Advanced Threat Protection practice questions

Practise Advanced Threat Protection questions for the Fortinet NSE 7 Advanced Security (NSE7) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Advanced Threat Protection

What the exam tests

What to know about Advanced Threat Protection

Advanced Threat Protection questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Advanced Threat Protection exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Advanced Threat Protection questions

A company is deploying FortiGate with Advanced Threat Protection (ATP) and wants to block advanced malware that uses encrypted C2 communications. Which security profile should be configured to perform SSL inspection and detect malicious traffic?

A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?

A security engineer is troubleshooting a scenario where FortiGate is not blocking a known malicious URL categorized as 'Malware'. The web filtering profile is configured with 'monitor all' for the Malware category. What change should be made to block the URL?

A company wants to detect and block phishing emails that contain malicious links. Which FortiGate security profile should be used?

A FortiGate administrator receives alerts about a device communicating with a known botnet C2 server. The traffic is encrypted with TLS. Which ATP feature is most effective to block this communication?

Which TWO features are part of FortiGate's Advanced Threat Protection (ATP) suite?

Which THREE actions should be taken to optimize FortiGate ATP performance while maintaining security?

Refer to the exhibit. An administrator notices that some malware files are not being detected by FortiGate. The antivirus profile uses flow-based scanning with FortiSandbox disabled. What is the most likely reason for missed detections?

Exhibit

config antivirus profile
    edit "default"
        set comment "Default antivirus"
        config http
            set options scan
            set av-scan mode=flow-based
            set fortisandbox inline-scan disable
            set quarantine enable
        end
        config ftp
            set options scan
            set av-scan mode=flow-based
            set fortisandbox inline-scan disable
            set quarantine enable
        end
        config smb
            set options scan
            set av-scan mode=flow-based
            set fortisandbox inline-scan disable
            set quarantine enable
        end
    next
end

Refer to the exhibit. A user reports that accessing a legitimate HTTPS website is blocked. The FortiGate logs show that the connection was denied by the antivirus profile. What is the most likely cause?

Exhibit

config firewall policy
    edit 1
        set name "Web Access"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.0.1.0/24"
        set dstaddr "10.0.2.0/24"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-profile "default"
        set application-list "default"
    next
end

Question 10 · hard · multiple choice

A large enterprise uses FortiGate as their perimeter firewall with ATP features enabled. They have a mix of internal users and remote VPN users. Recently, several remote users reported that their machines became infected with ransomware after connecting to the VPN. The IT team suspects that the ransomware entered through the VPN tunnel. The FortiGate has an antivirus profile applied to the VPN policy with SSL inspection enabled for all traffic. However, the logs show that no malware was detected. Upon investigation, the team finds that the remote users' machines are not managed by the company and do not have any endpoint protection. The ransomware was delivered via a spear-phishing email that the users opened on their remote machines. The email traffic passed through the VPN tunnel to the corporate mail server first, then back to the user. The FortiGate antivirus profile is configured to scan SMTP traffic but the email was sent from an external source to the corporate mail server, and the mail server uses STARTTLS to receive emails. The FortiGate does not perform SSL inspection on the SMTP traffic because the SMTP service is not included in the SSL inspection profile. What action should the administrator take to prevent this in the future?

Question 11 · medium · drag order

Drag and drop the steps to configure OSPF on a FortiGate firewall into the correct order.

Match each FortiGate security profile to its category.

Malware protection

URL and content filtering

DNS-based threat protection

Application visibility and control

Intrusion prevention

A network admin configures FortiGate to submit files to FortiSandbox for analysis. After submission, the FortiGate logs show that files are being sent but no verdict is returned. The FortiSandbox is reachable and licensed. What is the most likely cause?

An organization wants to protect against unknown malware by using machine learning on FortiGate. Which antivirus setting should be enabled to achieve this?

A FortiGate administrator wants to block a custom protocol anomaly where a client sends an HTTP request with a malformed header containing a null byte. Which advanced IPS feature should be used?

What is the primary purpose of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus features?

An organization uses FortiMail and wants to validate that incoming emails are from legitimate senders by checking the sender's domain against a published policy. Which two email authentication mechanisms can FortiMail use? (Choose two.)

A FortiGate admin runs 'diagnose ips anomaly list' and sees many 'tcp_src_session' events from a single internal IP. The admin suspects a scanning attack. What action should be taken to block this traffic without affecting legitimate traffic?

What is the primary function of FortiDeceptor in a network security architecture?

Question 20 · medium · multiple choice

An administrator configures an automation stitch on FortiGate to automatically block an IP address when a specific IPS signature triggers. What must be configured as the trigger and action?

Frequently asked questions

What does the NSE7 exam test about Advanced Threat Protection?
Advanced Threat Protection questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Advanced Threat Protection questions in a focused session?
Yes — the session launcher on this page draws every question from the Advanced Threat Protection domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other NSE7 topics?
Use the topic links above to move to related areas, or go back to the NSE7 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the NSE7 exam covers. They are not copied from any real exam or dump site.