FortiGate IPS sensor that is not generating alerts for a custom signature they created. The custom signature uses the pattern 'malicious'. The signature is enabled and applied to a firewall policy. What is the MOST likely cause of the issue?

A. The signature severity is set to 'Low' and logging is disabled for low severity
B. The custom signature is missing the 'protocol' parameter
C. The IPS sensor is configured in 'Passive' mode
D. The firewall policy is using 'Flow-based' inspection
Answer: B

Custom signatures must specify a transport protocol (--protocol tcp, udp or icmp) to be bound to a flow; a signature without it is never evaluated.

Why this answer

The custom signature is missing the `--protocol` keyword, which is mandatory in F-SBID custom signatures and takes a transport protocol (tcp, udp or icmp); an application decoder, where one is wanted, is selected separately with `--service` (HTTP, FTP and so on). Without `--protocol` the IPS engine has no flow type to bind the pattern to, so it never matches and no alerts are generated, even though the signature is enabled and the sensor is applied to a policy.

Exam trap

The trap here is that candidates assume a missing protocol parameter would cause a syntax error or prevent the signature from being saved, but FortiGate allows saving incomplete custom signatures that simply never match traffic.

How to eliminate wrong answers

Option A is wrong because even if severity is 'Low' and logging is disabled for low severity, the IPS sensor would still generate alerts (just not log them); the question states no alerts are generated, not just no logs. Option C is wrong because 'Passive' mode only prevents the IPS from dropping traffic but still allows alert generation and logging; it does not suppress alerts entirely. Option D is wrong because 'Flow-based' inspection supports custom signatures and can generate alerts; the issue is not the inspection mode but the missing protocol parameter in the signature definition.
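Questions 12 and 25 both turn on the F-SBID grammar, so here is one added example that covers both: a small Python model of how the keywords are parsed and a signature evaluated. It is written for this page and is not FortiGate's IPS engine; KNOWN_KEYWORDS is the subset of F-SBID keywords this model understands, REQUIRED_KEYWORDS is this model's own choice of what to insist on, and the HTTP request is a constructed sample. Running it shows that the question-12 option as printed fails validation on `--protocol http` and the non-existent `--header`/`--content` keywords, that the corrected signature matches a request whose Host header contains "exploit", and that a question-25 signature with no `--protocol` is never evaluated even though its pattern is present in the traffic.

```python
"""Parse and evaluate signatures written in FortiGate's F-SBID custom-signature
grammar. Teaching model added for this page, not FortiGate's IPS engine; it
covers only the keywords in KNOWN_KEYWORDS. The HTTP request is constructed."""
import re

VALID_PROTOCOLS = {"tcp", "udp", "icmp"}                 # what --protocol accepts
VALID_CONTEXTS = {"uri", "header", "body", "host", "banner"}
KNOWN_KEYWORDS = {"name", "attack_id", "protocol", "service", "flow", "pattern",
                  "context", "no_case", "src_port", "dst_port", "severity"}
REQUIRED_KEYWORDS = {"name", "protocol", "pattern"}       # this model's own minimum

# a keyword, optionally followed by a quoted or bare value; the (?!--) lookahead
# stops the next keyword being swallowed as the value of a flag such as --no_case
_KEYWORD_RE = re.compile(r'--(\w+)(?:\s+("[^"]*"|(?!--)\S+))?')


def parse_fsbid(text):
    """Turn 'F-SBID( --k v; --flag; ... )' into a dict of keyword -> value/True."""
    m = re.fullmatch(r"\s*F-SBID\(\s*(.*?)\s*\)\s*", text, re.S)
    if not m:
        raise ValueError("not an F-SBID( ... ) signature")
    opts = {}
    for key, val in _KEYWORD_RE.findall(m.group(1)):
        val = val.strip('";')
        opts[key] = val if val else True
    return opts


def validate(opts):
    """Return a list of problems; an empty list means the signature is usable."""
    problems = [f"missing --{k}" for k in sorted(REQUIRED_KEYWORDS - opts.keys())]
    problems += [f"unknown keyword --{k}" for k in sorted(opts.keys() - KNOWN_KEYWORDS)]
    proto = opts.get("protocol")
    if isinstance(proto, str) and proto.lower() not in VALID_PROTOCOLS:
        problems.append(f"--protocol takes tcp, udp or icmp, not {proto!r}")
    ctx = opts.get("context")
    if isinstance(ctx, str) and ctx.lower() not in VALID_CONTEXTS:
        problems.append(f"--context {ctx!r} is not a known context")
    return problems


def http_contexts(request):
    """Split a raw HTTP request into the parts that --context can select."""
    head, _, body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    host = next((h.split(":", 1)[1].strip() for h in header_lines
                 if h.lower().startswith("host:")), "")
    return {"uri": parts[1] if len(parts) > 1 else "", "host": host,
            "header": "\r\n".join(header_lines), "body": body, "banner": ""}


def matches(opts, request):
    """Emulate evaluation. A signature that fails validation, including one with
    no --protocol (question 25), is never bound to a flow and never matches."""
    if validate(opts):
        return False
    if str(opts.get("service", "")).upper() == "HTTP":
        haystack = http_contexts(request).get(str(opts.get("context", "")).lower(), request)
    else:
        haystack = request                          # no decoder: raw payload search
    needle = opts["pattern"]
    if opts.get("no_case"):
        return needle.lower() in haystack.lower()
    return needle in haystack


# corrected form of the question-12 signature (semicolon-terminated keywords)
GOOD_SIG = ('F-SBID( --name "HTTP.Host.Exploit"; --protocol tcp; --service HTTP; '
            '--flow from_client; --pattern "EXPLOIT"; --context host; --no_case; )')
# question-12 option D exactly as printed on the page
PAGE_SIG = 'F-SBID( --name "HTTP_EXPLOIT" --protocol http --header Host --content "EXPLOIT" )'
# question-25 scenario: pattern present, --protocol absent
NOPROTO_SIG = 'F-SBID( --name "Missing.Proto"; --pattern "malicious"; )'

# constructed request: Host header carries the string, body carries 'malicious'
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: exploit.example.test\r\n"
                  "User-Agent: constructed-client\r\n\r\nmalicious payload")

if __name__ == "__main__":
    for label, sig in (("corrected", GOOD_SIG), ("page option D", PAGE_SIG), ("no --protocol", NOPROTO_SIG)):
        opts = parse_fsbid(sig)
        print(f"{label:14} problems={validate(opts) or 'none'} matches={matches(opts, SAMPLE_REQUEST)}")
```

The model deliberately refuses to match anything that fails validation, mirroring the troubleshooting lesson of question 25: a signature the engine cannot bind to a flow produces silence rather than an error, so validate the keywords before generating test traffic.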

26
MCQ · easy

A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?

A. Antivirus profile
B. Web Filtering profile
C. Data Leak Prevention profile
D. Email Filtering profile
Answer: D

Email filtering can block phishing emails based on content and reputation.

Why this answer

Option D is correct because FortiGate's Email Filtering profile inspects SMTP, POP3 and IMAP traffic and can tag, discard or (for SMTP) reject messages based on FortiGuard anti-spam checks, which include sender IP reputation and a lookup of URLs found in the message body against FortiGuard's spam URL database, plus local block lists and banned-word rules. That directly addresses blocking phishing mail that carries malicious links. Sender authentication checks such as SPF, DKIM and DMARC are a FortiMail capability, not part of the FortiGate email filter.

Exam trap

The trap here is that candidates often confuse Web Filtering (which handles web traffic) with Email Filtering (which handles email protocols), assuming URL reputation checks in web filtering can block phishing links in emails, but FortiGate requires the Email Filtering profile to inspect SMTP/IMAP/POP3 traffic and apply email-specific actions like quarantine.

How to eliminate wrong answers

Option A is wrong because the Antivirus profile scans for malware signatures in file attachments and does not analyze URLs or email-specific phishing patterns; it would miss malicious links that do not contain executable payloads. Option B is wrong because the Web Filtering profile controls HTTP/HTTPS traffic based on URL categories and reputation, but it operates on web proxy traffic, not on email protocols like SMTP, and cannot inspect or block emails before they reach the user's inbox. Option C is wrong because the Data Leak Prevention profile monitors and prevents unauthorized data exfiltration (e.g., credit card numbers, SSNs) and has no capability to detect phishing links or email-based threats.

27
MCQ · medium

A FortiGate administrator notices that traffic classified as 'unknown' by the antivirus is being allowed. The administrator wants to ensure that such files are submitted to FortiSandbox for analysis and blocked until a verdict is received. Which configuration is required?

A. Create a custom IPS signature for unknown files
B. Enable FortiSandbox in the antivirus profile and set 'Action for unknown files' to 'Block'
C. Enable outbreak prevention in the antivirus profile
D. Enable FortiSandbox in the antivirus profile and set 'Action for known files' to 'Block'
Answer: B

This configuration submits unknown files to FortiSandbox and blocks them until a verdict is returned.

Why this answer

Option B is correct because when FortiSandbox is enabled in the antivirus profile and 'Action for unknown files' is set to 'Block', the FortiGate will submit files that cannot be identified by the local antivirus engine to FortiSandbox for analysis. While the file is being analyzed, it is blocked from reaching the client, ensuring that no potentially malicious content is delivered until a verdict (clean or malicious) is received. This directly addresses the administrator's requirement to block unknown files pending sandbox analysis.

Exam trap

The trap here is that candidates often confuse 'Action for unknown files' with 'Action for known files' or mistakenly think that outbreak prevention (which uses FortiGuard outbreak signatures) is sufficient to block unknown files, when in fact only the sandbox integration with the 'Block' action provides the required submission and blocking behavior.

How to eliminate wrong answers

Option A is wrong because custom IPS signatures are designed to detect and block network-level attacks based on traffic patterns, not to handle unknown files identified by the antivirus engine; IPS does not integrate with FortiSandbox for file submission. Option C is wrong because outbreak prevention in the antivirus profile uses FortiGuard outbreak alerts to block files based on known outbreak signatures, but it does not submit unknown files to FortiSandbox or block them pending analysis; it relies on pre-existing outbreak intelligence. Option D is wrong because setting 'Action for known files' to 'Block' would block files that are already identified by the antivirus engine, which is the opposite of the requirement; the administrator needs to block unknown files, not known ones.

28
MCQ · easy

What does FortiGuard Outbreak Prevention use to protect against newly discovered malware outbreaks before traditional signatures are available?

A. Outbreak signatures and hash-based blocking
B. IP reputation and URL filtering
C. Heuristic analysis and emulation
D. Artificial intelligence and behavior analysis
Answer: A

Outbreak prevention uses hashes of malicious files identified during outbreaks.

Why this answer

FortiGuard Outbreak Prevention uses outbreak alerts and hashes from FortiSandbox and other sources to quickly block files.

29
Multi-Select · medium

A company receives a threat intelligence feed that lists several IP addresses as malicious. The administrator wants to automatically block traffic from these IPs on FortiGate. Which TWO methods can achieve this? (Choose two.)

Select 2 answers
A. Enable FortiGuard Outbreak Prevention
B. Configure an external connector to a threat intelligence feed and map it to an address object
C. Use an automation stitch with a trigger that receives the feed and an action to update blocked IPs
D. Configure a firewall policy to deny all traffic from unknown sources
E. Create an address group and add the IPs manually
Answers: B, C

External connectors can pull threat feeds and update address objects automatically.

Why this answer

Threat feeds can be used to create dynamic address objects (via external connectors) or automation stitches can parse the feed and update a blocked IP list.

30
MCQ · easy

What is the primary purpose of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus features?

A. To remove potentially malicious content from documents and rebuild them as safe files
B. To convert files into PDF format for safer viewing
C. To detect zero-day malware using sandboxing
D. To block all files containing macros
Answer: A

CDR strips active content and reconstructs files to eliminate threats.

Why this answer

Content Disarm and Reconstruction (CDR) is designed to remove active or potentially malicious content—such as macros, scripts, embedded objects, and OLE links—from documents (e.g., Office files, PDFs) and then reconstruct them as sanitized, safe versions. This approach prevents threats like macro-based malware or exploit-laden attachments from reaching users, even if the file contains previously unknown (zero-day) payloads, by stripping the dangerous components rather than relying solely on signature-based detection.

Exam trap

The trap here is that candidates often confuse CDR with sandboxing or macro blocking, but CDR is a static sanitization technique that removes active content from files without detonating them, whereas sandboxing involves dynamic analysis and macro blocking is a simpler, all-or-nothing approach that CDR avoids by allowing safe use of the document.

How to eliminate wrong answers

Option B is wrong because CDR does not convert files to PDF format; it sanitizes the original file format (e.g., DOCX, XLSX, PDF) and returns a cleaned version in the same format, not a different one. Option C is wrong because CDR is not a sandboxing or dynamic analysis feature; it statically disarms content by removing active elements, whereas sandboxing (e.g., FortiSandbox) detonates files in a virtual environment to detect zero-day malware. Option D is wrong because CDR does not block all files containing macros; it removes the macros and other active content from the file and then delivers the sanitized file, allowing the document to be used safely without the macro functionality.

31
MCQ · medium

A FortiGate is configured with a WAF profile to protect a web server. The administrator notices that SQL injection attacks are still reaching the server despite the WAF being enabled. What is the MOST likely reason?

A. The SQL injection signature set is disabled in the WAF profile
B. The attack is coming from a trusted IP
C. The web server is using HTTPS without SSL inspection
D. The WAF profile is not applied to the correct policy
Answer: A

WAF signatures are organized in groups; SQL injection must be enabled.

Why this answer

The WAF profile contains signature sets that detect and block common attack patterns, including SQL injection. If the SQL injection signature set is disabled within the profile, the WAF will not inspect traffic for those patterns, allowing attacks to pass through. This is the most direct and likely reason why SQL injection attacks are reaching the server despite the WAF being enabled.

Exam trap

The trap here is that candidates often assume a WAF profile is a monolithic block of protection, but FortiGate allows granular disabling of individual signature sets, and the exam tests whether you understand that a disabled signature set is the most direct cause of a specific attack type bypassing the WAF.

How to eliminate wrong answers

Option B is wrong because a trusted IP exception would only bypass WAF inspection for traffic from that specific source; it would not explain why SQL injection attacks from other sources are still reaching the server. Option C is wrong because HTTPS without SSL inspection means the WAF cannot decrypt the payload, but FortiGate can still inspect encrypted traffic using certificate-based inspection or flow-based inspection with SSL offloading; the lack of SSL inspection would prevent all WAF inspection of that traffic, not just SQL injection detection. Option D is wrong because if the WAF profile were not applied to the correct policy, no WAF inspection would occur at all, and the administrator would likely see no WAF-related logs or blocking; the question states the WAF is enabled, implying it is applied somewhere.

32
MCQ · medium

A security administrator wants to block email spoofing attacks against their organization's domain. They configure SPF, DKIM, and DMARC records. Which protocol authenticates the domain of the email sender by verifying the email's signature against a public key published in DNS?

A. SPF
B. ARC
C. DKIM
D. DMARC
Answer: C

DKIM signs emails with a private key; the public key in DNS verifies the signature.

Why this answer

DKIM (DomainKeys Identified Mail) is the correct answer because it provides email authentication by allowing the sender to cryptographically sign an email with a private key. The receiving mail server then retrieves the sender's public key from a DNS TXT record and verifies the signature, confirming that the email was not tampered with and originates from a domain the sender is authorized to use.

Exam trap

The trap here is that candidates often confuse SPF's IP-based verification with DKIM's cryptographic signature verification, or they assume DMARC performs the actual authentication, when in fact DMARC only enforces policies based on SPF and DKIM results.

How to eliminate wrong answers

Option A is wrong because SPF (Sender Policy Framework) authenticates the sending server's IP address against a list of authorized IPs published in DNS, not by verifying a cryptographic signature. Option B is wrong because ARC (Authenticated Received Chain) is a protocol that preserves email authentication results across intermediate hops (forwarders or mailing lists), but it does not itself authenticate the original sender's domain via a signature. Option D is wrong because DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy framework that uses SPF and DKIM results to instruct receivers on how to handle unauthenticated email (e.g., quarantine or reject), but it does not perform signature verification itself.

33
MCQ · easy

Which feature on FortiGate uses machine learning to detect never-before-seen malware based on file characteristics?

A. Machine Learning Engine
B. Outbreak Prevention
C. FortiSandbox
D. Content Disarm and Reconstruction
Answer: A

ML engine detects unknown malware based on file features.

Why this answer

The Machine Learning (ML) Engine in FortiGate's antivirus uses ML to detect unknown malware.

34
MCQ · medium

An administrator configures FortiSandbox inline scanning for HTTP traffic. They notice that files uploaded via HTTP are being scanned but no verdict is being returned, causing delays. What is the MOST likely cause?

A. The FortiSandbox has reached its maximum storage capacity
B. The FortiSandbox is not registered with the FortiGate
C. The file scan timeout is too short, causing FortiGate to pass the file before a verdict is received
D. The file type is not supported by FortiSandbox
Answer: C

If FortiSandbox takes longer than the configured timeout, FortiGate allows the file to pass without a verdict.

Why this answer

When FortiGate sends a file to FortiSandbox for inline scanning, it waits for a verdict before allowing the traffic to proceed. If the file scan timeout is too short, FortiGate will stop waiting for the verdict and pass the file anyway, causing the observed delay without a final verdict. This is the most likely cause because the administrator sees scanning occurring but no verdict returned, which aligns with a premature timeout rather than a failure to scan.

Exam trap

The trap here is that candidates often assume a missing verdict is due to a registration or capacity issue, but the question specifically states scanning is occurring, which eliminates options A and B, and the delay points directly to a timeout configuration problem.

How to eliminate wrong answers

Option A is wrong because if the FortiSandbox had reached maximum storage capacity, it would typically reject new submissions or fail to store results, but the file would still be scanned or an error would be returned, not a delay without verdict. Option B is wrong because if the FortiSandbox were not registered with the FortiGate, the FortiGate would not be able to send files for scanning at all, so no scanning would occur. Option D is wrong because if the file type were not supported, FortiSandbox would either skip the file or return an unsupported verdict quickly, not cause a delay without a verdict.

35
MCQ · medium

An administrator is configuring a firewall policy for web traffic to a critical web application. They want to protect against SQL injection and cross-site scripting. Which security profile should they apply?

A. Antivirus profile with CDR
B. Application control profile
C. Web Application Firewall (WAF) profile
D. IPS sensor with pre-defined signatures
Answer: C

WAF is built for web application threats including SQL injection and XSS.

Why this answer

Option C is correct. Web Application Firewall (WAF) on FortiGate provides signature-based and anomaly-based detection for web application attacks like SQL injection and XSS.

36
Multi-Select · medium

An administrator needs to configure advanced email security on FortiMail to protect against phishing and spoofing. Which THREE features should be enabled to achieve comprehensive email authentication?

Select 3 answers
A. DKIM signing and verification
B. SPF checking
C. DMARC policy enforcement
D. Anti-spam Bayesian filtering
E. TLS encryption for inbound/outbound
Answers: A, B, C

DKIM provides digital signatures for email integrity.

37
MCQ · medium

An administrator wants to use FortiGate to automatically block traffic if FortiEDR detects a threat on an endpoint. Which feature should the administrator configure?

A. Configure a VPN tunnel between FortiGate and FortiEDR
B. Enable FortiGuard Outbreak Prevention on the antivirus profile
C. Configure a static route to the FortiEDR management IP
D. Create an automation stitch with a trigger from FortiEDR and an action to block the source IP
Answer: D

Automation stitches allow FortiGate to respond to events from FortiEDR.

Why this answer

Option D is correct because FortiGate integrates with FortiEDR via automation stitches, which allow events from FortiEDR (such as a detected threat) to trigger automated actions on FortiGate, such as blocking the source IP of the compromised endpoint. This provides real-time, policy-driven threat response without manual intervention, leveraging the Fortinet Security Fabric.

Exam trap

The trap here is that candidates often confuse integration methods, assuming a VPN or routing change is needed for communication, when in fact FortiEDR and FortiGate communicate via the Security Fabric's REST API and automation stitches, not traditional network tunnels.

How to eliminate wrong answers

Option A is wrong because a VPN tunnel is used for secure site-to-site or remote access connectivity, not for receiving threat events from FortiEDR; FortiEDR communicates with FortiGate via REST API or Fabric connector, not VPN. Option B is wrong because FortiGuard Outbreak Prevention is a signature-based feature within antivirus profiles that blocks known outbreaks based on FortiGuard threat intelligence, not a mechanism to receive and act on FortiEDR-specific endpoint detections. Option C is wrong because a static route is used for IP routing and does not enable event-driven communication or automation between FortiEDR and FortiGate; the integration requires API-based triggers, not routing entries.

38
MCQ · medium

An organization wants to protect against unknown malware by using machine learning on FortiGate. Which antivirus setting should be enabled to achieve this?

A. Enable 'Outbreak Prevention' under FortiGuard settings
B. Set 'av-engine' to 'flow' under system settings
C. Enable 'Machine Learning Engine' in the antivirus profile
D. Enable 'FortiSandbox inline scanning' in the antivirus profile
Answer: C

This enables the ML engine to detect unknown malware based on behavioral analysis.

Why this answer

Option C is correct because the 'Machine Learning Engine' in the antivirus profile uses on-device machine learning models to detect unknown malware based on file characteristics, without requiring signature updates. This provides proactive protection against zero-day threats directly on the FortiGate, aligning with the requirement to protect against unknown malware using machine learning.

Exam trap

The trap here is that candidates often confuse 'FortiSandbox inline scanning' with machine learning, but FortiSandbox uses behavioral analysis in a sandbox environment, not on-device ML, and requires additional licensing and infrastructure.

How to eliminate wrong answers

Option A is wrong because 'Outbreak Prevention' under FortiGuard settings is a cloud-based service that uses outbreak signatures and heuristics, not on-device machine learning, and requires internet connectivity to FortiGuard. Option B is wrong because setting 'av-engine' to 'flow' changes the antivirus scanning mode from proxy-based to flow-based, which affects performance and inspection depth but does not enable machine learning for unknown malware detection. Option D is wrong because 'FortiSandbox inline scanning' in the antivirus profile sends files to an external FortiSandbox appliance for dynamic analysis, which is not on-device machine learning and introduces latency; it is a separate feature from the Machine Learning Engine.

39
MCQ · easy

An administrator wants to block a zero-day malware outbreak detected by FortiGuard. Which feature should be configured to automatically block the threat across all enabled FortiGate devices?

A. FortiSandbox Cloud
B. IPS Custom Signatures
C. FortiGuard Outbreak Prevention
D. Application Control
Answer: C

This feature automatically blocks zero-day outbreaks using FortiGuard threat intelligence.

Why this answer

FortiGuard Outbreak Prevention automatically blocks new threats by pushing updated signatures or indicators. It requires an active FortiGuard subscription and can be enabled globally.

40
MCQ · medium

A company uses FortiMail and wants to ensure that incoming emails are authenticated using SPF, DKIM, and DMARC. Which profile should the administrator configure to enforce these checks?

A. Session Profile
B. Antispam Profile
C. IP Policy
D. Authentication Profile
Answer: D

This profile configures email authentication checks.

Why this answer

FortiMail uses an 'Authentication Profile' to configure SPF, DKIM, and DMARC verification for incoming emails.

41
Multi-Select · medium

An administrator is configuring FortiGate automation stitches to respond to a detected ransomware outbreak. The trigger is a high severity event from FortiSandbox. Which TWO actions can be used in an automation stitch to contain the threat?

Select 2 answers
A. Create a new FortiGate administrator account
B. Send an SNMP trap to a monitoring system
C. Change the SSID of a wireless network
D. Execute a CLI script to block the infected host's IP address
E. Quarantine the endpoint using FortiClient EMS integration
Answers: D, E

CLI scripts can be used to block IPs via firewall policies or blacklist.

Why this answer

Automation stitches can execute CLI commands or quarantine compromised hosts via EMS. These actions help contain the outbreak.

42
MCQ · medium

An organization wants to protect against zero-day malware by using FortiGate's outbreak prevention feature. Which configuration is required to enable outbreak prevention in the antivirus profile?

A. Enable 'Machine Learning Engine' in the antivirus profile
B. Enable 'FortiSandbox Inline Scan'
C. Select 'Outbreak Prevention' under Antivirus profile settings
D. Configure a web filter profile to block malicious URLs
Answer: C

This directly enables outbreak prevention, which uses outbreak signatures.

Why this answer

Outbreak prevention uses FortiGuard's outbreak alert database to block files that match outbreak criteria. It must be enabled in the antivirus profile under 'Outbreak Prevention'.

43
MCQ · medium

A company uses FortiGate as a web application firewall (WAF) to protect a public web server. The security team wants to block SQL injection attacks. Which WAF signature category should the administrator enable?

A. Server-Side Request Forgery
B. Command Injection
C. SQL Injection
D. Cross-Site Scripting
Answer: C

SQL injection signatures detect and block SQL injection attempts.

Why this answer

The correct answer is C because SQL injection attacks specifically target database queries by injecting malicious SQL statements through input fields. FortiGate's WAF signature category for SQL Injection is designed to detect and block these patterns, such as 'OR 1=1' or UNION-based injections, by matching against known attack signatures in the HTTP request payload.

Exam trap

The trap here is that candidates may confuse SQL Injection with Command Injection (Option B) because both involve injection attacks, but SQL Injection targets database layers via SQL syntax, while Command Injection targets the OS shell via system commands.

How to eliminate wrong answers

Option A is wrong because Server-Side Request Forgery (SSRF) is an attack that forces a server to make internal requests, not directly related to SQL injection; FortiGate's WAF has a separate signature category for SSRF. Option B is wrong because Command Injection involves executing system commands (e.g., via shell metacharacters) on the server, not database queries, and is covered by a different WAF signature category. Option D is wrong because Cross-Site Scripting (XSS) injects client-side scripts into web pages viewed by other users, targeting browsers rather than the database backend, and is handled by its own WAF signature category.

44
MCQ · easy

A FortiGate administrator wants to ensure that files in email attachments are disarmed before delivery. Which security feature should be configured in the antivirus profile?

A. Content Disarm and Reconstruction (CDR)
B. FortiSandbox inline scanning
C. Machine Learning Engine
D. Outbreak Prevention
Answer: A

CDR strips active content and rebuilds files to a safe state.

Why this answer

Option A is correct. Content Disarm and Reconstruction (CDR) is specifically designed to remove active content and rebuild files, making them safe for delivery.

45
Multi-Select · medium

An organization wants to implement email authentication to prevent spoofing and phishing attacks. They use FortiMail as their email security gateway. Which THREE mechanisms should they configure to achieve comprehensive email authentication?

Select 3 answers
A. Transport Layer Security (TLS) for SMTP
B. FortiGuard Antispam
C. Sender Policy Framework (SPF)
D. Domain-based Message Authentication, Reporting and Conformance (DMARC)
E. DomainKeys Identified Mail (DKIM)
Answers: C, D, E

SPF verifies that the sending server is authorized by the domain owner.

Why this answer

SPF, DKIM, and DMARC are the three standard email authentication methods that work together to verify sender authenticity and prevent spoofing.

46
MCQ · hard

An administrator configures FortiSandbox to quarantine files that are rated 'malicious'. They notice that some files are being quarantined even though the verdict is 'clean'. What could explain this?

A. The quarantine action is set to apply to files with a risk level above a certain threshold, and clean files have been incorrectly rated
B. FortiSandbox uses a whitelist that includes those files
C. The files were submitted by a different FortiGate with different settings
D. The administrator has enabled 'aggressive mode' which quarantines all files
Answer: A

Risk level thresholds can cause false positives if set too aggressively.

Why this answer

The correct answer is A because FortiSandbox's quarantine action can be configured based on a risk score threshold, not solely on the verdict. If the risk score for a file rated 'clean' exceeds the configured threshold, the file may still be quarantined. This occurs because the verdict and risk score are separate attributes; a 'clean' verdict indicates no known malware, but the file's behavior or heuristics may still generate a high risk score that triggers quarantine.

Exam trap

The trap here is that candidates assume quarantine is strictly tied to the verdict, overlooking that FortiSandbox's quarantine action can be independently triggered by a risk score threshold, leading to quarantine of 'clean' files with high risk scores.

How to eliminate wrong answers

Option B is wrong because a whitelist would prevent quarantine, not cause it; whitelisted files are explicitly allowed and bypass scanning. Option C is wrong because files submitted by different FortiGate devices are evaluated independently by FortiSandbox based on its own analysis, not on the submitting device's settings; the quarantine decision is local to the FortiSandbox configuration. Option D is wrong because 'aggressive mode' in FortiSandbox does not exist; FortiSandbox uses configurable risk thresholds and verdicts, not an all-or-nothing aggressive mode.

47
MCQ · easy

A company wants to protect its internal users from malicious files attached to emails. Which FortiGate feature should be configured to inspect SMTP traffic for malware?

A. Antivirus
B. Email Filter
C. Web Filter
D. IPS
Answer: A

Antivirus profiles can scan SMTP, POP3, and IMAP traffic for malware.

Why this answer

FortiGate's Antivirus feature is designed to scan SMTP traffic for malware by inspecting email attachments and body content against virus signatures. When configured in a security policy, it intercepts SMTP sessions, buffers the email data, and performs real-time scanning to block or quarantine malicious files before delivery to internal users.

Exam trap

The trap here is that candidates confuse 'Email Filter' (which handles spam and content filtering) with antivirus scanning, assuming email security is solely about filtering, when in fact malware detection requires the dedicated Antivirus feature to inspect SMTP payloads at the file level.

How to eliminate wrong answers

Option B (Email Filter) is wrong because it focuses on spam filtering, content blocking, and email address/domain blacklisting, not on malware detection in attachments. Option C (Web Filter) is wrong because it controls HTTP/HTTPS traffic to block malicious URLs and web content, not SMTP email traffic. Option D (IPS) is wrong because it detects and prevents network-level attacks (e.g., exploits, buffer overflows) based on signatures, but it does not perform file-level malware scanning on email attachments.

48
MCQ · medium

An organization wants to deploy a web application firewall (WAF) to protect a public-facing web application. They are evaluating FortiGate versus FortiWeb. Which of the following is a key advantage of using FortiWeb over FortiGate for WAF functionality?

A. FortiWeb offers advanced bot detection and positive security model
B. FortiGate can perform SSL deep inspection without performance impact
C. FortiGate supports a larger number of web servers behind a single policy
D. FortiGate can automatically patch web application vulnerabilities
Answer: A

FortiWeb includes machine learning bot detection and positive security model (whitelisting), which FortiGate lacks.

Why this answer

FortiWeb is a dedicated web application firewall that provides advanced bot detection and a positive security model, which allows only explicitly allowed traffic based on a whitelist of known good patterns. This is a key advantage over FortiGate, which primarily uses a negative security model (signature-based) and lacks the same depth of bot mitigation and positive enforcement for web-specific threats.

Exam trap

The trap here is that candidates assume FortiGate's integrated WAF features are equivalent to a dedicated WAF, but FortiWeb's positive security model and advanced bot detection are unique differentiators that FortiGate lacks.

How to eliminate wrong answers

Option B is wrong because FortiGate, like any device performing SSL deep inspection, incurs performance overhead due to decryption/re-encryption, and FortiGate does not claim zero performance impact. Option C is wrong because FortiGate does not inherently support a larger number of web servers behind a single policy; both platforms can scale, but FortiWeb is specifically optimized for high-volume web server pools with granular per-server policies. Option D is wrong because neither FortiGate nor FortiWeb automatically patches web application vulnerabilities; they detect and block exploit attempts but do not modify application code.

49
MCQ · medium

A FortiGate administrator configures an antivirus profile with the machine learning engine enabled and applies it to a policy inspecting HTTP traffic. After deployment, the admin notices that some files are being allowed that should have been detected. What is the MOST likely cause?

A. The ML engine is in monitor-only mode
B. FortiGuard outbreak prevention is disabled
C. The antivirus profile is using flow-based inspection instead of proxy-based
D. The file size exceeds the maximum scanning limit
Answer: A

Monitor mode logs detections but does not block. To block, the engine must be in protect mode.

Why this answer

The most likely cause is that the machine learning engine is configured in monitor-only mode. In this mode, the ML engine will log detections and generate alerts but will not take any action to block the file, allowing it to pass through the policy. This is a common initial deployment strategy to assess the ML engine's impact before enabling active blocking.

Exam trap

The trap here is that candidates often assume the ML engine always blocks threats by default, overlooking the distinct monitor-only mode that logs detections without enforcement.

How to eliminate wrong answers

Option B is wrong because FortiGuard outbreak prevention is a separate feature that provides real-time updates for zero-day threats; disabling it would not cause the ML engine to allow files it should detect, as the ML engine operates independently of FortiGuard updates. Option C is wrong because flow-based inspection supports the ML engine and can perform detection; the issue is not the inspection mode but the action configured for the ML engine. Option D is wrong because if the file size exceeded the maximum scanning limit, the file would typically be skipped entirely or passed without any scanning, not allowed after being evaluated by the ML engine.

50
MCQ · medium

A company wants to receive threat intelligence feeds from external sources to enhance their FortiGate's protection. Which method should be used to integrate external threat feeds into FortiGate?

A. Use FortiGuard Threat Intelligence Service which automatically pulls feeds.
B. Manually add IP addresses to local address objects.
C. Configure an external threat feed connector in FortiGate, such as using a URL to a STIX/TAXII feed.
D. Use FortiAnalyzer to push feeds to FortiGate.
Answer: C

FortiGate supports external threat feeds via indicators of compromise (IOC) using STIX/TAXII or via the 'config system external-resource' command.

51
MCQ · medium

An organization deploys FortiEDR to protect endpoints. Which component is responsible for collecting and sending telemetry data to the FortiEDR management console?

A. FortiGate firewall
B. FortiEDR Sensor (Agent)
C. FortiAnalyzer
D. FortiClient EMS
Answer: B

The sensor is installed on endpoints to gather data.

Why this answer

The FortiEDR Sensor (Agent) is the endpoint-resident component that collects telemetry data—such as process creation, network connections, file system changes, and registry modifications—and securely transmits it to the FortiEDR management console (Controller) for analysis and threat detection. Without the sensor, the management console has no visibility into endpoint activity.

Exam trap

The trap here is that candidates often confuse FortiClient EMS (which manages endpoint policies) with the FortiEDR Sensor, assuming that EMS handles telemetry collection, when in fact the sensor is a separate, dedicated agent for endpoint detection and response.

How to eliminate wrong answers

Option A is wrong because FortiGate is a next-generation firewall that provides network security and can integrate with FortiEDR via API or syslog, but it does not collect or send endpoint telemetry data to the FortiEDR management console. Option C is wrong because FortiAnalyzer is a centralized logging and reporting appliance that aggregates logs from Fortinet devices (e.g., FortiGate, FortiMail) but does not act as the telemetry collection agent for FortiEDR endpoints. Option D is wrong because FortiClient EMS manages endpoint compliance, VPN, and web filtering policies, and while it can integrate with FortiEDR, it is not the component that collects and sends endpoint telemetry to the FortiEDR console.

52
MCQhard

An administrator configures email authentication (SPF, DKIM, DMARC) on FortiMail. They find that legitimate emails are being marked as spam by FortiMail. The SPF check passes but DKIM fails. What could be the issue?

A.The SPF record is too strict
B.The email was forwarded by an intermediary that strips the DKIM signature
C.FortiMail has a bug in the DKIM verification module
D.The DMARC policy is set to reject
AnswerB

Forwarding often breaks DKIM, causing it to fail.

Why this answer

Option B is correct because when an email is forwarded by an intermediary (e.g., a mailing list or forwarding service), the intermediary often modifies the message body or a signed header (a list footer, a subject tag, re-encoding), which invalidates the DKIM signature. DKIM covers a hash of the canonicalized body and of the selected headers, so any alteration, even by a legitimate forwarder, causes verification to fail. SPF can still pass because the forwarder typically rewrites the envelope sender to its own domain (SRS), whose SPF record authorizes the forwarding server; that pass is not aligned with the From: domain, so with DKIM also failing, DMARC fails and FortiMail applies the configured spam or quarantine action.

Exam trap

The trap here is that candidates assume DKIM failure is always due to a misconfiguration on the sending side, rather than recognizing that forwarding or intermediary modification is a common and legitimate cause of DKIM breakage.

How to eliminate wrong answers

Option A is wrong because a strict SPF record (e.g., -all) would cause SPF to fail, not pass; the question states SPF passes, so this is irrelevant. Option C is wrong because a verifier bug is the least likely explanation when a well-known, routine cause (modification in transit) fully explains the symptom; it is a red herring. Option D is wrong because a DMARC policy of p=reject only dictates what the receiver does once a message fails DMARC (neither SPF nor DKIM passes in alignment with the From: domain); it is a consequence of the failure, not a cause of the DKIM failure itself.
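The mechanism behind option B, as an added example that is not part of the original page or of FortiMail: a cut-down DKIM model with RFC 6376 relaxed canonicalization and a real SHA-256 body hash, with the RSA signature replaced by an HMAC over a shared secret so it runs offline. It shows that a forwarder which only normalizes whitespace leaves the signature intact, while a mailing list that appends a footer or tags the Subject breaks it. Messages and the secret are constructed.

```python
"""Why forwarding breaks DKIM: a cut-down DKIM model (added example, not the
page's or Fortinet's code).  Body hash and relaxed canonicalisation follow
RFC 6376; the public-key RSA signature is replaced by an HMAC with a shared
secret so the example runs offline.  Messages are constructed samples."""
import hashlib
import hmac
import re

SECRET = b"stand-in-for-the-signing-key"  # assumption: replaces the RSA key pair


def canon_body_relaxed(body: str) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs to one SP, strip trailing WSP on each
    line, drop trailing empty lines, terminate with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def canon_header_relaxed(name: str, value: str) -> bytes:
    """RFC 6376 3.4.2: lower-case name, unfold, collapse WSP, trim."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n".encode()


def sign(headers: dict, body: str, signed=("from", "to", "subject")) -> dict:
    """Produce a DKIM-Signature-like record: h= (signed headers), bh= (body
    hash) and b= (signature over the canonical headers plus bh)."""
    bh = hashlib.sha256(canon_body_relaxed(body)).hexdigest()
    data = b"".join(canon_header_relaxed(h, headers[h]) for h in signed)
    data += b"dkim-signature:h=" + ":".join(signed).encode() + b"; bh=" + bh.encode()
    return {"h": signed, "bh": bh, "b": hmac.new(SECRET, data, hashlib.sha256).hexdigest()}


def verify(sig: dict, headers: dict, body: str) -> str:
    """'pass', or the failure reason a verifier such as FortiMail would log."""
    if hashlib.sha256(canon_body_relaxed(body)).hexdigest() != sig["bh"]:
        return "fail: body hash mismatch"
    data = b"".join(canon_header_relaxed(h, headers.get(h, "")) for h in sig["h"])
    data += b"dkim-signature:h=" + ":".join(sig["h"]).encode() + b"; bh=" + sig["bh"].encode()
    expected = hmac.new(SECRET, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig["b"]):
        return "fail: header hash mismatch"
    return "pass"


# Constructed original message, signed by the sending domain
ORIG_HEADERS = {"from": "alice@example.com", "to": "list@example.org", "subject": "Q3 numbers"}
ORIG_BODY = "Hi all,\n\nPlease see attached.\t\n\nAlice\n\n"
SIG = sign(ORIG_HEADERS, ORIG_BODY)


def forwarding_outcomes() -> dict:
    """Verification result under three common intermediary behaviours."""
    whitespace_only = ORIG_BODY.replace("\t", "    ")       # whitespace re-normalised in transit
    footer_added = ORIG_BODY + "--\nYou received this via list@example.org\n"
    subject_tagged = dict(ORIG_HEADERS, subject="[list] Q3 numbers")
    return {
        "untouched": verify(SIG, ORIG_HEADERS, ORIG_BODY),
        "whitespace_normalised": verify(SIG, ORIG_HEADERS, whitespace_only),
        "footer_appended": verify(SIG, ORIG_HEADERS, footer_added),
        "subject_tagged": verify(SIG, subject_tagged, ORIG_BODY),
    }


if __name__ == "__main__":
    for case, result in forwarding_outcomes().items():
        print(f"{case:22s} {result}")
```

When triaging this on FortiMail, look at the failure reason: a body-hash mismatch with an intact header hash points at a list footer or disclaimer inserted downstream of the signer, which the sending domain cannot fix by changing its DNS records.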

53
Multi-Selecthard

An organization is deploying FortiEDR to enhance endpoint protection. Which THREE capabilities does FortiEDR provide? (Choose three.)

Select 3 answers
A.Forensic investigation and root cause analysis
B.Decoy deployment to lure attackers
C.Real-time threat detection using behavioral analysis
D.Automated response to isolate compromised endpoints
E.Email security filtering
AnswersA, C, D

FortiEDR provides detailed forensic data for investigation.

Why this answer

Options A, C, and D are correct because FortiEDR provides real-time behavioral detection, automated response (including host isolation), and forensic investigation with root cause analysis. Option B is wrong because decoy deployment is FortiDeceptor's role, and option E is wrong because email filtering is FortiMail's.

54
MCQmedium

An organization uses FortiGate's WAF feature (not FortiWeb) to protect a web server. The admin configures an inline WAF profile but notices that the WAF is not inspecting traffic. What is the most likely cause?

A.The WAF profile is not applied to a firewall policy
B.SSL Inspection is not enabled on the firewall policy
C.The firewall policy uses flow-based inspection
D.The WAF profile is configured in monitor mode
AnswerB

Without decryption, FortiGate cannot inspect encrypted traffic for WAF rules.

Why this answer

FortiGate's WAF feature can only match signatures and constraints against plaintext HTTP. If the protected server is reached over HTTPS and no deep SSL inspection profile is applied to the policy, the WAF sees only ciphertext and inspects nothing. A practitioner should check option C in the same pass: the FortiGate WAF profile is only available on proxy-based inspection policies, so a flow-based policy will not run it either.

55
Drag & Dropmedium

Drag and drop the steps to configure OSPF on a FortiGate firewall into the correct order.


Why this order

Enter OSPF configuration (config router ospf), define areas and networks, set the router ID, enable and tune OSPF on the participating interfaces, then verify adjacencies (get router info ospf neighbor) and learned routes.

56
MCQeasy

A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?

A.Data Leak Prevention profile
B.Antivirus profile with SSL inspection
C.Web Filtering profile
D.Intrusion Prevention profile
AnswerB

Antivirus profiles can be configured with SSL inspection to detect malware in encrypted C2 traffic.

Why this answer

Option B is correct because an Antivirus profile with SSL inspection enabled is required to decrypt encrypted C2 (command-and-control) traffic so that FortiGate can inspect the payload for malware signatures, heuristics, and behavioral patterns. Without SSL inspection, the ATP engine cannot see inside the encrypted tunnel, rendering the antivirus and other security profiles ineffective against encrypted C2 communications.

Exam trap

The trap here is that candidates often assume IPS or Web Filtering alone can block encrypted C2 traffic, but without SSL inspection, these profiles cannot see inside the encrypted tunnel, making the Antivirus profile with SSL inspection the only correct choice for detecting malware in encrypted communications.

How to eliminate wrong answers

Option A is wrong because a Data Leak Prevention (DLP) profile focuses on detecting and preventing unauthorized transmission of sensitive data (e.g., credit card numbers, PII) and does not perform SSL inspection or detect advanced malware C2 traffic. Option C is wrong because a Web Filtering profile controls access to URLs and categories (e.g., blocking malicious sites) but does not decrypt or inspect the content of encrypted sessions for malware payloads. Option D is wrong because an Intrusion Prevention profile (IPS) detects and blocks network-level exploits and vulnerabilities, but without SSL inspection, it cannot analyze encrypted C2 traffic; IPS relies on decrypted traffic to match signatures.

57
MCQhard

An admin configures Content Disarm and Reconstruction (CDR) on FortiGate to protect against malicious macros in Office documents. After applying the CDR profile to a firewall policy, users complain that documents are not being delivered. What is the most likely cause?

A.The CDR profile has 'File Filter' enabled that blocks the file type
B.The FortiGate is running in transparent mode
C.The firewall policy is configured for flow-based inspection
D.The antivirus profile is not applied to the same policy
AnswerC

CDR requires proxy-based inspection mode. The CDR options are not available to a flow-based policy, so applying the profile there either has no effect or, where it was applied inconsistently, leaves the documents undelivered.

Why this answer

CDR requires proxy-based inspection to intercept, disarm, and reconstruct documents. Flow-based inspection bypasses the deep inspection engine, so CDR cannot process the files, causing delivery failures. FortiGate must use proxy-based inspection mode for CDR to function correctly.

Exam trap

The trap here is that candidates assume CDR is a simple file-filtering feature that works regardless of inspection mode, but Fortinet explicitly restricts CDR to proxy-based inspection, making flow-based mode a common misconfiguration that causes silent delivery failures.

How to eliminate wrong answers

Option A is wrong because file filtering is a separate profile from CDR; it decides whether a file type is allowed through at all, and a block there would show up as a file-filter log entry, not as a CDR failure. Option B is wrong because transparent mode does not affect CDR; CDR works in both transparent and NAT modes as long as proxy-based inspection is used. Option D is wrong because CDR is configured inside the antivirus profile and does not depend on a separate antivirus profile being present; the absence of one would not cause a delivery failure.

58
Multi-Selectmedium

An administrator is configuring FortiGate automation stitches to respond to a detected brute-force attack against an internal web server. The trigger is set to 'Event' with a condition matching repeated failed login attempts. Which TWO actions are appropriate to mitigate the attack? (Choose two.)

Select 2 answers
A.Add the source IP to a local address group that is used in a block policy
B.Send an email notification to the SOC team
C.Enable quarantine on the web server
D.Shut down the web server interface
E.Run a CLI script to disable the user account
AnswersA, B

This blocks traffic from the attacker IP.

Why this answer

Option A is correct because adding the source IP to a local address group that is referenced in a block policy dynamically updates the firewall rule set to drop all traffic from that IP. This is a common automation stitch action in FortiGate that leverages the local address object and policy to enforce immediate blocking without manual intervention.

Exam trap

The trap here is that candidates may confuse 'quarantine' (a FortiClient/EMS endpoint concept) with network-level blocking, or assume that disabling a user account via CLI is a valid automation stitch action, when FortiGate stitches primarily handle network and security fabric actions, not OS-level account management.
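The detection logic that would sit behind the trigger in this scenario, plus the CLI the stitch's 'CLI Script' action could run for option A, as an added example that is not part of the original page or of FortiOS: count failed logins per source IP inside a sliding window over sample key=value event log lines, then emit the FortiOS commands that create a /32 address object and append it to an address group referenced by a deny policy. The log lines are constructed, and the group name 'auto-block' and the object prefix 'blk-' are assumed.

```python
"""Detection logic behind a brute-force automation stitch, as an added example
(not Fortinet's code): count failed logins per source IP inside a sliding
window over sample FortiOS-style key=value event log lines, then emit the CLI
the stitch's 'CLI Script' action would run to drop the offender into an address
group referenced by a deny policy.  Log lines, the group name 'auto-block' and
the address-object prefix 'blk-' are constructed/assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re
import shlex

# Constructed sample: five failures from one source within six seconds,
# one success, and a lone failure from a second source half an hour later.
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.9 action="login" status="failed"
date=2024-05-01 time=10:00:03 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.9 action="login" status="failed"
date=2024-05-01 time=10:00:04 type="event" subtype="system" level="notice" user="ops" srcip=198.51.100.5 action="login" status="success"
date=2024-05-01 time=10:00:05 type="event" subtype="system" level="alert" user="root" srcip=203.0.113.9 action="login" status="failed"
date=2024-05-01 time=10:00:06 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.9 action="login" status="failed"
date=2024-05-01 time=10:00:07 type="event" subtype="system" level="alert" user="admin" srcip=203.0.113.9 action="login" status="failed"
date=2024-05-01 time=10:30:00 type="event" subtype="system" level="alert" user="admin" srcip=198.51.100.5 action="login" status="failed"
"""


def parse_kv(line: str) -> dict:
    """Split key=value / key="value" pairs; shlex strips the quotes for us."""
    out = {}
    for tok in shlex.split(line):
        k, _, v = tok.partition("=")
        out[k] = v
    return out


def brute_force_sources(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> list:
    """Source IPs with >= threshold failed logins inside any window-long span.
    Each IP is reported once, at the attempt that crossed the threshold."""
    recent = defaultdict(deque)
    flagged = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("action") != "login" or ev.get("status") != "failed":
            continue
        ts = datetime.fromisoformat(f"{ev['date']} {ev['time']}")
        q = recent[ev["srcip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["srcip"] not in flagged:
            flagged.append(ev["srcip"])
    return flagged


def block_script(ip: str, group: str = "auto-block") -> str:
    """FortiOS CLI that creates a /32 address object and appends it to the group.
    The group and the deny policy referencing it are assumed to pre-exist.
    The value is validated first: never splice raw log content into a CLI script."""
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError(f"refusing to build CLI from a non-IPv4 value: {ip!r}")
    name = f"blk-{ip}"
    return "\n".join([
        "config firewall address",
        f'    edit "{name}"',
        f"        set subnet {ip} 255.255.255.255",
        "    next",
        "end",
        "config firewall addrgrp",
        f'    edit "{group}"',
        f'        append member "{name}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for src in brute_force_sources(SAMPLE_LOGS):
        print(block_script(src))
```

The validation in block_script is the caveat worth remembering: a stitch that interpolates a log field into a CLI script is a command-injection path if the field can be attacker-influenced, so constrain it to the exact shape you expect before it reaches the action.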

59
MCQmedium

A network admin wants to use FortiClient's advanced threat protection features to detect ransomware behavior on endpoints. Which FortiClient feature should be enabled?

A.Advanced Threat Protection
B.Web Filtering
C.Application Firewall
D.Vulnerability Scan
AnswerA

ATP includes behavior-based detection for ransomware.

Why this answer

FortiClient's Advanced Threat Protection (ATP) includes endpoint detection and response capabilities such as ransomware behavior detection.

60
MCQmedium

Which Fortinet solution collects and correlates security events from multiple sources to provide a unified view of threats across the network?

A.FortiSIEM
B.FortiSandbox
C.FortiDeceptor
D.FortiEDR
AnswerA

FortiSIEM collects and correlates events from various sources.

Why this answer

FortiSIEM is the security information and event management product: it ingests logs and telemetry from Fortinet and third-party sources, normalizes them, and correlates them into incidents. FortiSOAR consumes those incidents for orchestration and playbook-driven response rather than correlating raw events itself, and FortiSOC is a service offering; the product that collects and correlates is FortiSIEM.

61
Multi-Selectmedium

A network admin is troubleshooting why FortiGate's antivirus is not detecting a known malware sample. The sample is detected by other scanners. Which two checks should the admin perform? (Choose two.)

Select 2 answers
A.Verify that the FortiGuard Antivirus subscription is active
B.Check that the file is not excluded by a file filter
C.Ensure the firewall policy is configured for proxy-based inspection
D.Check the antivirus database version against the latest available
E.Confirm that the antivirus profile has 'Scan on Delivery' enabled
AnswersA, D

Without a valid subscription, signatures are not updated.

Why this answer

The two most likely causes are an inactive FortiGuard Antivirus subscription (A), which stops signature updates, and an out-of-date AV database (D); both are visible with 'diagnose autoupdate versions' and on the FortiGuard licence page. The inspection mode (flow vs proxy) can affect what is caught, but it is a less likely reason for missing a known signature than stale definitions.

62
Multi-Selectmedium

A security administrator is configuring FortiSandbox integration to automatically block malicious files detected in email attachments. Which TWO actions are required to achieve this integration?

Select 2 answers
A.Configure FortiGate to submit files to FortiSandbox for analysis
B.Deploy FortiClient endpoints with full disk encryption
C.Configure FortiSandbox to send SNMP traps when a file is malicious
D.Enable FortiGate's machine learning engine on the antivirus profile
E.Enable 'Block malicious files detected by FortiSandbox' in the antivirus profile
AnswersA, E

File submission is required so FortiSandbox can analyze files.

Why this answer

To block malicious files detected by FortiSandbox, the FortiGate must submit files to FortiSandbox (A) and the antivirus profile must be configured to act on the returned verdict by blocking files FortiSandbox rates malicious (E). Options A and E are the correct steps.

63
Multi-Selectmedium

An administrator wants to create an automation stitch that responds to a high-severity IPS event by blocking the attacker IP. Which THREE components are required to build this automation stitch?

Select 3 answers
A.Trigger (e.g., IPS Event)
B.Schedule (e.g., run every hour)
C.Action (e.g., Block IP)
D.Target (e.g., FortiGate or FortiManager)
E.Condition (e.g., severity threshold)
AnswersA, C, D

Defines what event starts the stitch.

Why this answer

Option A is correct because an automation stitch in FortiOS requires a trigger to initiate the workflow. In this scenario, the IPS event trigger is specifically designed to fire when a high-severity IPS signature match occurs, providing the necessary event data (e.g., attacker IP) to pass to subsequent actions. Without a trigger, the stitch would have no starting point.

Exam trap

The trap here is that candidates often confuse 'Condition' as a separate component because they think of it like a firewall policy's 'if-then' logic, but in FortiOS automation stitches, filtering logic is embedded within the trigger definition, not a standalone object.

64
MCQmedium

An administrator wants to automatically block a file that FortiSandbox has determined to be malicious. The FortiGate is configured with an antivirus profile that includes FortiSandbox submission. Which verdict action should be set to 'block' in the antivirus profile to achieve this?

A.Exempted
B.Unknown
C.Malicious
D.Clean
AnswerC

The 'Malicious' verdict action will block files determined malicious by FortiSandbox.

65
MCQhard

An administrator wants to create an automation stitch that automatically blocks an IP address when a high-severity IPS alert is triggered. The administrator creates a trigger for 'IPS event' and an action of 'Add to Blocked IPs'. However, the action fails to execute. Which of the following is the most likely cause?

A.The automation stitch is set to execute every 5 minutes, not immediately
B.The blocked IP list has reached its maximum size
C.The IPS event trigger does not support IP address extraction
D.The admin account used to configure the stitch does not have permission to modify the blocked IP list
AnswerD

The action writes to firewall address or quarantine objects; if the admin profile associated with the stitch's configuration lacks write access to those objects, the action fails.

Why this answer

Option D is correct because the admin account used to configure the automation stitch must have the necessary permissions to modify the blocked IP list. In FortiOS, the automation stitch action 'Add to Blocked IPs' requires write access to the firewall address object or the blocked IP list. If the admin account has read-only or restricted privileges, the action will fail silently, even if the trigger and action are correctly configured.

Exam trap

The trap here is that candidates often assume the issue is with the trigger's capability (Option C) or a configuration timing problem (Option A), but FortiOS automation stitches are designed to extract IPs from IPS events, and the real bottleneck is almost always admin permissions, which is a subtle but critical detail in NSE7 exams.

How to eliminate wrong answers

Option A is wrong because a stitch that runs on an interval rather than immediately delays the action; it does not prevent the action from executing. Option B is wrong because the banned/blocked IP list has a finite maximum, but exhausting it would surface as a distinct capacity error, and the question gives no indication of a full list; the permission-related cause is far more common. Option C is wrong because the IPS event trigger in FortiOS does extract the source IP from the IPS log and passes it to the action; that is precisely what the trigger is designed to provide.

66
MCQeasy

What is the primary difference between using a Web Application Firewall (WAF) on FortiGate versus using FortiWeb?

A.There is no difference; they are the same.
B.FortiGate WAF is cloud-based, while FortiWeb is on-premises.
C.FortiWeb provides dedicated, advanced WAF features and higher performance for web traffic, while FortiGate WAF is a basic protection feature.
D.FortiGate WAF can protect multiple web servers simultaneously, while FortiWeb protects only one.
AnswerC

FortiWeb is a dedicated WAF appliance with more advanced capabilities; FortiGate includes a basic WAF profile.

67
Multi-Selectmedium

Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?

Select 2 answers
A.Data Leak Prevention (DLP)
B.SSL Inspection
C.FortiGuard Antivirus
D.FortiSandbox
E.Intrusion Prevention System (IPS)
AnswersC, D

Part of ATP for malware detection.

Why this answer

FortiGate's Advanced Threat Protection (ATP) suite is designed to detect and block advanced, unknown, and zero-day threats. FortiGuard Antivirus (C) is a core ATP component that uses signature-based and heuristics-based scanning to detect known malware at the gateway. FortiSandbox (D) extends this by detonating suspicious files in a virtual environment to identify unknown threats, making both integral to the ATP suite.

Exam trap

The trap here is that candidates often confuse core security functions (like IPS or DLP) with the components the exam associates most directly with advanced threat detection, namely FortiGuard Antivirus and FortiSandbox.

68
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate?

A.The session is in SYN_SENT state and cannot be established
B.The session is an established TCP session with about one hour remaining before timeout
C.The session is a UDP session using port 443
D.The session has a duration of 3600 seconds and will expire immediately
AnswerB

Established TCP session (state 01), duration 3600s, expire 3599s (about 1 hour).

Why this answer

The output shows a TCP session (proto=6) with proto_state=01, whose second digit (1) is the established state in the FortiOS session table. duration=3600 means the session has existed for about an hour, and expire=3599 is the countdown until the idle timeout tears it down; it is reset whenever traffic is seen, so the session has roughly one hour of idle time left. This matches option B. Note that 'diagnose sys session filter dport 443' only sets the filter; the session entries themselves are printed by 'diagnose sys session list'.

Exam trap

The trap here is that candidates often confuse the proto_state value 01 with SYN_SENT (which is 02) or assume the expire field indicates total session lifetime rather than remaining idle timeout.

How to eliminate wrong answers

Option A is wrong because proto_state=01 indicates an established TCP session, not SYN_SENT; SYN_SENT would be state 02. Option C is wrong because proto=6 is TCP, not UDP (UDP uses proto=17). Option D is wrong because expire=3599 means the session will expire in about 3599 seconds, not immediately; immediate expiry would show expire=0 or a very small value.
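A parser for this output, as an added example that is not part of the original page or of FortiOS: it reads the 'session info:' counters and the following 'hook=' 5-tuple line into records, decodes proto and the TCP state digit, and answers the triage questions an analyst actually asks (which sessions are established on a port, which are about to time out). The sample output is constructed and trimmed to the fields the question discusses; the proto_state decoding (second digit: 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN and SYN/ACK, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN; for UDP, a trailing 1 means a reply was seen) is the author's reading of the FortiOS session-table documentation and should be checked against your release.

```python
"""Parse `diagnose sys session list` output into triage-ready records.
Added example, not Fortinet's code; the sample output is constructed and
trimmed to the fields the question discusses.  The proto_state decoding is
the author's reading of the FortiOS session-table documentation; verify it
against your FortiOS release before relying on it."""
import re

SAMPLE_SESSIONS = """\
session info: proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.12:51234->93.184.216.34:443(203.0.113.1:51234)
session info: proto=6 proto_state=02 duration=5 expire=5 timeout=10 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.12:51235->93.184.216.34:443(203.0.113.1:51235)
session info: proto=17 proto_state=01 duration=20 expire=160 timeout=180 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.12:53001->1.1.1.1:53(203.0.113.1:53001)
session info: proto=6 proto_state=05 duration=4000 expire=1 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=post dir=org act=snat 10.0.0.12:51236->93.184.216.34:443(203.0.113.1:51236)
"""

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Second digit of proto_state for TCP (assumed mapping, see lead-in)
TCP_STATE = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_SYNACK",
             "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
             "8": "LAST_ACK", "9": "LISTEN"}

KV = re.compile(r"(\w+)=(\S+)")
TUPLE = re.compile(r"(\S+?):(\d+)->(\S+?):(\d+)")


def parse_sessions(text: str) -> list:
    """One dict per session: counters from the 'session info:' line, the
    5-tuple from the following 'hook=' line."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            cur = dict(KV.findall(line))
            cur["proto"] = int(cur["proto"])
            for k in ("duration", "expire", "timeout"):
                cur[k] = int(cur[k])
            cur["proto_name"] = PROTO.get(cur["proto"], str(cur["proto"]))
            digit = cur["proto_state"][-1]
            if cur["proto"] == 6:
                cur["state"] = TCP_STATE.get(digit, "UNKNOWN")
            else:
                cur["state"] = "REPLY_SEEN" if digit == "1" else "ONE_WAY"
            sessions.append(cur)
        elif cur is not None and line.startswith("hook="):
            m = TUPLE.search(line)
            if m:
                cur["src"], cur["dst"] = m.group(1), m.group(3)
                cur["sport"], cur["dport"] = int(m.group(2)), int(m.group(4))
    return sessions


def describe(s: dict) -> str:
    """One-line triage summary of a parsed session."""
    return (f"{s['proto_name']} {s['state']} {s['src']}:{s['sport']}->{s['dst']}:{s['dport']} "
            f"alive {s['duration']}s, idle-timeout in {s['expire']}s")


def expiring_soon(sessions: list, within: int = 5) -> list:
    """Sessions whose expire countdown is at or below `within` seconds; they
    will be torn down unless new traffic refreshes the timer."""
    return [s for s in sessions if s["expire"] <= within]


def established_on_port(sessions: list, dport: int) -> list:
    """Fully established TCP sessions to the given destination port."""
    return [s for s in sessions if s["proto"] == 6
            and s["state"] == "ESTABLISHED" and s["dport"] == dport]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_SESSIONS):
        print(describe(s))
```

Feed it the real output of 'diagnose sys session list' after setting your filter; the SYN_SENT entry with expire close to timeout and the TIME_WAIT entry at expire=1 are the two shapes most often mistaken for an established session when reading the raw dump.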

69
MCQmedium

An organization wants to prevent zero-day attacks by using Content Disarm and Reconstruction (CDR) on email attachments. Which Fortinet product provides this capability?

A.FortiWeb
B.FortiGate
C.FortiMail
D.FortiSandbox
AnswerC

FortiMail provides email security including CDR.

Why this answer

FortiMail is the correct answer because it natively integrates Content Disarm and Reconstruction (CDR) to sanitize email attachments by removing active content (e.g., macros, scripts, embedded objects) and rebuilding the file in a safe format. This prevents zero-day exploits that bypass signature-based detection, as CDR does not rely on threat intelligence but instead strips potentially malicious elements before delivery.

Exam trap

The trap here is that candidates often confuse FortiSandbox's dynamic analysis with CDR, assuming both provide proactive protection against zero-days, but FortiSandbox requires execution and detection, whereas CDR prevents exploitation by removing the attack surface entirely without relying on signatures or behavioral analysis.

How to eliminate wrong answers

Option A is wrong because FortiWeb is a web application firewall (WAF) that protects web servers from HTTP/HTTPS attacks (e.g., SQL injection, XSS) and does not process email attachments or provide CDR functionality. Option B is wrong because, although FortiGate offers CDR for files in traffic it proxies (including SMTP, POP3 and IMAP in proxy-based inspection), it is a network firewall rather than an email security gateway; the dedicated product that applies CDR within an email security pipeline, with the associated quarantine and delivery controls, is FortiMail. Option D is wrong because FortiSandbox is a separate advanced threat detection appliance that uses dynamic analysis (detonating files in a sandbox) to identify unknown malware, but it does not perform CDR; CDR proactively disarms attachments without execution, whereas FortiSandbox relies on behavioral analysis during execution.

70
MCQhard

A FortiGate is configured with an IPS sensor that has protocol anomaly detection enabled. The admin notices that legitimate VoIP traffic (SIP) is being blocked. Which action should the admin take to reduce false positives?

A.Change the IPS action from block to monitor
B.Add the VoIP servers to an IP exemption list in the IPS sensor
C.Disable protocol anomaly detection entirely
D.Tune the protocol anomaly thresholds to be more lenient for SIP
AnswerD

Tuning thresholds reduces false positives while maintaining security.

Why this answer

Option D is correct because protocol anomaly detection on the IPS sensor exposes per-protocol thresholds; relaxing them for SIP lets legitimate call signaling through while anomalies in other protocols are still detected. Option A would silence enforcement for every signature in the sensor, option B removes the VoIP servers from inspection entirely, and option C discards the whole capability; each trades away far more security than the false positive justifies.

71
Multi-Selectmedium

A security analyst wants to use automation stitches on FortiGate to automatically block an IP address when a critical severity event is logged. Which TWO components are essential to create this automation stitch? (Choose two.)

Select 2 answers
A.A FortiGuard subscription
B.A FortiAnalyzer to store logs
C.An action that adds the source IP to a firewall address group
D.A static route to the internet
E.A trigger that matches critical severity logs
AnswersC, E

The action defines the response, such as blocking the IP.

Why this answer

Options C and E are correct because the trigger (E) defines what event starts the automation, in this case logs matching critical severity, and the action (C) defines what the automation does, in this case adding the source IP to a firewall address group that a deny policy references. A FortiGuard subscription, FortiAnalyzer and a static route are not components of the stitch itself.

72
MCQmedium

An administrator needs to deploy a honeypot solution to detect and deceive attackers inside the network. Which Fortinet product is BEST suited for this purpose?

A.FortiDeceptor
B.FortiSandbox
C.FortiEDR
D.FortiNAC
AnswerA

FortiDeceptor provides honeypots and decoys to detect lateral movement.

Why this answer

FortiDeceptor is a dedicated deception-based security solution that deploys decoys (honeypots) and lures across the network to detect and misdirect attackers. It integrates with FortiGate and FortiSIEM to provide automated threat isolation and forensic data collection, making it the best choice for a honeypot deployment.

Exam trap

The trap here is that candidates may confuse FortiSandbox's file analysis with deception technology, but FortiSandbox does not deploy decoys or lures within the network for attacker interaction.

How to eliminate wrong answers

Option B (FortiSandbox) is wrong because it focuses on analyzing suspicious files and URLs in a sandboxed environment, not on deploying honeypots or decoys for attacker deception. Option C (FortiEDR) is wrong because it provides endpoint detection and response capabilities, including behavioral analysis and threat hunting, but does not include honeypot or deception technology. Option D (FortiNAC) is wrong because it is a network access control solution that manages device authentication and compliance, not a deception-based detection tool.

73
Multi-Selecthard

A security administrator wants to implement automated threat response using FortiGate automation stitches. Which THREE components are mandatory when creating an automation stitch? (Choose three.)

Select 3 answers
A.Schedule (e.g., daily at midnight)
B.Stitch name
C.Action (e.g., 'CLI Script', 'Add IP to Blocklist')
D.Trigger (e.g., 'Event Log' or 'FortiOS CLI')
E.Condition (e.g., filter on event type)
AnswersC, D, E

What happens when the stitch fires.

Why this answer

Option C is correct because an automation stitch requires at least one action to execute when triggered. Actions define the actual response, such as running a CLI script, adding an IP to a blocklist, or sending an email. Without an action, the stitch would have no effect on the network.

Exam trap

The trap here is that candidates often confuse 'mandatory components' with 'required fields in the GUI' — the stitch name is a required field in the GUI but is not a functional component of the automation logic, while the condition is often overlooked as optional but is considered mandatory in the NSE7 exam because it is essential for practical threat response filtering.

74
MCQhard

An administrator configured FortiGate to forward suspected malicious files to FortiSandbox. They set the action to 'block' for malicious verdicts. Some files are being blocked, but others with a 'clean' verdict are allowed. However, they notice that some files that should have been sent to FortiSandbox are not being forwarded. Which reason is MOST likely?

A.The FortiGate antivirus engine is set to proxy-based mode
B.The FortiGate has insufficient disk space for temporary files
C.The file size exceeds the maximum size configured for FortiSandbox scanning
D.The FortiSandbox device is overloaded and rejecting submissions
AnswerC

File size limits in the scanning profile prevent oversized files from being submitted to FortiSandbox.

Why this answer

Option C is correct. FortiGate uses a scanning profile that includes file size and type limits; if the file exceeds the maximum size configured for FortiSandbox submission, it will not be forwarded.

75
Multi-Selecthard

A security engineer wants to implement advanced threat protection for email using FortiMail. Which THREE features should be enabled to provide comprehensive protection against sophisticated email threats? (Choose three.)

Select 3 answers
A.URL rewriting and click-time protection
B.FortiSandbox integration for email attachments
C.Anti-Spam filter
D.DMARC verification
E.Attachment size limits
AnswersA, B, D

URL rewriting protects against phishing links.

Why this answer

URL rewriting and click-time protection (A) is correct because it proactively neutralizes malicious URLs in emails by rewriting them to route through FortiMail's proxy, enabling real-time inspection at the time of click. This defends against phishing and credential-harvesting attacks that use URLs to deliver payloads or steal credentials, even if the URL was benign at delivery time.

Exam trap

The trap here is that candidates often mistake basic anti-spam or administrative controls (like attachment size limits) for advanced threat protection features, overlooking that sophisticated threats require dynamic, behavior-based defenses such as URL rewriting, sandboxing, and email authentication protocols.
