CCNA Nse7 Atp Questions

75 of 169 questions · Page 2/3 · Nse7 Atp topic · Answers revealed

76
MCQhard

You run 'diagnose sys session filter dport 443' and see the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A.The session is timed out
B.The session is closing (FIN_WAIT)
C.The session is in SYN_SENT state, waiting for SYN-ACK
D.The session is fully established (proto_state=01 means established)
AnswerD

On a TCP session, proto_state=01 is the established state.

Why this answer

The output shows `proto=6` (TCP), `proto_state=01`, `duration=3600`, and `expire=3599`. For TCP sessions the FortiGate session table encodes proto_state as two digits, and the second digit is the TCP state: 0 NONE, 1 ESTABLISHED, 2 SYN_SENT, 3 SYN and SYN/ACK seen, 4 FIN_WAIT, 5 TIME_WAIT, 6 CLOSE, 7 CLOSE_WAIT, 8 LAST_ACK, 9 LISTEN. A trailing 1 therefore means the three-way handshake has completed and the session is passing traffic. The timers agree: expire=3599 is the idle timer counting down from the default session-ttl of 3600 seconds, which is what an established session that has just seen a packet looks like.

Exam trap

The trap here is reading `01` as a flag, or as "state 1 = first step of the handshake". The second digit is a state code, 1 is ESTABLISHED, and SYN_SENT is 2. A half-open session would also not carry an expire value near 3600, because sessions whose handshake has not completed run on the much shorter tcp-halfopen-timer (10 seconds by default).

How to eliminate wrong answers

Option A is wrong because the session still has 3599 seconds before it expires; a timed-out session is removed from the table rather than listed. Option B is wrong because FIN_WAIT is state 4, so a closing session would show a proto_state ending in 4 and would be on a short closing timer, not the full 3600-second TTL. Option C is wrong because SYN_SENT is state 2; a session waiting for the SYN-ACK shows a proto_state ending in 2 and would expire within the half-open timer, not in 3599 seconds.

77
Multi-Selectmedium

An administrator is investigating a security incident where a workstation is communicating with a known command and control (C2) server. The FortiGate has IPS enabled but did not block the traffic. Which TWO configuration issues could explain why the IPS did not detect the C2 communication? (Choose two.)

Select 2 answers
A.The firewall policy does not have SSL deep inspection enabled
B.The IPS sensor is configured in 'Inline' mode
C.The IPS sensor has 'Logging' disabled
D.The IPS sensor does not include signatures for the C2 protocol or pattern
E.The FortiGate is operating in 'Transparent' mode
AnswersA, D

Without SSL inspection, encrypted C2 traffic is invisible to IPS.

Why this answer

Option A is correct because without SSL deep inspection, the FortiGate cannot decrypt HTTPS traffic to inspect the payload for C2 signatures. IPS matches on decrypted content; if the C2 channel uses TLS, the engine only sees ciphertext and cannot match application-layer signatures. Enabling SSL deep inspection with a CA certificate the endpoints trust is required to decrypt and inspect the traffic. Option D is correct because IPS is signature-driven: if the sensor does not include a signature (or a filter that pulls in the relevant category) matching the C2 protocol or beacon pattern, the engine has nothing to match and the traffic passes even when it is in clear text.

Exam trap

The trap here is that candidates assume 'Inline' mode, 'Transparent' mode, or logging settings affect detection. Transparent mode only changes how the FortiGate forwards traffic, inline is simply how the IPS engine sits in the path, and logging only controls whether a match is recorded; none of them change whether the engine can see decrypted content or has a signature to match.

78
MCQmedium

An administrator configures an automation stitch on FortiGate to automatically block an IP address when a specific IPS signature triggers. What must be configured as the trigger and action?

A.Trigger: 'Event Log' with filter for the IPS signature; Action: 'Add IP to Blocklist'
B.Trigger: 'Incoming Webhook'; Action: 'CLI Script'
C.Trigger: 'FortiOS CLI'; Action: 'Alert Email'
D.Trigger: 'Schedule'; Action: 'Banned IP'
AnswerA

Event log triggers on specific log IDs; action adds IP to blocklist.

Why this answer

Option A is correct because an automation stitch in FortiGate requires a trigger that defines the event that starts the automation, and an action that defines what happens when the trigger fires. For automatically blocking an IP when a specific IPS signature triggers, the trigger must be 'Event Log' with a filter for that IPS signature, and the action must be 'Add IP to Blocklist', which directly adds the source IP to the FortiGate's blocklist (banned IP list). This combination ensures that when the IPS signature is logged, the stitch extracts the source IP and applies a block.

Exam trap

The trap here is that candidates confuse 'Banned IP' (a status or list) with the actual action name 'Add IP to Blocklist', or they mistakenly think a CLI script or webhook can directly react to an IPS event without the proper log-based trigger.

How to eliminate wrong answers

Option B is wrong because 'Incoming Webhook' is a trigger that waits for an external HTTP request, not for an IPS signature event; it cannot directly react to local IPS logs. Option C is wrong because 'FortiOS CLI' is not a valid trigger type in automation stitches; triggers are events like 'Event Log', 'Incoming Webhook', or 'Schedule', not CLI commands. Option D is wrong because 'Schedule' is a time-based trigger (e.g., daily at 2 AM), not an event-driven trigger for an IPS signature; 'Banned IP' is not a valid action name—the correct action is 'Add IP to Blocklist'.

79
Multi-Selectmedium

A company wants to use FortiMail to implement email authentication to prevent spoofing. Which THREE mechanisms should be configured in FortiMail's Authentication Profile?

Select 3 answers
A.DMARC
B.DKIM
C.S/MIME
D.TLS
E.SPF
AnswersA, B, E

SPF, DKIM and DMARC authenticate the sending domain; S/MIME and TLS do not.

Why this answer

SPF, DKIM, and DMARC are the three standard email authentication methods. SPF verifies the sending server's IP against the domain's published record, DKIM verifies a cryptographic signature over the message headers and body, and DMARC ties both results to the visible From domain and publishes the policy (none, quarantine, reject) to apply on failure. S/MIME provides end-to-end signing and encryption of individual messages, and TLS encrypts the transport between mail servers; neither tells the receiving server whether the sending domain is authorized.

80
MCQhard

An administrator configures a WAF profile on FortiGate to protect a web application. They notice that SQL injection attacks are not being blocked. What is the MOST likely reason?

A.The web application uses HTTPS without SSL inspection
B.The FortiGuard Web Filtering subscription is inactive
C.The WAF profile is set to monitor mode
D.The WAF profile is applied to the wrong firewall policy
AnswerB

WAF signatures are part of FortiGuard Web Filtering; without subscription, updates stop.

Why this answer

Option B is correct because the FortiGuard Web Filtering subscription provides the signature database required to detect and block SQL injection attacks within a WAF profile. Without an active subscription, the WAF profile cannot update or use the latest attack signatures, rendering it unable to identify SQL injection patterns even if the profile is enabled and applied correctly.

Exam trap

The trap here is that candidates often assume a WAF profile in monitor mode is the most likely cause of attacks not being blocked, but the question emphasizes 'most likely' and the inactive subscription is a more fundamental prerequisite for signature-based detection to function at all.

How to eliminate wrong answers

Option A is wrong in the keyed answer's reasoning only because SSL inspection is a separate prerequisite: with SSL deep inspection configured the WAF inspects the decrypted HTTP payload and can block SQL injection, and without it the WAF sees nothing on HTTPS at all, so in practice it is worth checking alongside the subscription. Option C is wrong because a WAF profile set to monitor mode would log attacks but not block them, which would be a plausible reason for SQL injection not being blocked, but the question asks for the 'most likely' reason, and an inactive FortiGuard subscription is a more fundamental issue that prevents signature-based detection entirely. Option D is wrong because applying the WAF profile to the wrong firewall policy would mean the profile is not applied to the traffic at all, but the administrator has already configured the profile and noticed it is not blocking attacks, implying the profile is applied; the issue is with the signature database, not policy application.

81
MCQhard

During a security incident, the SOC team receives an alert from FortiSIEM about a user accessing a known malicious IP. The team wants to automatically block the IP on the FortiGate. Which FortiGate feature can be used to create an automated response based on a threat intelligence feed?

A.Automation Stitch
B.Local-in Policy
C.FortiGuard Outbreak Prevention
D.FortiGate VPN
AnswerA

Automation Stitches combine triggers (e.g., threat feed update) with actions (e.g., add address to block list) to automate responses.

Why this answer

Option A is correct because Automation Stitch in FortiOS allows you to create automated responses triggered by events such as threat intelligence feeds. By configuring an Automation Stitch with an Incoming Webhook trigger that FortiSIEM calls when the alert fires, and an action that adds the IP to the FortiGate's ban list or to an address group used by a deny policy, the SOC team can block the malicious IP without manual intervention.

Exam trap

The trap here is that candidates often confuse Automation Stitch with FortiGuard Outbreak Prevention, thinking the latter can be directly triggered by a third-party alert, when in fact Outbreak Prevention is a passive, subscription-based feed that does not support custom automation from external sources like FortiSIEM.

How to eliminate wrong answers

Option B is wrong because Local-in Policy controls traffic destined to the FortiGate itself (e.g., management access), not traffic passing through the FortiGate, so it cannot block outbound traffic to a malicious IP. Option C is wrong because FortiGuard Outbreak Prevention is a subscription service that provides real-time threat intelligence and blocking for known outbreaks, but it does not allow custom automated responses based on a specific alert from FortiSIEM; it operates independently via FortiGuard updates. Option D is wrong because FortiGate VPN is a feature for secure remote access and site-to-site connectivity, not for automated threat response or IP blocking based on threat intelligence feeds.

82
MCQmedium

Which FortiMail advanced feature allows the administrator to rewrite URLs in email bodies to redirect users to a safe scanning service when they click on a link?

A.URL Rewriting
B.Attachment Filtering
C.Bounce Verification
D.Anti-Spam
AnswerA

URL Rewriting replaces links with rewritten URLs that go through FortiMail's link scanning.

Why this answer

URL Rewriting is the correct answer because it is a FortiMail advanced feature specifically designed to replace URLs in email bodies with rewritten links that redirect users through FortiMail's scanning service. When a user clicks the rewritten URL, FortiMail inspects the destination in real time for malicious content, such as phishing or malware sites, before allowing the redirect. This provides proactive protection against zero-hour threats by leveraging FortiGuard's web filtering and threat intelligence.

Exam trap

The trap here is that candidates often confuse URL Rewriting with Attachment Filtering, assuming both deal with malicious content, but URL Rewriting specifically targets links in the email body, not file attachments.

How to eliminate wrong answers

Option B (Attachment Filtering) is wrong because it focuses on scanning email attachments for malware or prohibited file types, not on rewriting URLs in email bodies. Option C (Bounce Verification) is wrong because it validates the authenticity of bounce messages to prevent backscatter spam, not URL manipulation. Option D (Anti-Spam) is wrong because it uses techniques like RBLs, greylisting, and heuristic analysis to filter unwanted bulk email, not to rewrite or scan URLs for malicious content.

83
MCQmedium

A network admin configures FortiGate to submit files to FortiSandbox for analysis. After submission, the FortiGate logs show that files are being sent but no verdict is returned. The FortiSandbox is reachable and licensed. What is the most likely cause?

A.The FortiGate is using proxy-based inspection instead of flow-based
B.The FortiSandbox server's IP is not added to the FortiGate's trusted hosts
C.The FortiGate does not have a FortiGuard Security Rating subscription
D.The antivirus profile is set to block without scanning
AnswerC

FortiSandbox verdicts are delivered via FortiGuard rating; without the subscription, verdicts are not returned.

Why this answer

Option C is correct because FortiGate requires a valid FortiGuard Security Rating subscription to receive verdicts from FortiSandbox. Without this subscription, the FortiGate can submit files and see them as sent in logs, but it cannot process the returned verdicts, resulting in no action taken on the files. The Security Rating subscription enables the communication channel for verdict retrieval, distinct from the basic FortiSandbox license.

Exam trap

The trap here is that candidates assume a licensed FortiSandbox alone is sufficient for verdict delivery, overlooking that FortiGate requires an additional FortiGuard Security Rating subscription to consume those verdicts.

How to eliminate wrong answers

Option A is wrong because proxy-based inspection does not prevent verdict retrieval; FortiGate can receive and act on FortiSandbox verdicts regardless of inspection mode, as verdicts are handled at the FortiGate-FortiSandbox communication level, not the inspection engine. Option B is wrong because trusted hosts are used for administrative access control to the FortiGate GUI/CLI, not for FortiSandbox communication; FortiSandbox connectivity relies on IP reachability and API keys, not trusted host lists. Option D is wrong because setting an antivirus profile to block without scanning would prevent file submission entirely, not cause a scenario where files are sent but no verdict is returned; the logs confirm submission occurred, ruling out this option.

84
MCQmedium

A FortiGate administrator is troubleshooting an issue where a legitimate application is being blocked by the IPS. The administrator wants to ensure the application works while maintaining protection for other traffic. What is the best action?

A.Disable the IPS sensor on the firewall policy
B.Apply an application control profile to allow the application
C.Create a custom IPS signature to pass the specific application traffic
D.Change the IPS signature action to 'monitor' for all signatures
AnswerC

Custom signature with 'pass' action allows the application while keeping other protections.

Why this answer

Option C is correct. Creating a custom IPS signature with a 'pass' action for the specific application traffic will allow it, while the default action (block) applies to others.

85
MCQmedium

An administrator needs to create a custom IPS signature to detect a specific exploit that sends a unique string 'EXPLOIT_2024' in the HTTP User-Agent header. Which IPS signature syntax should the administrator use?

A.F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "EXPLOIT_2024"; --context http-header;)
B.F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "User-Agent: EXPLOIT"; --service HTTP;)
C.F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "EXPLOIT_2024"; --service HTTP;)
D.F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "User-Agent: EXPLOIT_2024"; --service HTTP;)
AnswerD

This pattern matches the exact User-Agent header content.

Why this answer

Option D is correct because `--pattern "User-Agent: EXPLOIT_2024"` anchors the match to the header field name as well as the value, so the string is only matched where it appears as the User-Agent header, and `--service HTTP` restricts the signature to HTTP traffic. Together these detect the exploit string in the User-Agent header as required.

Exam trap

The trap here is the `--context` keyword. FortiGate custom signatures do support `--context`, but its values are `uri`, `header`, `body`, `host`, `banner` and `packet`; `http-header` is not one of them, so option A is invalid as written. Candidates who recognise `--context` from the syntax reference may pick A without checking the value.

How to eliminate wrong answers

Option A is wrong because `http-header` is not a valid `--context` value (the header context is `--context header`), so the signature would be rejected. Option B is wrong because 'User-Agent: EXPLOIT' is only a prefix of the required string; it would match the exploit, but also any User-Agent beginning with EXPLOIT, and the question asks for the specific string 'EXPLOIT_2024'. Option C is wrong because 'EXPLOIT_2024' with no header qualifier matches the string anywhere in the HTTP stream, including request bodies and responses, which produces false positives.
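The four signatures from this question can be compared mechanically. The block below is an added example, not Fortinet code and not the IPS engine: it parses the F-SBID option syntax into a dictionary, validates the `--context` value against the documented set, and applies a deliberately simplified matching model (pattern search over the whole request, or over headers/body/URI when `--context` narrows it, case-sensitive unless `--no_case` is present) to two constructed HTTP requests. The benign request carries the string only in a POST body, which is exactly the false positive option C produces.

```python
import re

# Contexts the FortiOS custom-signature syntax accepts for --context.
VALID_CONTEXTS = {"uri", "header", "body", "host", "banner", "packet"}

_SIG = re.compile(r"^F-SBID\s*\((.*)\)\s*$", re.S)
_OPT = re.compile(r'--(\w+)(?:\s+("[^"]*"|[^;\s]+))?\s*;')


def parse_fsbid(text):
    """Parse an F-SBID(...) signature into a dict of option -> value.

    Value-less flags such as --no_case map to an empty string.
    """
    m = _SIG.match(text.strip())
    if not m:
        raise ValueError("not an F-SBID signature")
    opts = {}
    for key, val in _OPT.findall(m.group(1)):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts[key] = val
    if "context" in opts and opts["context"] not in VALID_CONTEXTS:
        raise ValueError("invalid --context value: " + opts["context"])
    if "pattern" not in opts:
        raise ValueError("signature has no --pattern")
    return opts


def split_http(request):
    """Split a raw HTTP request into (start line + headers, body)."""
    head, _, body = request.partition("\r\n\r\n")
    return head, body


def matches(sig, request):
    """Simplified matching model: --context narrows where the pattern is searched;
    without it the whole request is searched.  Case-sensitive unless --no_case."""
    head, body = split_http(request)
    ctx = sig.get("context")
    if ctx == "header":
        haystack = head
    elif ctx == "body":
        haystack = body
    elif ctx == "uri":
        start_line = head.split("\r\n", 1)[0]
        haystack = start_line.split(" ")[1] if start_line.count(" ") >= 2 else ""
    else:
        haystack = request
    pattern = sig["pattern"]
    if "no_case" in sig:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


# Constructed traffic samples (not captured data).
EXPLOIT_REQUEST = (
    "GET /login HTTP/1.1\r\nHost: app.example\r\n"
    "User-Agent: EXPLOIT_2024\r\n\r\n"
)
BENIGN_REQUEST = (
    "POST /tickets HTTP/1.1\r\nHost: app.example\r\n"
    "User-Agent: Mozilla/5.0\r\nContent-Length: 48\r\n\r\n"
    "note=seen+string+EXPLOIT_2024+in+vendor+advisory"
)

# The four answer options from the question, verbatim.
SIG_A = 'F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "EXPLOIT_2024"; --context http-header;)'
SIG_B = 'F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "User-Agent: EXPLOIT"; --service HTTP;)'
SIG_C = 'F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "EXPLOIT_2024"; --service HTTP;)'
SIG_D = 'F-SBID(--name "Custom_Exploit"; --protocol tcp; --pattern "User-Agent: EXPLOIT_2024"; --service HTTP;)'


def evaluate(sig_text):
    """Return (hits exploit request, hits benign request), or the parse error text."""
    try:
        sig = parse_fsbid(sig_text)
    except ValueError as err:
        return str(err)
    return matches(sig, EXPLOIT_REQUEST), matches(sig, BENIGN_REQUEST)


if __name__ == "__main__":
    for label, sig in (("A", SIG_A), ("B", SIG_B), ("C", SIG_C), ("D", SIG_D)):
        print(label, evaluate(sig))
```

Running it shows A rejected at parse time, C hitting both requests, and B and D hitting only the exploit request; B is not wrong because it misses the exploit, but because its prefix pattern would also fire on any User-Agent that begins with EXPLOIT.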

86
MCQmedium

A network admin notices that files submitted to FortiSandbox from FortiGate are not being analyzed. The FortiGate has a valid FortiSandbox license and the device is reachable. What configuration step is most likely missing?

A.The FortiSandbox feature is not enabled in the VDOM settings
B.The antivirus profile has 'FortiSandbox Inline Scan' disabled
C.The FortiSandbox server IP is not configured under Security Fabric > Fabric Connectors
D.The FortiGate is not registered with FortiCloud
AnswerB

Inline scan must be enabled in the antivirus profile to send files to FortiSandbox.

Why this answer

FortiSandbox integration requires an antivirus profile with FortiSandbox inline scan enabled and the FortiSandbox server IP configured. If the profile is not applied to the firewall policy or the scan option is disabled, files will not be submitted.

87
MCQeasy

What is the primary function of Content Disarm and Reconstruction (CDR) in FortiGate's antivirus profile?

A.To detect and block zero-day malware using machine learning
B.To reconstruct files that were corrupted during transmission
C.To compress files for faster scanning
D.To remove active content and rebuild files to eliminate hidden threats
AnswerD

CDR strips potentially malicious elements and reconstructs a sanitized file.

Why this answer

CDR removes potentially dangerous content (like macros, scripts) from documents and then reconstructs a safe version, preventing exploits that might bypass signature-based detection.

88
MCQmedium

A network administrator wants to ensure that files downloaded from the internet are analyzed by FortiSandbox before being delivered to the client. The FortiGate is configured with a FortiSandbox connection and an antivirus profile. Which setting must be enabled in the antivirus profile to submit files to FortiSandbox?

A.FortiSandbox inline scanning
B.Enable Content Disarm and Reconstruction (CDR)
C.Enable Outbreak Prevention
D.Submit files to FortiSandbox
AnswerD

The antivirus profile includes a setting to submit files to FortiSandbox for analysis.

89
MCQhard

An administrator runs 'diagnose ips anomaly list' and sees many 'data_leak' events from a specific internal IP address. The IPS sensor has the default pre-defined signatures enabled. What additional step should the administrator take to block this specific anomaly?

A.Enable protocol anomaly detection in the antivirus profile
B.Create a custom IPS signature to match the anomaly pattern and apply it to the IPS sensor
C.Enable the 'data_leak' signature in the IPS sensor and set action to 'block'
D.Configure a firewall policy with application control to block the traffic
AnswerB

Custom signatures allow precise detection of protocol anomalies beyond pre-defined signatures.

Why this answer

Option B is correct because protocol anomalies require custom signatures to define the precise pattern or threshold, as pre-defined signatures may not cover specific behavior.

90
Multi-Selectmedium

An administrator needs to enable automation stitches to automatically block a malicious IP address detected by FortiSandbox. Which two components are required? (Choose two.)

Select 2 answers
A.A trigger that detects the FortiSandbox verdict
B.A static route to the malicious IP
C.An SSL certificate for the FortiGate
D.An action that adds the IP to a local threat feed
E.A firewall policy that allows the traffic
AnswersA, D

Trigger initiates the automation stitch.

Why this answer

Option A is correct because automation stitches require a trigger to initiate the workflow. In this scenario, the trigger must fire on the FortiSandbox verdict log (for example a malicious rating) to start the automated response. Option D is correct because the action is what actually enforces the block: adding the IP to a local threat feed or to the IP ban list that a deny policy consumes. Without a trigger, the stitch has nothing to react to; without an action, it reacts but changes nothing.

Exam trap

The trap here is that candidates often confuse the trigger requirement with other network components like routing or certificates, or mistakenly think a firewall policy allowing traffic is needed for the automation to work, when in fact the action modifies security policies to block the IP.

91
MCQhard

An administrator runs 'diagnose sys session filter dport 443' and sees the following output: proto=6 proto_state=01 duration=3600 expire=3599 What does this indicate about the session?

A.The session is a TCP connection that has been active for 3600 seconds and will expire in 3599 seconds
B.The session is a UDP DNS request
C.The session is being blocked by a firewall policy
D.The session is an SSL VPN tunnel
AnswerA

Correct interpretation of fields.

Why this answer

Option A is correct because the output shows 'proto=6' which indicates TCP (protocol 6), 'duration=3600' means the session has been active for 3600 seconds (1 hour), and 'expire=3599' means the session will expire in 3599 seconds. The 'proto_state=01' is a TCP state code indicating an established connection. This is a standard FortiGate diagnostic session output.

Exam trap

The trap here is that candidates may misinterpret 'proto=6' as a generic protocol number without recalling that protocol 6 is specifically TCP, leading them to incorrectly associate the output with UDP-based services like DNS or SSL VPN tunnels.

How to eliminate wrong answers

Option B is wrong because UDP is protocol 17, not 6, and DNS normally uses port 53. Option C is wrong because a flow that a policy denies does not get a tracked session with duration and expiry timers; the presence of those timers shows the session was accepted. Option D is wrong because nothing in the output identifies an SSL VPN tunnel: a TCP session to port 443 is consistent with any TLS connection, and the fields shown carry no tunnel or interface information. SSL VPN itself runs over TCP 443 to the FortiGate (with DTLS over UDP as an option), so `proto=6` alone would not rule it out; it is the absence of any tunnel indication that does.
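The session line in this question and in question 76 can be decoded the same way every time. The block below is an added example, not FortiOS code: it parses a `diagnose sys session list` style key=value line, decodes the TCP state from the last digit of `proto_state` using the FortiOS state table, and cross-checks the `expire` timer against the state. The timer check relies on the FortiOS defaults session-ttl 3600 s and tcp-halfopen-timer 10 s, which are tunable, and the sample lines are constructed rather than captured. Treatment of the leading digit (0 for flow-inspected sessions, 1 for proxy-handled ones) is the common reading and is noted as such in the code.

```python
import re

# Last digit of proto_state for TCP (proto=6) sessions, per the FortiOS session table.
TCP_STATES = {
    "0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
    "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
    "8": "LAST_ACK", "9": "LISTEN",
}
IP_PROTOS = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# FortiOS defaults; both are tunable, so adjust if the device is customised.
SESSION_TTL = 3600        # idle timeout of an established session (config system session-ttl)
TCP_HALFOPEN_TIMER = 10   # timeout while the three-way handshake is incomplete

_KV = re.compile(r"([A-Za-z_]+)=([^\s]+)")


def parse_session(line):
    """Split one key=value session line into a dict of strings."""
    return dict(_KV.findall(line))


def decode_tcp_state(proto_state):
    """Return the TCP state name encoded in the last digit of proto_state.

    Assumption: the leading digit is 0 for flow-inspected sessions and 1 for
    sessions handled by the proxy; only the last digit is decoded here.
    """
    return TCP_STATES.get(proto_state.zfill(2)[-1], "UNKNOWN")


def describe(line):
    """Interpret a session line and flag timer values that contradict the state."""
    f = parse_session(line)
    proto_num = f.get("proto", "?")
    result = {
        "proto": IP_PROTOS.get(proto_num, "proto " + proto_num),
        "state": None,
        "duration": int(f.get("duration", 0)),
        "expire": int(f.get("expire", 0)),
        "notes": [],
    }
    if proto_num == "6" and "proto_state" in f:
        state = decode_tcp_state(f["proto_state"])
        result["state"] = state
        # A half-open session lives on the short half-open timer; an expire
        # value near the full session TTL means the handshake has completed.
        if state == "SYN_SENT" and result["expire"] > TCP_HALFOPEN_TIMER:
            result["notes"].append("expire exceeds tcp-halfopen-timer; re-check the state decoding")
        if state == "ESTABLISHED" and result["expire"] > SESSION_TTL:
            result["notes"].append("expire exceeds session-ttl; a custom policy timeout is in effect")
    return result


# Constructed sample lines in the shape of 'diagnose sys session list' output.
ESTABLISHED_LINE = "proto=6 proto_state=01 duration=3600 expire=3599 timeout=3600 flags=0 sockflag=0 sockport=0 av_idx=0 use=3"
HALF_OPEN_LINE = "proto=6 proto_state=02 duration=1 expire=9 timeout=10 flags=0 sockflag=0 sockport=0 av_idx=0 use=3"
UDP_LINE = "proto=17 proto_state=00 duration=5 expire=175 timeout=180 flags=0 sockflag=0 sockport=0 av_idx=0 use=3"

if __name__ == "__main__":
    for line in (ESTABLISHED_LINE, HALF_OPEN_LINE, UDP_LINE):
        print(describe(line))
```

The timer cross-check is the practitioner's sanity test for this question: if someone insists that `01` means SYN_SENT, an expire value of 3599 on a 10-second half-open timer cannot be explained, whereas it is exactly what an established session on the default 3600-second TTL shows.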

92
MCQeasy

Which FortiGate IPS feature allows administrators to create rules that detect network traffic patterns deviating from normal protocol behavior?

A.Rate-based signatures
B.Custom signatures
C.Protocol anomaly
D.Geo-IP blocking
AnswerC

Protocol anomaly detection is specifically for detecting deviations from protocol standards.

Why this answer

Protocol anomaly detection in FortiGate IPS allows administrators to define rules that identify deviations from standard protocol behavior as defined by RFCs. Unlike signature-based detection, which matches known attack patterns, protocol anomaly detection flags traffic that violates expected protocol structures, such as malformed packets or illegal flag combinations. This enables the detection of zero-day exploits and protocol abuse without requiring a pre-existing signature.

Exam trap

The trap here is that candidates confuse 'protocol anomaly' with 'custom signatures' or 'rate-based signatures,' assuming any custom rule or threshold-based detection can identify protocol deviations, but FortiGate specifically reserves protocol anomaly for RFC-based behavioral analysis, not pattern matching or volumetric thresholds.

How to eliminate wrong answers

Option A is wrong because rate-based signatures are designed to detect traffic patterns based on thresholds (e.g., connections per second) rather than deviations from normal protocol behavior; they focus on volume anomalies, not protocol compliance. Option B is wrong because custom signatures are user-defined patterns (e.g., using the FSL language) that match specific content or byte sequences, not protocol deviations; they rely on known attack signatures, not behavioral analysis. Option D is wrong because Geo-IP blocking filters traffic based on geographic source or destination IP addresses, which is unrelated to protocol behavior or anomaly detection.

93
MCQmedium

A company uses FortiMail for email security. They want to prevent email spoofing by verifying that incoming emails originate from authorized servers. Which email authentication method should be configured on FortiMail to check the sending server's IP against a published SPF record?

A.SPF verification
B.DKIM verification
C.DMARC verification
D.Sender Policy Framework (SPF) is not supported on FortiMail
AnswerA

SPF checks if the sending IP is authorized by the domain's SPF record.
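The SPF check in this question, and the way DMARC builds on it in question 79, can be followed end to end with a small evaluator. The block below is an added example, not FortiMail code: it evaluates an SPF record (ip4, ip6, include and all terms only; a, mx, exists and redirect are not modelled) against a sender IP, then applies the SPF half of DMARC, checking that the MAIL FROM domain is aligned with the From header domain and returning the published disposition. DKIM is not modelled, so a message can only pass here through aligned SPF. The DNS records, domains and addresses are constructed (RFC 5737 / documentation ranges), and organisational-domain alignment is simplified to a suffix comparison.

```python
import ipaddress

# Constructed DNS TXT data standing in for live lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record for sender_ip (ip4/ip6/include/all only)."""
    if depth > 10:                      # RFC 7208 lookup limit
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(term[4:], strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:"):
            # include: only counts as a match when the included record passes.
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # a:/mx:/exists:/redirect= are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def aligned(from_domain, mailfrom_domain, strict):
    """SPF identifier alignment: exact match when strict, else same organisational
    domain.  Organisational-domain detection is simplified to a suffix comparison."""
    if from_domain == mailfrom_domain:
        return True
    if strict:
        return False
    return mailfrom_domain.endswith("." + from_domain) or from_domain.endswith("." + mailfrom_domain)


def dmarc_disposition(from_domain, mailfrom_domain, sender_ip):
    """Return (spf result, aligned?, disposition) using only the SPF path of DMARC."""
    policy = parse_tags(DNS_TXT.get("_dmarc." + from_domain, ""))
    if policy.get("v") != "DMARC1":
        return "none", False, "none"
    spf = spf_check(mailfrom_domain, sender_ip)
    ok = aligned(from_domain, mailfrom_domain, policy.get("aspf", "r") == "s")
    if spf == "pass" and ok:
        return spf, ok, "pass"
    return spf, ok, policy.get("p", "none")


if __name__ == "__main__":
    print("legitimate:", dmarc_disposition("example.com", "example.com", "192.0.2.10"))
    print("spoofed:   ", dmarc_disposition("example.com", "attacker.example", "203.0.113.5"))
```

The spoofed case is the one the question is about: SPF for the attacker's MAIL FROM domain returns none, the identifiers are not aligned with the From header, and the published p=reject is what FortiMail would enforce.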

94
MCQmedium

An administrator is deploying FortiClient with ATP features. They want to ensure that if a process is detected as malicious by the FortiClient machine learning engine, the endpoint is isolated from the network. Which configuration should they use?

A.Create a firewall policy to block traffic from that endpoint
B.Enable 'auto-network-access' in the FortiClient profile
C.Configure an automation stitch with trigger 'FortiClient event' and action 'quarantine endpoint'
D.Enable 'FortiClient quarantine' in the antivirus profile
AnswerC

Automation stitches can respond to FortiClient events and isolate the endpoint.

Why this answer

Option C is correct. Automation stitches allow triggering an action (here, quarantining the endpoint through EMS) when a specific event (a malicious process detected by FortiClient) occurs. The detection generates a log event that the stitch's trigger matches, and the quarantine action isolates the host from the network.

95
MCQhard

A FortiGate administrator runs the following CLI command: 'diagnose ips anomaly log' The output shows numerous 'tcp_syn_flood' events from a single source IP. To mitigate this, the administrator wants to block the source IP automatically. Which feature should be used?

A.IPS Custom Signature
B.Local-in Policy
C.IP Block List
D.Automation Stitch
AnswerD

Automation stitches can automate responses to events like syn flood.

Why this answer

Automation stitches can trigger an action (like adding the source IP to a threat feed or blocking it) based on a condition such as IPS anomaly events.
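What an Event Log trigger actually does, for the IPS signature case in question 78 and the anomaly case here, is filter incoming logs by log ID and field values and hand the source IP to the action. The block below is an added example modelling that filter in Python; it is not Fortinet code and not the stitch engine. The log lines are constructed, and the event numbers used (16384 for an IPS signature log, 18432 for an IPS anomaly log) are assumptions taken from commonly seen FortiOS log IDs; confirm them against the device's own log reference before building a trigger on them.

```python
import re

# FortiOS logs are space-separated key=value pairs; values may be double-quoted.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed event numbers (the last six digits of the 10-digit logid).
IPS_SIGNATURE_ID = 16384
IPS_ANOMALY_ID = 18432


def parse_log(line):
    """Parse one FortiOS log line into a dict, stripping quotes from values."""
    fields = {}
    for key, val in _TOKEN.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def event_id(logid):
    """The 10-digit logid ends in the event number that an Event Log trigger filters on."""
    return int(logid) % 1_000_000


class EventLogTrigger:
    """Model of a stitch trigger: event-type event-log, one or more log IDs,
    plus optional exact-match field filters (for example attack="...")."""

    def __init__(self, logids, **field_filters):
        self.logids = set(logids)
        self.field_filters = field_filters

    def matches(self, fields):
        if "logid" not in fields or event_id(fields["logid"]) not in self.logids:
            return False
        return all(fields.get(k) == v for k, v in self.field_filters.items())


def ips_to_ban(lines, trigger):
    """Return the source IPs an 'Add IP to Blocklist' action would receive."""
    banned = set()
    for line in lines:
        fields = parse_log(line)
        if trigger.matches(fields) and "srcip" in fields:
            banned.add(fields["srcip"])
    return banned


# Constructed sample logs (not captured data).
SAMPLE_LOGS = [
    'date=2024-03-01 time=10:22:31 logid="0419016384" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" srcip=10.1.1.5 srcport=51234 dstip=203.0.113.9 dstport=80 action="detected" '
    'attack="Custom_Exploit" severity="critical" msg="Custom signature matched"',
    'date=2024-03-01 time=10:22:40 logid="0420018432" type="utm" subtype="ips" eventtype="anomaly" '
    'level="alert" srcip=10.1.1.77 srcport=40000 dstip=203.0.113.9 dstport=443 action="clear_session" '
    'attack="tcp_syn_flood" severity="critical"',
    'date=2024-03-01 time=10:22:41 logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.1.1.5 dstip=203.0.113.9 action="accept"',
    'date=2024-03-01 time=10:23:02 logid="0419016384" type="utm" subtype="ips" eventtype="signature" '
    'level="alert" srcip=10.1.1.9 srcport=52000 dstip=203.0.113.9 dstport=80 action="detected" '
    'attack="Some.Other.Signature" severity="low"',
]

SIGNATURE_TRIGGER = EventLogTrigger([IPS_SIGNATURE_ID], attack="Custom_Exploit")
ANOMALY_TRIGGER = EventLogTrigger([IPS_ANOMALY_ID], attack="tcp_syn_flood")
ANY_SIGNATURE_TRIGGER = EventLogTrigger([IPS_SIGNATURE_ID])

if __name__ == "__main__":
    print("question 78 trigger bans:", ips_to_ban(SAMPLE_LOGS, SIGNATURE_TRIGGER))
    print("syn flood trigger bans:  ", ips_to_ban(SAMPLE_LOGS, ANOMALY_TRIGGER))
    print("unfiltered signature log:", ips_to_ban(SAMPLE_LOGS, ANY_SIGNATURE_TRIGGER))
```

The third trigger is the caveat: a log ID without a field filter bans the source of every IPS signature hit, including low-severity noise, which on a real network quickly becomes a self-inflicted denial of service. Filter on the attack name or severity, and keep the ban's expiry short.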

96
Multi-Selecthard

A network security team is evaluating options for web application security. They need to protect a critical web application from SQL injection and cross-site scripting (XSS) attacks, and they require granular control over HTTP request parameters. Which THREE factors should influence their decision between using FortiGate's WAF profiles versus deploying a dedicated FortiWeb appliance?

Select 3 answers
A.FortiGate's WAF supports integration with FortiSandbox for file upload inspection
B.FortiGate's WAF profiles offer the same level of customization as FortiWeb for signature creation
C.FortiWeb can perform SSL offloading and load balancing, reducing load on the web servers
D.FortiWeb provides dedicated hardware and software optimized for web application security, offering higher throughput and lower latency for WAF processing
E.FortiWeb allows creation of custom signatures for application-layer attacks like SQL injection and XSS with greater flexibility
AnswersC, D, E

FortiWeb can handle SSL termination and distribute traffic, which is beneficial for performance.

Why this answer

FortiWeb provides deep application-layer inspection, custom signatures, and high throughput for WAF without impacting other security functions. FortiGate's built-in WAF is limited in comparison.

97
MCQhard

An administrator runs 'diagnose ips anomaly http' and sees many entries with 'type=SQLi' and 'score=0'. What does a score of 0 indicate?

A.The anomaly detection is disabled
B.The traffic showed suspicious patterns but did not meet the threshold
C.The IPS sensor is not applied to any policy
D.The traffic is definitely an SQL injection attack
AnswerB

Score 0 means no anomaly above threshold; it's a low-confidence event.

Why this answer

In Fortinet's IPS anomaly detection, a score of 0 indicates that the traffic exhibited suspicious patterns (e.g., SQLi signatures) but did not accumulate enough anomaly points to meet the configured threshold for triggering an action. This means the traffic was flagged as potentially malicious but was not deemed severe enough to warrant logging or blocking, so it remains in a 'monitoring' state without enforcement.

Exam trap

The trap here is that candidates assume a score of 0 means 'no threat' or 'disabled', but Fortinet uses 0 to indicate a sub-threshold detection that is still tracked, not a lack of detection.

How to eliminate wrong answers

Option A is wrong because a score of 0 does not indicate that anomaly detection is disabled; if detection were disabled, the 'diagnose ips anomaly http' command would not show any entries for that traffic. Option C is wrong because the IPS sensor not being applied to any policy would result in no IPS inspection at all, not a score of 0 with SQLi type entries; the presence of entries proves the sensor is applied. Option D is wrong because a score of 0 explicitly means the traffic did not meet the threshold to be classified as a definite attack; a score above the threshold would indicate a confirmed SQL injection attempt.

98
MCQhard

A FortiGate admin runs 'diagnose ips anomaly list' and sees many 'tcp_src_session' events from a single internal IP. The admin suspects a scanning attack. What action should be taken to block this traffic without affecting legitimate traffic?

A.Create a firewall rule to block the IP address entirely
B.Create a custom IPS signature to detect and block the scanning pattern
C.Enable 'tcp_src_session' anomaly action to 'block' in the IPS sensor
D.Use a WAF profile to block the IP based on rate
AnswerB

A custom signature can precisely target the scan behavior.

Why this answer

Option B is correct because creating a custom IPS signature allows you to define specific patterns (e.g., multiple TCP SYN packets to different ports from the same source) that match scanning behavior, and then set the action to 'block'. This granular approach blocks only the malicious scanning traffic while permitting legitimate traffic from the same IP, unlike a blanket IP block or a global anomaly action that could impact normal sessions.

Exam trap

The trap here is that candidates often confuse anomaly-based detection (which triggers on aggregate session counts) with signature-based detection (which matches specific packet patterns), leading them to choose Option C, not realizing that blocking the anomaly would indiscriminately drop all traffic from the source IP, including legitimate sessions.

How to eliminate wrong answers

Option A is wrong because blocking the entire IP address would also drop any legitimate traffic from that host, which is too aggressive and not required if only scanning behavior needs to be stopped. Option C is wrong because enabling 'tcp_src_session' anomaly action to 'block' in the IPS sensor would block all traffic from that source IP once the anomaly threshold is exceeded, including legitimate sessions, and does not differentiate between scanning and normal traffic. Option D is wrong because a WAF profile is designed for HTTP/HTTPS web application traffic and cannot block TCP-based scanning patterns at the network layer; it would not inspect or rate-limit raw TCP SYN floods or port scans.

99
Multi-Selecthard

An administrator is configuring FortiMail to improve email security. Which three of the following features are part of FortiMail's advanced threat protection? (Choose three.)

Select 3 answers
A.Web Filtering
B.Application Control
C.Email Authentication (SPF, DKIM, DMARC)
D.Content Disarm and Reconstruction (CDR)
E.Sandboxing (integration with FortiSandbox)
AnswersC, D, E

FortiMail supports email authentication protocols.

Why this answer

Email Authentication (SPF, DKIM, DMARC) is part of FortiMail's advanced threat protection because it verifies sender identity and prevents email spoofing and phishing. SPF checks the sending server's IP against authorized records, DKIM uses cryptographic signatures to ensure message integrity, and DMARC provides policy enforcement for alignment. These mechanisms collectively reduce the risk of domain impersonation and are integral to FortiMail's anti-phishing capabilities.

Exam trap

The trap here is that candidates confuse FortiGate's UTM features (Web Filtering, Application Control) with FortiMail's specialized email security features, leading them to select options that are not part of FortiMail's advanced threat protection.

100
Multi-Selectmedium

A FortiGate administrator wants to use threat intelligence feeds to block known malicious IP addresses. Which TWO steps are required to accomplish this? (Choose two.)

Select 2 answers
A.Create an external threat feed connector pointing to the IoC source
B.Enable IPS on all policies
C.Configure FortiGuard to push feeds automatically
D.Create a firewall policy with the threat feed as the source or destination
E.Subscribe to FortiSandbox
AnswersA, D

The connector fetches the list of malicious IPs.

Why this answer

Options A and D are correct because the external threat feed connector must first be configured to fetch the IoC list (A), and then a firewall policy that uses that feed as its source or destination must be created (D) so the matching traffic is actually blocked.

101
MCQmedium

An administrator configures a WAF profile on FortiGate to protect a web application. However, the administrator notices that SQL injection attacks are not being blocked. What should the administrator check first?

A.The SQL injection signatures are enabled in the WAF profile
B.The WAF profile is attached to the correct firewall policy
C.The FortiGate has a valid Advanced Web Protection subscription
D.The web application is using HTTPS and SSL inspection is configured
AnswerA

WAF profiles have signature sets; SQL injection must be enabled.

Why this answer

WAF signatures must be enabled in the WAF profile for the corresponding attack class to be detected. If the SQL injection signatures are disabled, SQL injection attempts will pass through uninspected, so this is the first thing to verify before checking policy attachment, licensing, or SSL inspection.

102
MCQmedium

A network administrator has configured FortiGate to send files to FortiSandbox for analysis. However, files are not being submitted. The administrator checks the FortiGate configuration and sees that the FortiSandbox server IP is correctly entered. What is the most likely cause of the issue?

A.A firewall policy is blocking communication to FortiSandbox on port 514
B.The FortiSandbox is not licensed for file submission
C.The file type is not supported by FortiSandbox
D.The FortiGate antivirus profile is set to flow-based inspection
AnswerA

FortiGate communicates with FortiSandbox via TCP port 514 (or custom). A missing or blocking policy would prevent file submission.

Why this answer

The most likely cause is that a firewall policy is blocking communication to FortiSandbox on port 514. FortiGate uses port 514 (syslog) to submit files to FortiSandbox, and if this port is blocked by an intermediate firewall or an implicit deny policy, the submission will fail even if the server IP is correctly configured. The administrator should verify that traffic to the FortiSandbox IP on UDP/TCP 514 is permitted by all relevant policies.

Exam trap

The trap here is that candidates often assume the issue is with the FortiSandbox configuration (licensing or file support) rather than a basic network connectivity problem, especially since the FortiGate's own policy may not show a block if the blocking occurs upstream.

How to eliminate wrong answers

Option B is wrong because FortiSandbox licensing is not required for file submission; licensing is only needed for cloud-based FortiSandbox or advanced features, and the question does not specify a cloud deployment. Option C is wrong because unsupported file types would be skipped or logged, not prevent all files from being submitted; the issue is that no files are being submitted at all. Option D is wrong because flow-based inspection does not block file submission to FortiSandbox; it affects how antivirus scanning is performed but does not impact the connectivity or submission protocol to the sandbox.

103
MCQeasy

Which of the following best describes the function of FortiDeceptor in an enterprise network?

A.It provides endpoint detection and response (EDR) capabilities on workstations.
B.It deploys decoys and lures to detect attackers inside the network.
C.It acts as a web application firewall for protecting web servers.
D.It provides sandboxing for advanced malware analysis.
AnswerB

FortiDeceptor uses deception technology to detect lateral movement.

104
Multi-Selecthard

Which THREE actions should be taken to optimize FortiGate ATP performance while maintaining security?

Select 3 answers
A.Implement allow lists for trusted IP addresses to bypass scanning
B.Disable unnecessary security profiles to reduce CPU load
C.Enable proxy-based inspection for all traffic
D.Enable flow-based inspection for antivirus and IPS
E.Use SSL certificate inspection only for trusted categories
AnswersA, D, E

Bypassing scanning for trusted sources improves performance.

Why this answer

Implementing allow lists for trusted IP addresses to bypass scanning (Option A) reduces unnecessary processing of traffic that is known to be safe, thereby optimizing FortiGate ATP performance without compromising security. This approach leverages the FortiGate's ability to exempt trusted sources from deep inspection, which lowers CPU and memory load while maintaining protection for untrusted traffic.

Exam trap

The trap here is that candidates often assume disabling security profiles (Option B) is acceptable for performance optimization, but the question explicitly requires maintaining security, making this a violation of the core constraint.

105
MCQeasy

Which Fortinet product is designed specifically to detect and deceive attackers by creating decoy systems and luring them away from real assets?

A.FortiDeceptor
B.FortiSandbox
C.FortiEDR
D.FortiWeb
AnswerA

FortiDeceptor uses decoys to detect and divert attackers.

Why this answer

FortiDeceptor is Fortinet's dedicated deception-based threat detection solution. It creates realistic decoy systems (honeypots) and lures attackers away from real assets, providing early detection and threat intelligence without relying on signatures. This aligns with the question's specific requirement for a product designed to detect and deceive attackers using decoys.

Exam trap

The trap here is that candidates often confuse FortiSandbox's sandboxing (which also uses isolated environments) with deception technology, but sandboxing analyzes files while deception lures attackers with decoys.

How to eliminate wrong answers

Option B (FortiSandbox) is wrong because it is a malware analysis and detection platform that executes suspicious files in a sandboxed environment to identify threats, not a deception technology that creates decoy systems. Option C (FortiEDR) is wrong because it focuses on endpoint detection, response, and real-time threat hunting on endpoints, not on deploying decoys to lure attackers. Option D (FortiWeb) is wrong because it is a web application firewall (WAF) that protects web servers from application-layer attacks, not a deception-based system for luring attackers away from assets.

106
MCQmedium

An organization uses FortiWeb to protect its web applications. The security team wants to block requests that contain a specific custom pattern in the URL. Which feature should be used?

A.Inline Protection Profile
B.Custom Attack Signature
C.URL Access Rule
D.Web Application Firewall Policy
AnswerB

Custom signatures define patterns to block.

Why this answer

FortiWeb allows creating custom attack signatures to match specific patterns in requests.

107
MCQeasy

What is the primary purpose of Content Disarm and Reconstruction (CDR) in advanced antivirus protection?

A.To detect and block known malware using signature-based detection
B.To reconstruct files by removing potentially malicious active content such as macros and scripts
C.To submit files to FortiSandbox for behavioral analysis
D.To encrypt files in transit to prevent interception
AnswerB

CDR strips active content and rebuilds files to prevent exploits.

108
MCQmedium

An organization wants to implement a solution that can detect and automatically respond to threats across multiple Fortinet security products. Which product should they use?

A.FortiManager
B.FortiSIEM
C.FortiSOAR
D.FortiAnalyzer
AnswerC

FortiSOAR orchestrates and automates incident response workflows across security tools.

Why this answer

Option C is correct because FortiSOAR provides security orchestration, automation, and response (SOAR) to coordinate responses across different products.

109
MCQeasy

What is the primary purpose of FortiGuard Outbreak Prevention service?

A.To provide proactive protection against zero-day and fast-spreading threats
B.To provide real-time threat intelligence feeds to third-party SIEM systems
C.To automatically patch vulnerabilities in FortiGate firmware
D.To block all traffic from IP addresses listed in a community-based blocklist
AnswerA

Outbreak Prevention uses AI and heuristics to detect and block emerging threats quickly.

Why this answer

FortiGuard Outbreak Prevention is designed to provide proactive protection against zero-day and fast-spreading threats by leveraging real-time threat intelligence from FortiGuard Labs. It automatically updates security policies and signatures to block emerging threats before they become widespread, reducing the window of vulnerability.

Exam trap

The trap here is that candidates often confuse Outbreak Prevention with general threat intelligence feeds or community blocklists, but the service specifically targets automated, proactive blocking of fast-spreading threats before signatures are fully developed.

How to eliminate wrong answers

Option B is wrong because FortiGuard Outbreak Prevention is not primarily for feeding threat intelligence to third-party SIEM systems; that function is served by FortiSIEM or FortiAnalyzer via syslog or API integrations. Option C is wrong because FortiGuard Outbreak Prevention does not patch FortiGate firmware; firmware patching is handled through FortiGuard Firmware Update service or manual upgrade processes. Option D is wrong because it does not rely on a community-based blocklist; instead, it uses curated, dynamic threat intelligence from FortiGuard Labs, not user-contributed lists.

110
MCQeasy

An organization wants to prevent users from downloading malicious files from the internet. Which FortiGate security profile should be applied to the outbound firewall policy to block files based on their hash if they have been identified as malicious by FortiSandbox?

A.Application Control profile
B.IPS profile
C.Antivirus profile
D.Web Filter profile
AnswerC

Antivirus profile can use FortiSandbox verdicts to block files by hash.

Why this answer

FortiSandbox verdicts (malicious/clean) are stored and checked by the antivirus profile. When a file hash matches a malicious verdict, the antivirus profile blocks it.

111
Multi-Selecthard

A FortiGate administrator is troubleshooting why a custom IPS signature is not triggering on traffic matching the pattern. Which TWO checks should be performed?

Select 2 answers
A.Check the signature's severity level in the IPS sensor
B.Ensure the FortiGate is in proxy-based inspection mode
C.Confirm the IPS sensor is applied to the correct firewall policy
D.Verify the signature uses the correct protocol decoder
E.Verify that the custom signature is enabled in the IPS sensor
AnswersC, E

Without policy attachment, no inspection occurs.

Why this answer

Custom IPS signatures must be enabled in the IPS sensor and applied to a firewall policy that processes the traffic.

112
MCQhard

A FortiGate admin sees the following log: 'Action=blocked, Service=HTTP, Application=Outbreak, File=invoice.doc, ThreatScore=95'. What is the MOST likely explanation for this block?

A.The file was blocked by FortiGuard outbreak prevention
B.The file was blocked by the machine learning engine
C.The file was blocked by FortiSandbox verdict
D.The file was blocked by a custom IPS signature
AnswerA

Outbreak prevention uses threat scores and is logged as 'Outbreak' in the application field.

Why this answer

The log entry shows 'Application=Outbreak' and 'ThreatScore=95', which are specific indicators of FortiGuard outbreak prevention. FortiGuard outbreak prevention uses real-time threat intelligence to block files associated with widespread malware campaigns before traditional signatures are updated. The 'Outbreak' application tag and high threat score directly correspond to this feature, not to machine learning, sandbox verdicts, or custom IPS signatures.

Exam trap

The trap here is that candidates confuse 'Outbreak' with a generic malware detection term, not realizing it is a specific FortiGuard feature with its own log field, distinct from machine learning, sandbox, or IPS-based blocks.

How to eliminate wrong answers

Option B is wrong because the machine learning engine in FortiGate uses behavioral analysis and static file analysis to detect unknown malware, but it does not generate an 'Application=Outbreak' tag; that tag is specific to FortiGuard outbreak prevention. Option C is wrong because a FortiSandbox verdict would appear in logs as 'Action=blocked' with 'Application=Sandbox' or 'Verdict=malicious', not 'Application=Outbreak'. Option D is wrong because a custom IPS signature would log 'Action=blocked' with 'Signature=...' or 'IPS=...', not 'Application=Outbreak' or 'ThreatScore=95'.

113
Multi-Selecthard

A FortiGate administrator wants to use automation stitches to respond to a detected threat. The trigger is 'event' and the action is to quarantine the source IP. Which TWO actions can be used in FortiGate automation stitches to achieve IP quarantine?

Select 2 answers
A.Send an email to the administrator
B.CLI script that runs 'diagnose user quarantine add'
C.Execute a CLI script that adds a firewall address object and policy to block the IP
D.Use the 'execute fortishield' command in a CLI script
E.Log the event to FortiAnalyzer
AnswersB, C

The 'diagnose user quarantine add' command adds an IP to the quarantine list; a CLI script that creates an address object and a blocking policy achieves the same effect through the firewall configuration.

114
MCQeasy

Which Fortinet product is designed to deploy decoy systems to lure attackers and detect lateral movement within the network?

A.FortiSandbox
B.FortiDeceptor
C.FortiSOAR
D.FortiEDR
AnswerB

FortiDeceptor deploys decoys to detect and deceive attackers.

Why this answer

Option B is correct because FortiDeceptor creates decoys (honeypots) to attract and detect attackers, providing early warning of breaches and lateral movement.

115
MCQmedium

An administrator wants to create an automation stitch that sends a webhook notification when an IPS attack is detected. Which trigger and action should be used?

A.Trigger: 'IPS Event'; Action: 'Webhook'
B.Trigger: 'FortiGuard'; Action: 'Quarantine'
C.Trigger: 'System Event'; Action: 'Email'
D.Trigger: 'Incoming Webhook'; Action: 'IPS Event'
AnswerA

IPS event triggers the stitch, and webhook action sends the notification.

Why this answer

The correct answer is A because an automation stitch requires a trigger that matches the event type and an action that performs the desired response. 'IPS Event' is the correct trigger for detecting an IPS attack, and 'Webhook' is the action that sends an HTTP POST request to a configured endpoint, which is the standard method for webhook notifications in FortiOS.

Exam trap

The trap here is that candidates confuse 'IPS Event' with 'System Event' or 'FortiGuard', or mistakenly think 'Incoming Webhook' is a trigger for outbound notifications, when in fact it is for receiving external triggers.

How to eliminate wrong answers

Option B is wrong because 'FortiGuard' is a trigger for FortiGuard threat intelligence updates, not for IPS events, and 'Quarantine' is an action for isolating compromised hosts, not for sending webhook notifications. Option C is wrong because 'System Event' is a trigger for system-level events like interface status changes, not for IPS attacks, and 'Email' is an action for sending email alerts, not webhook notifications. Option D is wrong because 'Incoming Webhook' is a trigger for receiving external webhooks, not for detecting IPS attacks, and 'IPS Event' is a trigger, not an action.

116
MCQmedium

Refer to the exhibit. A user reports that accessing a legitimate HTTPS website is blocked. The FortiGate logs show that the connection was denied by the antivirus profile. What is the most likely cause?

A.The antivirus profile detected a false positive in the encrypted traffic
B.The application list blocked the HTTPS application
C.The IPS profile blocked a vulnerability in the website
D.The protocol options profile blocked the SSL handshake
AnswerA

Deep inspection decrypts traffic, and antivirus may incorrectly flag legitimate content.

Why this answer

Option A is correct because the antivirus (AV) profile on FortiGate performs deep inspection of HTTPS traffic by decrypting it, scanning the content, and re-encrypting it. If the AV signature database contains a false positive for a legitimate website's content (e.g., a benign JavaScript file matching a malware signature), the connection will be denied. The log explicitly states the denial was by the AV profile, not by any other security profile, making a false positive in encrypted traffic the most likely cause.

Exam trap

The trap here is that candidates may confuse the security profile that generated the log entry (antivirus) with other profiles (application control, IPS, protocol options) that could also block HTTPS traffic, but the log's explicit attribution to the AV profile eliminates those possibilities.

How to eliminate wrong answers

Option B is wrong because the log shows the connection was denied by the antivirus profile, not by an application control profile; the application list blocking HTTPS would generate a log entry from the application control module, not the AV module. Option C is wrong because an IPS profile blocking a vulnerability would generate a log entry from the IPS sensor, not the antivirus profile, and the log explicitly attributes the denial to the AV profile. Option D is wrong because the protocol options profile blocking the SSL handshake would produce a log from the SSL inspection module or a protocol violation, not from the antivirus profile, and the connection was denied after inspection, not during the handshake.

117
MCQeasy

Which FortiGate security feature removes potentially malicious active content from files (e.g., macros, scripts) before delivering them to end users?

A.Antivirus
B.Data Leak Prevention
C.File Filter
D.Content Disarm and Reconstruction
AnswerD

CDR removes active content to neutralize threats.

Why this answer

Content Disarm and Reconstruction (CDR) sanitizes files by removing active content.

118
MCQeasy

What is the role of FortiGuard Outbreak Prevention in FortiGate's security suite?

A.To deliver real-time threat intelligence and block fast-spreading outbreaks
B.To provide offline signature updates for antivirus
C.To perform sandbox analysis of files
D.To manage endpoint security policies
AnswerA

Outbreak Prevention uses FortiGuard's real-time data.

Why this answer

FortiGuard Outbreak Prevention is a real-time threat intelligence service that proactively blocks fast-spreading outbreaks by delivering immediate signature updates and threat data to FortiGate devices. Unlike scheduled updates, it uses a push mechanism to rapidly deploy protections against emerging threats, reducing the window of vulnerability during zero-day or widespread attacks.

Exam trap

The trap here is that candidates often confuse Outbreak Prevention with regular antivirus signature updates or sandboxing, but the key distinction is that Outbreak Prevention is a real-time, push-based service for fast-spreading threats, not a scheduled or offline update mechanism.

How to eliminate wrong answers

Option B is wrong because offline signature updates are handled by FortiGuard's regular antivirus update service, not Outbreak Prevention, which requires an active internet connection for real-time intelligence. Option C is wrong because sandbox analysis is performed by FortiSandbox, a separate product that integrates with FortiGate but is not part of Outbreak Prevention's role. Option D is wrong because managing endpoint security policies is the function of FortiClient or FortiEDR, not FortiGate's Outbreak Prevention service.

119
MCQmedium

An administrator configures an automation stitch to respond to a high severity event. The trigger is 'event' and the action is 'CLI script'. What must be defined for the action to execute properly?

A.An API token for authentication
B.A FortiManager to execute the script
C.An email server to send the script output
D.A valid CLI script that contains commands to be executed on the FortiGate
AnswerD

The action type 'CLI script' requires a script to be defined with the commands.

120
MCQhard

A company uses an advanced antivirus profile with machine learning engine enabled. After a recent outbreak, several files that were previously undetected are now flagged. How does the outbreak prevention feature help in this situation?

A.It downloads the latest ML models from FortiGuard to detect new threats
B.It sends all files to FortiSandbox for analysis
C.It quarantines all files for 24 hours until a signature is released
D.It blocks all executable files from being downloaded
AnswerA

Outbreak prevention provides immediate updates to ML models to catch new outbreaks.

Why this answer

Option A is correct because outbreak prevention uses FortiGuard to push real-time updates, including new ML models, to detect emerging threats quickly.

121
MCQhard

A company uses FortiMail to protect email. They set up DMARC with a policy of 'quarantine' for emails failing SPF and DKIM checks. However, legitimate emails from a third-party service are being quarantined. What should the admin do?

A.Add the sender domain to a whitelist in FortiMail
B.Change the DMARC policy to 'none'
C.Disable DMARC checking for that specific sender
D.Update the SPF record to include the third-party mail server IP
AnswerD

Adding the IP to SPF allows the service to pass SPF check, reducing false quarantines.

Why this answer

Option D is correct because the admin should identify the third-party service's sending IPs and add them to the domain's SPF record (or configure DKIM signing for that service) so that the messages align with DMARC and are no longer quarantined.

122
MCQeasy

An administrator wants to secure email traffic by ensuring that incoming emails are verified against the sender's domain SPF record. Which email authentication method provides this verification?

A.DKIM
B.SPF
C.DMARC
D.S/MIME
AnswerB

SPF verifies sender IP against domain's authorized servers.

Why this answer

Option B is correct. SPF (Sender Policy Framework) checks if the sending IP is authorized by the domain's SPF record in DNS.

123
MCQeasy

Which feature in FortiMail provides an additional layer of protection by analyzing the behavior of email attachments in a sandbox environment?

A.Outbreak Prevention
B.Anti-spam
C.Content Disarm and Reconstruction
D.FortiSandbox integration
AnswerD

FortiSandbox integration sends attachments to the sandbox for dynamic analysis.

Why this answer

Option D is correct. FortiMail integrates with FortiSandbox to analyze attachment behavior in a sandbox, providing advanced threat detection beyond signature-based methods.

124
MCQhard

An administrator configures a custom IPS signature to detect traffic to a specific malicious domain. Which syntax is correct for a custom IPS signature in FortiGate?

A.config ips custom signature edit "malicious_domain" set signature "alert tcp any any -> any any (msg:"malicious"; content:"example.com";)" end
B.config firewall policy edit 1 set ips-filter "malicious_domain" end
C.set ips-sensor custom-signature "malicious_domain" pattern "example.com"
D.F-SBID( --name "malicious_domain"; --pattern "example.com"; --service HTTP; )
AnswerD

This is the correct FortiGate custom IPS signature syntax using F-SBID.

125
MCQhard

Refer to the exhibit. An administrator notices that some malware files are not being detected by FortiGate. The antivirus profile uses flow-based scanning with FortiSandbox disabled. What is the most likely reason for missed detections?

A.Flow-based scanning is less thorough than proxy-based
B.FortiSandbox inline-scan is disabled, so unknown malware is not analyzed
C.Quarantine is enabled, which causes files to be dropped before scanning
D.The antivirus profile is not applied to the firewall policy
AnswerB

Without FortiSandbox, new malware may not be detected by signatures alone.

Why this answer

Flow-based scanning inspects files as they traverse the firewall, but it relies on signatures and heuristics for detection. Without FortiSandbox inline-scan enabled, unknown or zero-day malware that does not match existing signatures will not be sent to the sandbox for behavioral analysis, so it can pass undetected. Option B correctly identifies that disabling FortiSandbox removes the ability to analyze unknown threats, which is the most likely reason for missed detections.

Exam trap

The trap here is that candidates often assume flow-based scanning is always less thorough than proxy-based, but the real issue is the lack of FortiSandbox integration for unknown malware analysis, not the scanning mode itself.

How to eliminate wrong answers

Option A is wrong because flow-based scanning is not inherently less thorough than proxy-based; it uses a single-pass, low-latency approach that can still detect known malware effectively, and the question specifies that FortiSandbox is disabled, not that flow-based scanning is the cause. Option C is wrong because quarantine is a post-detection action that stores files after they are flagged as malicious; it does not cause files to be dropped before scanning, and enabling quarantine would not prevent detection. Option D is wrong because the question states that the antivirus profile is applied to the firewall policy (the administrator notices missed detections, implying the profile is in use), and if it were not applied, no malware would be detected at all, not just some files.

126
Multi-Selectmedium

An organization uses FortiMail and wants to validate that incoming emails are from legitimate senders by checking the sender's domain against a published policy. Which two email authentication mechanisms can FortiMail use? (Choose two.)

Select 1 answer
A.DKIM and DMARC
B.STARTTLS and SPF
C.DMARC and SPF
D.SPF and DKIM
AnswersD

SPF verifies the sending IP; DKIM verifies the message signature.

Why this answer

FortiMail can use SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to validate that incoming emails originate from legitimate senders by checking the sender's domain against a published policy. SPF verifies that the sending IP address is authorized by the domain's DNS TXT record, while DKIM uses a digital signature in the email header that can be validated against a public key published in the sender's DNS. Both mechanisms allow FortiMail to authenticate the sender's domain before accepting the message.

Exam trap

The trap here is that candidates often confuse DMARC as an authentication mechanism when it is actually a policy framework that relies on SPF and DKIM results, leading them to select options that include DMARC instead of the two core authentication protocols.

127
Multi-Selectmedium

Which TWO email authentication mechanisms does FortiMail support to verify sender identity and reduce spoofing? (Choose two.)

Select 2 answers
A.DMARC (Domain-based Message Authentication, Reporting & Conformance)
B.SPF (Sender Policy Framework)
C.STARTTLS
D.S/MIME
E.DKIM (DomainKeys Identified Mail)
AnswersB, E

SPF checks whether the sending IP is authorized by the domain; DKIM checks the cryptographic signature on the message.

Why this answer

FortiMail supports SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) as email authentication mechanisms to verify sender identity and reduce spoofing. SPF allows the domain owner to publish authorized sending IP addresses in DNS TXT records, while DKIM uses a digital signature added to the email header, verified against a public key in the sender's DNS. Both are core components of email authentication that FortiMail can enforce or validate.

Exam trap

The trap here is that candidates confuse DMARC as an authentication mechanism rather than a policy framework that relies on SPF and DKIM results, and they may also mistake STARTTLS or S/MIME for sender verification when they are actually transport or message security protocols.

128
Multi-Selecthard

An administrator is investigating an alert from FortiEDR indicating a suspicious process on an endpoint. The administrator wants to gather more context. Which TWO sources can provide threat intelligence to enrich the investigation?

Select 2 answers
A.Local antivirus signature database
B.FortiGate traffic logs
C.FortiGuard Outbreak Prevention
D.Third-party threat intelligence feeds
E.FortiClient local cache
AnswersC, D

FortiGuard Outbreak Prevention provides real-time threat intelligence about outbreaks.

Why this answer

Options C and D are correct. FortiGuard Outbreak Prevention and third-party threat feeds provide external threat intelligence about indicators of compromise.

129
MCQhard

A FortiGate administrator receives a report that a user downloaded a malicious PDF file. The antivirus profile has machine learning engine enabled, CDR enabled, and FortiSandbox integration. However, the file was allowed. The log shows: 'file=malicious.pdf, action=allow, ml_score=85, cd_result=clean, sandbox=not_submitted'. What is the most likely reason the file was not submitted to FortiSandbox?

A.The file size exceeded the maximum file size for FortiSandbox submission
B.CDR reconstructed the file, making it appear clean
C.The machine learning engine scored the file as clean (score below threshold)
D.The file was excluded by a file type filter in the antivirus profile
AnswerA

FortiSandbox has a configurable file size limit; files larger than that are not submitted.

Why this answer

FortiSandbox submission is controlled by file size limits. If the PDF exceeds the maximum file size configured for submission, it will not be sent. The default limit is often around 10 MB, but can be configured.

130
MCQhard

A large enterprise uses FortiGate as their perimeter firewall with ATP features enabled. They have a mix of internal users and remote VPN users. Recently, several remote users reported that their machines became infected with ransomware after connecting to the VPN. The IT team suspects that the ransomware entered through the VPN tunnel. The FortiGate has an antivirus profile applied to the VPN policy with SSL inspection enabled for all traffic. However, the logs show that no malware was detected. Upon investigation, the team finds that the remote users' machines are not managed by the company and do not have any endpoint protection. The ransomware was delivered via a spear-phishing email that the users opened on their remote machines. The email traffic passed through the VPN tunnel to the corporate mail server first, then back to the user. The FortiGate antivirus profile is configured to scan SMTP traffic but the email was sent from an external source to the corporate mail server, and the mail server uses STARTTLS to receive emails. The FortiGate does not perform SSL inspection on the SMTP traffic because the SMTP service is not included in the SSL inspection profile. What action should the administrator take to prevent this in the future?

A.Disable STARTTLS on the corporate mail server to force plaintext SMTP
B.Add SMTP to the SSL inspection profile to decrypt and scan email traffic
C.Require remote users to install endpoint protection with FortiClient
D.Block all SMTP traffic from remote VPN users
AnswerB

This allows the antivirus to inspect encrypted SMTP traffic and detect malware.

Why this answer

Option B is correct because the FortiGate's antivirus profile is configured to scan SMTP traffic, but the email was encrypted via STARTTLS, and SMTP is not included in the SSL inspection profile. By adding SMTP to the SSL inspection profile, the FortiGate can decrypt the SMTP traffic, allowing the antivirus engine to inspect the email content for malware, including ransomware delivered via spear-phishing.

Exam trap

The trap here is that candidates assume the antivirus profile is sufficient because it is applied to the VPN policy and includes SMTP scanning, but they overlook that SSL inspection must be explicitly configured for the SMTP service to decrypt STARTTLS-encrypted traffic before scanning can occur.

How to eliminate wrong answers

Option A is wrong because disabling STARTTLS on the mail server would force plaintext SMTP, but this does not address the root cause—the FortiGate is already configured to scan SMTP traffic; the issue is that the traffic is encrypted and not being decrypted for inspection. Option C is wrong because requiring remote users to install FortiClient endpoint protection is a good security practice but does not solve the immediate problem of the FortiGate not inspecting encrypted SMTP traffic; the ransomware entered through the VPN tunnel and was not detected due to lack of SSL inspection on SMTP. Option D is wrong because blocking all SMTP traffic from remote VPN users would prevent legitimate email communication and is an overly restrictive measure; the goal is to inspect the traffic, not block it entirely.

131
MCQ · easy

Which FortiGate security feature can reconstruct files to remove potentially malicious content while preserving the file's usability?

A. Antivirus outbreak prevention
B. Content Disarm and Reconstruction
C. FortiSandbox
D. IPS application control
Answer: B

CDR disinfects files by removing active content and rebuilding them.

Why this answer

Content Disarm and Reconstruction (CDR) is the correct answer because it actively removes potentially malicious content—such as macros, scripts, or embedded objects—from files (e.g., Office documents, PDFs) and then reconstructs a clean, usable version. Unlike detection-based approaches, CDR eliminates threats by sanitizing the file structure itself, ensuring the file remains functional for the end user while blocking exploits.

Exam trap

The trap here is that candidates often confuse FortiSandbox's detection capabilities with CDR's proactive sanitization, mistakenly thinking sandboxing can reconstruct files when it only analyzes and blocks them.

How to eliminate wrong answers

Option A is wrong because Antivirus outbreak prevention relies on signature-based detection and blocking of known malware patterns, not on file reconstruction or sanitization. Option C is wrong because FortiSandbox uses behavioral analysis and sandboxing to detect unknown threats, but it does not reconstruct files to remove malicious content; it only provides verdicts and can block or quarantine files. Option D is wrong because IPS application control focuses on detecting and preventing network-level attacks and application misuse, not on file-level content sanitization or reconstruction.

132
Multi-Select · hard

An administrator is configuring automation stitches to respond to a detected ransomware outbreak. Which THREE components are essential for an automation stitch?

Select 3 answers
A. Schedule
B. Condition
C. Log device
D. Action
E. Trigger
Answers: B, D, E

Conditions refine when the action should be taken.

Why this answer

Options A, C, and D are correct. An automation stitch requires a trigger (event), a condition (optional but often used), and an action (response).

133
Multi-Select · easy

An administrator is configuring FortiMail to be more secure against advanced email threats. Which THREE features should they enable to protect against email-based phishing attacks?

Select 3 answers
A. DKIM signing/verification
B. CDR (Content Disarm and Reconstruction)
C. FortiSandbox inline scanning
D. SPF verification
E. DMARC policy enforcement
Answers: A, D, E

DKIM verifies message integrity and sender domain.

Why this answer

Options A, B, and E are correct. SPF, DKIM, and DMARC are email authentication standards that help verify sender identity and prevent spoofing/phishing.

134
MCQ · medium

A network administrator notices that several endpoints are infected with ransomware despite having FortiGate ATP enabled. The logs show that the files were downloaded over HTTPS, and the antivirus profile did not detect them. What is the most likely reason?

A. SSL inspection was not enabled on the antivirus profile
B. Application control profile blocked the download
C. FortiSandbox was not configured to analyze the files
D. IPS signature database was outdated
Answer: A

Without SSL inspection, encrypted traffic bypasses antivirus scanning.

Why this answer

FortiGate ATP's antivirus engine cannot inspect encrypted HTTPS traffic unless SSL inspection is explicitly enabled on the antivirus profile. Without SSL inspection, the antivirus profile only sees encrypted payloads and cannot match file signatures or heuristics, allowing ransomware to pass undetected. The logs confirm files were downloaded over HTTPS, making this the most likely root cause.

Exam trap

The trap here is that candidates assume FortiGate's antivirus can automatically inspect HTTPS traffic because it is part of the ATP suite, but FortiGate requires explicit SSL inspection configuration to decrypt and scan encrypted downloads.

How to eliminate wrong answers

Option B is wrong because an application control profile blocks applications or categories, not files; it would not prevent the download of a ransomware file over HTTPS unless the application itself (e.g., a specific browser) was blocked, which is unrelated to the antivirus detection failure. Option C is wrong because FortiSandbox is an additional analysis layer that can detect unknown threats, but the primary reason the file was not detected is that the antivirus profile never saw the decrypted content; even if FortiSandbox were configured, it would not receive the file for analysis without SSL inspection. Option D is wrong because an outdated IPS signature database affects intrusion prevention, not antivirus file scanning; IPS signatures are for network-level attacks, not for detecting malware in downloaded files, and the antivirus engine uses its own signature database.

135
MCQ · medium

A network administrator notices that FortiGate is not blocking a known malicious file that was submitted to FortiSandbox and received a 'malicious' verdict. The firewall policy includes a FortiSandbox inline scan profile. What is the MOST likely cause?

A. The antivirus signature database is outdated
B. The FortiSandbox license has expired
C. The FortiSandbox is not configured as an inline scanner in the antivirus profile
D. The file is larger than the maximum file size allowed for scanning
Answer: C

Inline scanning requires configuration in the antivirus profile to forward files to FortiSandbox for real-time analysis and enforce blocking based on verdict.

Why this answer

Option A is correct because inline scanning requires the FortiSandbox to be configured as the inline scanner in the antivirus profile. If only a scheduled scan or a separate FortiSandbox is used for analysis, the inline blocking will not occur.

136
MCQ · hard

A security analyst is investigating a phishing email that bypassed email security. The email's headers show SPF=pass, DKIM=pass, but DMARC=quarantine. The email was delivered to the inbox. What is the most likely reason DMARC did not block or quarantine the email?

A. The email was sent from a subdomain not covered by DMARC
B. The SPF and DKIM alignment checks passed, so DMARC treated the email as authentic
C. The DMARC record had a pct (percentage) of less than 100
D. The DMARC policy was set to 'none'
Answer: B

DMARC uses alignment of SPF and DKIM. If both pass, DMARC passes, and the policy (quarantine) is not triggered.

Why this answer

Option B is correct because DMARC uses SPF and DKIM alignment to determine authenticity. When both SPF and DKIM pass and are aligned (i.e., the domain in the From header matches the domain used in SPF/DKIM), DMARC considers the email authentic and applies the policy accordingly. In this case, the DMARC policy was set to 'quarantine', but because alignment checks passed, DMARC treated the email as legitimate and allowed delivery to the inbox, rather than quarantining it.

Exam trap

Fortinet often tests the misconception that a DMARC policy of 'quarantine' or 'reject' will always block or quarantine emails that fail SPF or DKIM, but the trap here is that DMARC only applies its policy when both SPF and DKIM fail alignment; if either passes alignment, DMARC considers the email authentic and does not enforce the policy.

How to eliminate wrong answers

Option A is wrong because if the email was sent from a subdomain not covered by DMARC, DMARC would not apply at all, and the email would be subject to the parent domain's policy only if the subdomain is explicitly included; however, the question states DMARC=quarantine, indicating DMARC did apply. Option C is wrong because a pct value less than 100 would only reduce the percentage of emails subject to the DMARC policy, but the email still passed alignment, so DMARC would not quarantine it regardless of the pct setting. Option D is wrong because if the DMARC policy was set to 'none', DMARC would not quarantine or reject the email, but the header shows DMARC=quarantine, meaning the policy was indeed set to quarantine, yet the email was delivered because alignment passed.

137
MCQ · easy

What is the primary function of FortiDeceptor in a network security architecture?

A. To provide network access control for endpoints
B. To aggregate logs from multiple security devices
C. To lure attackers into interacting with decoys and generate alerts
D. To detect and block malware at the endpoint
Answer: C

FortiDeceptor uses decoys to detect lateral movement.

Why this answer

FortiDeceptor is a deception-based threat detection solution that deploys decoys (fake assets) across the network to lure attackers. When an attacker interacts with a decoy, FortiDeceptor generates a high-fidelity alert, enabling early detection of lateral movement or reconnaissance without relying on signatures.

Exam trap

The trap here is that candidates confuse FortiDeceptor's deception-based detection with endpoint protection or log aggregation, but the exam specifically tests that its primary function is to lure attackers into interacting with decoys and generate alerts.

How to eliminate wrong answers

Option A is wrong because network access control for endpoints is the function of FortiNAC, not FortiDeceptor, which focuses on deception rather than admission control. Option B is wrong because log aggregation from multiple security devices is the role of FortiAnalyzer or a SIEM, not FortiDeceptor, which generates its own alerts from decoy interactions. Option D is wrong because detecting and blocking malware at the endpoint is the domain of FortiEDR or endpoint security solutions, whereas FortiDeceptor does not execute or block code on endpoints.

138
Multi-Select · medium

An organization wants to implement email authentication to prevent spoofing. Which TWO standards should they configure? (Choose two.)

Select 2 answers
A. SPF
B. DMARC
C. TLS
D. STARTTLS
E. DKIM
Answers: A, E

SPF specifies which servers are authorized to send email.

Why this answer

SPF (Sender Policy Framework) is correct because it allows the domain owner to publish a list of authorized sending IP addresses in a DNS TXT record, enabling receiving mail servers to verify that the email originated from an approved source. DKIM (DomainKeys Identified Mail) is correct because it adds a digital signature to email headers, which the receiving server validates against a public key published in DNS, ensuring the message was not tampered with and truly came from the claimed domain. Together, SPF and DKIM form the foundational layers of email authentication that DMARC builds upon.

Exam trap

Fortinet often tests the distinction between authentication standards (SPF, DKIM) and transport security protocols (TLS, STARTTLS), leading candidates to mistakenly select TLS or STARTTLS as anti-spoofing measures when they only provide encryption, not sender verification.

139
MCQ · hard

A FortiGate administrator wants to block a custom protocol anomaly where a client sends an HTTP request with a malformed header containing a null byte. Which advanced IPS feature should be used?

A. Create a custom IPS signature to match the null byte pattern
B. Enable 'Outbreak Prevention' in the IPS sensor
C. Use the 'http-policy' setting in the WAF profile
D. Enable Protocol Anomaly Detection in the IPS sensor
Answer: D

Protocol anomaly detection identifies malformed packets that violate protocol standards.

Why this answer

Protocol Anomaly Detection in the IPS sensor is designed to identify deviations from standard protocol behavior, such as malformed headers or null bytes in HTTP requests. This feature inspects traffic for known protocol violations without requiring custom signatures, making it the correct choice for blocking a null byte anomaly in HTTP headers.

Exam trap

The trap here is that candidates often confuse custom IPS signatures with protocol anomaly detection, assuming any pattern match requires a signature, when in fact FortiGate's IPS engine includes built-in protocol decoders that automatically detect RFC violations like null bytes.

How to eliminate wrong answers

Option A is wrong because creating a custom IPS signature to match a null byte pattern is unnecessary and less efficient; Protocol Anomaly Detection already handles such protocol violations natively. Option B is wrong because Outbreak Prevention is a feature for blocking emerging threats based on real-time intelligence, not for detecting protocol anomalies like malformed headers. Option C is wrong because the 'http-policy' setting in a WAF profile is used for web application firewall rules (e.g., SQL injection, XSS), not for low-level protocol anomaly detection like null bytes in headers.

140
MCQ · hard

A FortiGate administrator runs 'diagnose ips anomaly list' and sees many entries with 'protocol anomaly - tcp_port_scan'. The administrator wants to reduce false positives. Which action should be taken in the IPS sensor configuration?

A. Increase the threshold for the port scan detection in the IPS sensor.
B. Add the trusted server IPs to an exemption list in the IPS sensor.
C. Disable the TCP port scan filter entirely.
D. Change the action from 'block' to 'monitor' for all IPS filters.
Answer: A

Increasing the threshold reduces false positives by requiring more ports to be scanned in the time window.

141
MCQ · medium

An admin wants to ensure that office documents (e.g., Word, Excel) downloaded from the internet are safe before users open them. Which feature should be used to remove potentially malicious macros and active content?

A. Machine learning engine
B. Content Disarm and Reconstruction (CDR)
C. Antivirus pattern matching
D. FortiSandbox file submission
Answer: B

CDR strips active content like macros, scripts, and embedded objects from documents.

Why this answer

Option D is correct because Content Disarm and Reconstruction (CDR) removes active content from documents to neutralize threats while preserving usability.

142
MCQ · easy

What is the purpose of FortiDeceptor in an enterprise security architecture?

A. To simulate real assets and detect attackers attempting to interact with decoys
B. To provide VPN access for remote users
C. To encrypt all data at rest on endpoints
D. To block all inbound traffic from suspicious IP addresses
Answer: A

FortiDeceptor creates decoys to attract and detect attackers.

Why this answer

FortiDeceptor is a deception-based threat detection solution that deploys decoys (simulated real assets like servers, databases, or IoT devices) across the network. When an attacker probes or interacts with these decoys, FortiDeceptor generates high-fidelity alerts, enabling early detection of lateral movement or reconnaissance without relying on signatures. This aligns with the Advanced Threat Protection domain by shifting from reactive blocking to proactive deception.

Exam trap

The trap here is that candidates confuse FortiDeceptor's deception-based detection with traditional prevention mechanisms like firewalls or VPNs, assuming it blocks threats directly rather than detecting them through interaction with decoys.

How to eliminate wrong answers

Option B is wrong because FortiDeceptor does not provide VPN access; that is the function of FortiClient or FortiGate's IPsec/SSL VPN capabilities. Option C is wrong because FortiDeceptor does not encrypt data at rest on endpoints; endpoint encryption is typically handled by solutions like FortiClient with full disk encryption or third-party tools. Option D is wrong because FortiDeceptor does not block inbound traffic from suspicious IPs; that is the role of FortiGate's firewall policies, IPS, or FortiGuard IP reputation filtering.

143
MCQ · medium

An admin receives an email from FortiMail regarding a message that was rejected due to SPF failure. What does this indicate about the email?

A. The email's From address domain does not match the sending server's IP per the domain's SPF record
B. The email's DKIM signature is invalid
C. The email contains a virus
D. The email is missing a Message-ID header
Answer: A

SPF checks the envelope sender domain against the sending IP.

Why this answer

SPF (Sender Policy Framework) validates that the sending server IP is authorized to send mail for the domain in the envelope sender. A failure means the IP is not authorized.

144
MCQ · easy

What is the primary benefit of using FortiClient with ATP features in conjunction with FortiGate?

A. It allows users to bypass security policies
B. It replaces the need for a firewall
C. It enables endpoint detection and response with automated quarantine through FortiGate
D. It provides a single sign-on portal for all users
Answer: C

FortiClient ATP can detect threats and trigger FortiGate to isolate the endpoint.

Why this answer

FortiClient ATP (Advanced Threat Protection) integrates with FortiGate to share telemetry and enable coordinated response, such as quarantining an endpoint when a threat is detected.

145
MCQ · medium

An administrator wants to prevent users from downloading known malicious files from the internet. The administrator has enabled FortiGuard Outbreak Prevention and applied an antivirus profile to the outbound policy. However, some malicious files are still reaching users. What configuration step is most likely missing?

A. The antivirus profile has 'FortiGuard Outbreak Prevention' enabled
B. The FortiGuard subscription has expired
C. The antivirus profile does not have 'FortiGuard Outbreak Prevention' enabled
D. The security policy is not configured for proxy-based inspection
Answer: C

Outbreak prevention is an additional toggle in the antivirus profile; without it, the feature does not activate.

Why this answer

Option C is correct because FortiGuard Outbreak Prevention is a separate toggle within the antivirus profile that must be explicitly enabled to leverage real-time outbreak intelligence. Even if the administrator believes they have enabled it, the profile may have the feature disabled by default or inadvertently left off, allowing known malicious files to bypass detection. Without this toggle, the antivirus engine relies only on static signatures and cannot block files flagged by FortiGuard's outbreak database.

Exam trap

The trap here is that candidates assume enabling FortiGuard Outbreak Prevention at the system or global level automatically applies it to all antivirus profiles, when in fact it must be explicitly enabled within each antivirus profile's settings.

How to eliminate wrong answers

Option A is wrong because stating that the antivirus profile has 'FortiGuard Outbreak Prevention' enabled would contradict the scenario where malicious files are still reaching users; if it were enabled, the outbreak prevention would block those files. Option B is wrong because an expired FortiGuard subscription would affect all FortiGuard services, not just outbreak prevention, and the question specifies that the administrator enabled FortiGuard Outbreak Prevention, implying the subscription is active. Option D is wrong because proxy-based inspection is not a prerequisite for FortiGuard Outbreak Prevention; the feature works with both proxy-based and flow-based inspection modes as long as the antivirus profile is applied and the toggle is enabled.

146
MCQ · medium

An administrator wants to detect lateral movement and early stages of an attack using decoy systems that mimic production assets. Which Fortinet product should they deploy?

A. FortiSIEM
B. FortiEDR
C. FortiNDR
D. FortiDeceptor
Answer: D

FortiDeceptor uses decoys to detect attacks.

Why this answer

FortiDeceptor is specifically designed to detect lateral movement and early-stage attacks by deploying decoy systems (honeypots) that mimic production assets. It uses deception technology to lure attackers away from real targets and trigger alerts when decoys are probed or compromised, enabling early threat detection without impacting production systems.

Exam trap

The trap here is that candidates may confuse FortiDeceptor with FortiNDR or FortiEDR because all three involve threat detection, but only FortiDeceptor uses active decoy systems to mimic production assets for deception-based detection.

How to eliminate wrong answers

Option A is wrong because FortiSIEM is a security information and event management solution that aggregates logs and correlates events, but it does not deploy decoy systems or actively mimic production assets for deception. Option B is wrong because FortiEDR is an endpoint detection and response solution that protects endpoints via behavioral analysis and threat hunting, but it does not create decoy systems or honeypots to simulate production assets. Option C is wrong because FortiNDR is a network detection and response solution that analyzes network traffic for anomalies and threats using machine learning, but it does not deploy decoy systems or mimic production assets for deception-based detection.

147
MCQ · hard

A company uses FortiWeb to protect its web application. They want to block SQL injection attempts. Which FortiWeb feature should be configured to inspect HTTP requests for malicious SQL patterns?

A. URL Access Rule
B. Web Application Firewall (WAF) Signatures
C. HTTP Protocol Constraint
D. IP List
Answer: B

WAF Signatures include pre-defined rules for SQL injection, XSS, etc.

Why this answer

FortiWeb uses Web Application Firewall signatures to detect SQL injection. These are pre-configured signatures that match SQL patterns.

148
Multi-Select · medium

An administrator is configuring FortiDeceptor to detect threats within the network. Which TWO statements about FortiDeceptor are correct?

Select 2 answers
A. It requires a separate hardware appliance for each network segment
B. It sends alerts to FortiSIEM or FortiSOAR for automated response
C. It uses decoys and lures to attract attackers
D. It uses signature-based detection to identify malware
E. It can replace firewall functionality
Answers: B, C

Integration with SIEM/SOAR enables automated response to detected threats.

Why this answer

Options A and D are correct. FortiDeceptor uses decoys and lures to attract attackers, and it sends alerts to FortiSIEM or FortiSOAR for automated response.

149
Multi-Select · medium

A FortiGate administrator wants to detect and block protocol anomalies as part of advanced IPS. Which three options are available in FortiGate's custom IPS signatures? (Choose three.)

Select 3 answers
A. Protocol-specific fields
B. Protocol anomaly detection
C. Packet length constraints
D. Application signatures
E. URL filtering
Answers: A, B, C

Custom signatures can specify protocol fields such as TCP flags and HTTP headers.

Why this answer

Correct answers: A, B, D. Custom IPS signatures can target specific protocol fields, packet length, and protocol anomalies. Application control is separate.

150
Multi-Select · medium

A company has deployed FortiClient with advanced threat protection (ATP) features. Which TWO capabilities does FortiClient ATP provide beyond basic antivirus?

Select 2 answers
A. Exploit prevention and vulnerability scanning
B. Application control and inventory
C. Real-time malware protection using machine learning
D. VPN connectivity
E. Web filtering and URL rating
Answers: A, C

FortiClient ATP includes exploit prevention and vulnerability assessment.
