CCNA Nse7 Atp Questions

19 of 169 questions · Page 3/3 · Nse7 Atp topic · Answers revealed

151
MCQ · medium

An admin wants to block malicious files detected by FortiSandbox at the FortiGate level. Which configuration is required on the FortiGate to automatically block files based on FortiSandbox verdict?

A. Enable Threat Feeds on FortiGate and subscribe to FortiSandbox feeds
B. Enable 'FortiSandbox inline prevention' in the antivirus profile
C. Configure an Automation Stitch that triggers on malware detected events and blocks the source IP
D. Configure a security policy with a Web Filter profile that blocks malware categories
Answer: B

This setting allows the FortiGate to block files immediately based on FortiSandbox verdicts.

Why this answer

Option B is correct because the antivirus profile must have FortiSandbox inline prevention enabled to automatically block files based on the verdict.

152
MCQ · medium

A network admin notices that files submitted to FortiSandbox are not being analyzed. The FortiGate is configured to send files to FortiSandbox. What is the MOST likely cause?

A. FortiSandbox license is expired
B. FortiGate firewall policy is blocking the connection to FortiSandbox on port 443
C. FortiSandbox is in quarantine mode
D. File size exceeds the maximum submission size limit on FortiGate
Answer: A

An expired license prevents analysis. The file submission queue will accumulate.

Why this answer

Option A is correct because FortiSandbox requires a valid license to perform analysis. Without it, files are queued but not analyzed.

153
MCQ · easy

Which FortiClient feature is specifically designed to prevent the execution of unknown malware by analyzing behavior in real-time?

A. FortiClient Vulnerability Scan
B. FortiClient Application Firewall
C. FortiClient Web Filter
D. FortiClient AI Engine
Answer: D

The AI engine uses machine learning to analyze behavior and stop unknown malware.

Why this answer

Option D is correct because FortiClient's AI-driven engine uses machine learning to detect unknown threats based on behavior, not signatures.

154
Multi-Select · medium

An administrator wants to protect against zero-day malware that has not yet been discovered by signature-based detection. Which TWO technologies can help mitigate such threats?

Select 2 answers
A. Machine Learning Engine
B. Outbreak Prevention
C. Signature-based antivirus
D. Web filtering
E. Application control
Answers: A, B

ML engine analyzes file characteristics to detect unknown malware.

Why this answer

Options A and B are correct. The machine learning engine and outbreak prevention use heuristics and behavioral analysis to detect unknown threats.

155
MCQ · hard

An administrator runs the following CLI output: 'diagnose sys session filter dport 443' and sees 'proto=6 proto_state=01 duration=3600 expire=3599'. Which statement BEST describes the session?

A. The session is in the process of being torn down
B. The session is established and has been active for one hour
C. The session is a UDP session incorrectly classified as TCP
D. The TCP session is still in the SYN-SENT state
Answer: B

proto_state=01 indicates an established TCP session; duration=3600 seconds equals one hour.

Why this answer

The session shows 'proto=6' (TCP), 'proto_state=01' (TCP_ESTABLISHED), and 'duration=3600' seconds, which equals one hour. The 'expire=3599' indicates the session has 3599 seconds left before timeout, confirming it is active and established. Option B correctly identifies this as an established session that has been active for one hour.

Exam trap

The trap here is that candidates may misinterpret 'proto_state=01' as a starting state or teardown state, when in Fortinet's session table it specifically represents TCP_ESTABLISHED, and the combination of duration and expire values confirms the session is active and not in transition.

How to eliminate wrong answers

Option A is wrong because 'proto_state=01' indicates TCP_ESTABLISHED, not a teardown state; a session being torn down would show a state like TCP_FIN_WAIT or TCP_CLOSE. Option C is wrong because 'proto=6' explicitly indicates TCP, not UDP (which would be proto=17), and the state '01' is a valid TCP established state, not a misclassification. Option D is wrong because 'proto_state=01' corresponds to TCP_ESTABLISHED, not SYN-SENT (which would be state '02' or '03' depending on the Fortinet implementation); the session has already completed the three-way handshake.

156
MCQ · medium

A FortiGate administrator wants to implement Content Disarm and Reconstruction (CDR) for email attachments. Which security profile must be configured to enable CDR?

A. Web Filter profile
B. Antivirus profile
C. IPS profile
D. Application Control profile
Answer: B

CDR is part of the antivirus profile; it disarms and reconstructs files to remove active content.

Why this answer

Content Disarm and Reconstruction (CDR) is a security feature that removes active content (e.g., macros, scripts, embedded objects) from files and reconstructs them into a safe version. In FortiOS, CDR is configured within the Antivirus profile because it operates as part of the antivirus scanning engine, specifically under the 'File Filter' or 'Content Disarm' tab, where you can enable CDR for supported file types like Office documents and PDFs.

Exam trap

The trap here is that candidates mistakenly associate CDR with Web Filter (thinking it's a web content sanitization feature) or IPS (confusing it with file-based exploit prevention), when in fact CDR is a file-level sanitization feature tightly integrated with the antivirus engine and configured within the Antivirus profile.

How to eliminate wrong answers

Option A is wrong because Web Filter profiles control HTTP/HTTPS URL access and content categorization, not email attachment processing or file-level content sanitization. Option C is wrong because IPS profiles focus on network-based intrusion prevention by inspecting traffic for exploit signatures and anomalies, not on file reconstruction or active content removal. Option D is wrong because Application Control profiles manage application visibility and usage policies (e.g., blocking or allowing specific apps like Skype or Dropbox), not file attachment scanning or CDR operations.

157
MCQ · medium

A company uses FortiWeb as a reverse proxy for their web application. They want to protect against SQL injection attacks. Which FortiWeb feature should be configured?

A. Enable 'SQL Injection Prevention' in the Web Protection Profile
B. Enable 'IPS Sensor' with SQL injection signatures
C. Use the FortiGate WAF profile instead
D. Configure a custom HTTP header validation rule
Answer: A

FortiWeb has predefined signatures for SQL injection.

Why this answer

FortiWeb's Web Protection Profile includes a dedicated 'SQL Injection Prevention' module that uses signature-based and behavioral analysis to detect and block SQL injection attempts at the application layer. This is the correct feature because FortiWeb is a web application firewall (WAF) designed specifically for HTTP/HTTPS traffic, and SQL injection protection is a core WAF function, not a general IPS or network-layer feature.

Exam trap

The trap here is that candidates assume IPS signatures can handle SQL injection because they see 'SQL injection' in signature names, but they overlook that FortiWeb's dedicated module provides application-layer decoding and context that a generic IPS sensor lacks.

How to eliminate wrong answers

Option B is wrong because IPS Sensors on FortiGate or FortiWeb are designed for network-layer attack detection (e.g., protocol anomalies, buffer overflows) and lack the application-layer context (e.g., HTTP parameter parsing, URL decoding) needed to reliably detect SQL injection. Option C is wrong because the FortiGate WAF profile is a simplified subset of FortiWeb's capabilities; it does not include the granular SQL injection prevention engine or the dedicated signature database that FortiWeb offers. Option D is wrong because custom HTTP header validation rules only inspect header fields, not the request body or URL parameters where SQL injection payloads typically reside.

158
MCQ · medium

An IPS administrator wants to detect a new custom attack that sends malformed HTTP headers. The attack pattern is a specific sequence of bytes that is not covered by existing signatures. What is the BEST way to detect this attack on FortiGate?

A. Use an automation stitch to block traffic with unusual headers
B. Enable protocol anomaly detection in the IPS sensor
C. Deploy FortiWeb as a reverse proxy
D. Create a custom IPS signature
Answer: D

Custom signatures match specific content patterns defined by the administrator.

Why this answer

Option D is correct because custom IPS signatures allow administrators to define unique patterns to detect new attacks not covered by default signatures.

159
MCQ · medium

An administrator configures a FortiGate to integrate with FortiSandbox for inline scanning. The policy has an antivirus profile with FortiSandbox enabled. What condition must be met for files to be submitted to FortiSandbox?

A. The antivirus profile must use proxy-based inspection mode
B. The FortiSandbox must be on the same subnet as the FortiGate
C. The FortiGate must be in NAT mode
D. SSL inspection must be disabled
Answer: A

Proxy-based inspection is required for inline FortiSandbox file submission.

Why this answer

For files to be submitted to FortiSandbox during inline scanning, the antivirus profile must use proxy-based inspection mode. This is because proxy-based inspection allows the FortiGate to buffer the entire file, perform deep analysis, and then forward it to FortiSandbox for verdict-based blocking. Flow-based inspection, in contrast, streams packets and cannot hold files for submission, making proxy mode a prerequisite for inline FortiSandbox integration.

Exam trap

The trap here is that candidates assume flow-based inspection is sufficient for inline sandboxing, but FortiGate explicitly requires proxy-based inspection to buffer and submit files for verdict-based blocking.

How to eliminate wrong answers

Option B is wrong because FortiSandbox does not need to be on the same subnet as the FortiGate; it can be located anywhere reachable via network, and communication uses HTTPS (port 443) or FortiSandbox-specific protocols. Option C is wrong because the FortiGate can operate in NAT mode or transparent mode for FortiSandbox integration; NAT mode is not a requirement. Option D is wrong because SSL inspection must be enabled (not disabled) to decrypt HTTPS traffic and allow the antivirus profile to inspect files within encrypted sessions for FortiSandbox submission.

160
MCQ · hard

A security admin notices that FortiClient ATP is not blocking threats on a managed endpoint. The FortiClient is registered with FortiGate and the ATP feature is enabled in the FortiClient profile. What is the most likely cause?

A. The FortiGate's antivirus signatures are outdated
B. The FortiClient endpoint has a different antivirus product installed that conflicts
C. The FortiGate antivirus profile applied to the FortiClient policy has 'Scan on Access' disabled
D. FortiClient is in standalone mode instead of managed mode
Answer: C

ATP relies on on-access scanning to block threats immediately.

Why this answer

FortiClient ATP uses the FortiGate's antivirus engine to scan files locally. If the endpoint's antivirus profile on FortiGate does not include 'Scan on Access', FortiClient ATP may not intercept file access events.

161
MCQ · medium

An email security administrator wants to prevent attackers from spoofing the company's domain. Which email authentication mechanism should be configured to allow receiving servers to verify that emails claiming to be from the domain are sent from authorized mail servers?

A. DMARC
B. SPF
C. TLS for SMTP
D. DKIM
Answer: B

SPF records list authorized sending IPs or hostnames.

Why this answer

Option B is correct because SPF (Sender Policy Framework) allows domain owners to specify which servers are authorized to send emails for their domain.

162
MCQ · hard

A FortiGate administrator configures a custom IPS signature with the pattern 'attack' in the HTTP request URI. After applying the signature, no alerts are generated even though the traffic matches. What is the MOST likely cause?

A. The signature's protocol decoder is set to 'HTTP'
B. The signature action is set to 'pass'
C. The signature's protocol decoder is not set to 'HTTP'
D. The signature severity is too low
Answer: C

Without the proper decoder, the pattern is not matched in the HTTP URI.

Why this answer

The custom IPS signature pattern 'attack' will only be inspected against the HTTP request URI if the signature's protocol decoder is explicitly set to 'HTTP'. Without this decoder assignment, the IPS engine does not know which protocol layer to parse, and the pattern is never matched against the URI, resulting in no alerts despite matching traffic.

Exam trap

The trap here is that candidates often assume a signature will automatically inspect all traffic or that the 'pass' action suppresses alerts, when in fact the protocol decoder is a mandatory prerequisite for any application-layer pattern matching in FortiGate IPS.

How to eliminate wrong answers

Option A is wrong because setting the protocol decoder to 'HTTP' is exactly what is required for the signature to inspect HTTP request URIs; this would enable alerts, not prevent them. Option B is wrong because a 'pass' action would allow the traffic but still generate a log entry (alert) by default unless logging is disabled; the question states no alerts are generated, so action alone is not the cause. Option D is wrong because signature severity does not affect whether an alert is generated; severity only influences the event's priority in logs and reports, not the detection or alerting process.

163
Multi-Select · medium

An administrator wants to configure FortiGate to automatically block a source IP when a high-severity IPS event is detected. Which TWO components must be configured? (Choose two.)

Select 2 answers
A. A firewall policy with IPS enabled
B. A FortiGuard category subscription
C. An automation stitch trigger set to 'IPS Event'
D. A static route to the source IP
E. An automation stitch action set to 'Quarantine'
Answers: C, E

The trigger defines when the stitch runs.

Why this answer

Option C is correct because an automation stitch trigger set to 'IPS Event' is required to detect the high-severity IPS event and initiate the automated response. Option E is correct because the 'Quarantine' action within the automation stitch is the component that actually blocks the source IP by adding a dynamic block entry to the firewall policy.

Exam trap

The trap here is that candidates often assume enabling IPS on a firewall policy (Option A) is sufficient for automatic blocking, but FortiGate requires an explicit automation stitch to convert detection into an automated quarantine action.

164
MCQ · medium

A security analyst notices repeated failed login attempts from a specific IP address to the FortiGate management interface. The administrator wants to automatically blacklist the IP after 3 failed attempts within 60 seconds. Which feature should be configured?

A. Intrusion Prevention System (IPS) with custom signature
B. FortiGate's built-in DoS policy and blacklist
C. Admin lockdown and intruder lockout settings
D. Administrative access trusted hosts
Answer: C

FortiGate can be configured to lock out IPs after failed admin login attempts via the 'config system admin' settings or via 'config system global' with 'set admin-lockout-threshold' and 'set admin-lockout-duration'.

165
Multi-Select · medium

Which TWO of the following are required for FortiGate to successfully obtain file verdicts from FortiSandbox? (Choose two.)

Select 2 answers
A. Proxy-based inspection mode enabled on the policy
B. Valid FortiSandbox license on FortiGate
C. FortiSandbox inline scanning enabled in antivirus profile
D. FortiGuard Security Rating subscription
E. Network connectivity between FortiGate and FortiSandbox
Answers: B, E

Needed to enable the sandbox feature.

Why this answer

A valid FortiSandbox license on the FortiGate is required to authenticate and authorize communication with the FortiSandbox appliance or cloud service. Without this license, the FortiGate cannot register with the FortiSandbox or submit files for verdict analysis, even if network connectivity exists.

Exam trap

The trap here is that candidates often assume proxy-based inspection or inline scanning is mandatory for sandbox integration, but FortiGate can use flow-based inspection and retrieve verdicts asynchronously without inline mode enabled.

166
MCQ · easy

Which Fortinet product provides endpoint detection and response (EDR) capabilities, including automated threat containment?

A. FortiClient
B. FortiEDR
C. FortiSandbox
D. FortiGuard
Answer: B

FortiEDR provides EDR functionality.

Why this answer

FortiEDR is the correct answer because it is Fortinet's dedicated endpoint detection and response solution that provides real-time behavioral analysis, automated threat containment, and forensic investigation capabilities. Unlike traditional antivirus, FortiEDR uses machine learning and pre-execution analysis to detect and block advanced threats, and it can automatically isolate compromised endpoints from the network to prevent lateral movement.

Exam trap

The trap here is that candidates often confuse FortiClient's basic endpoint protection features (like antivirus and web filtering) with the advanced EDR capabilities that are exclusive to FortiEDR, especially since FortiClient can be managed by FortiEDR but does not itself provide automated threat containment.

How to eliminate wrong answers

Option A (FortiClient) is wrong because FortiClient is a unified endpoint agent that provides VPN, web filtering, and basic antivirus, but it does not include full EDR capabilities such as automated threat containment or deep forensic analysis; it relies on FortiEDR or FortiSandbox for advanced detection. Option C (FortiSandbox) is wrong because FortiSandbox is a network-based sandboxing appliance that detonates suspicious files and URLs in a virtual environment to identify zero-day threats, but it does not run on endpoints or provide endpoint-level automated containment. Option D (FortiGuard) is wrong because FortiGuard is Fortinet's global threat intelligence and security services subscription (including antivirus signatures, web filtering categories, and IP reputation), not a product that performs endpoint detection or response actions.

167
MCQ · medium

A company is deploying FortiClient ATP to protect endpoints. They want to block ransomware behavior in real time. Which FortiClient feature should be enabled?

A. Real-Time Protection
B. Vulnerability Scan
C. Web Filtering
D. Application Firewall
Answer: A

This feature monitors processes and file operations for malicious behavior.

Why this answer

Option A is correct. FortiClient's Real-Time Protection includes behavior-based detection that can identify and block ransomware patterns.

168
MCQ · medium

An organization wants to protect a public-facing web application against SQL injection and cross-site scripting (XSS) attacks. They have a FortiGate and a FortiWeb. What is the BEST deployment approach?

A. Place the web server in a DMZ and rely on firewall policies
B. Use FortiGate WAF profile only
C. Deploy FortiWeb in reverse proxy mode in front of the web server
D. Use FortiGate IPS signatures for SQL injection and XSS
Answer: C

FortiWeb provides comprehensive WAF features like signature-based detection, anomaly detection, and bot mitigation.

Why this answer

Option C is correct because FortiWeb is purpose-built for web application security and provides deep inspection and protection against OWASP Top 10 threats like SQLi and XSS.

169
MCQ · medium

A FortiGate administrator notices that files submitted to FortiSandbox are receiving verdicts but the firewall is not automatically blocking the detected malware. The FortiSandbox integration is configured under Security Fabric > External Connectors. What additional configuration is required to enforce blocking based on FortiSandbox verdicts?

A. Enable the 'fortisandbox' option in the antivirus profile applied to the firewall policy
B. Enable 'Inline Scan' on the FortiSandbox connector
C. Configure an automation stitch to quarantine files based on verdict
D. Enable 'Block malicious files' in the FortiSandbox connector settings
Answer: A

The antivirus profile with 'fortisandbox' enabled will use FortiSandbox verdicts to block malicious files.

Why this answer

Option A is correct because the FortiSandbox verdict integration requires the antivirus profile applied to the firewall policy to have the 'fortisandbox' option enabled. This option allows the FortiGate to query FortiSandbox for verdicts and automatically block files that are determined to be malicious. Without this setting in the antivirus profile, the FortiGate will receive verdicts but will not enforce blocking actions on the traffic.

Exam trap

The trap here is that candidates often confuse the FortiSandbox connector settings (like 'Block malicious files') with the actual enforcement mechanism, which is the antivirus profile's 'fortisandbox' option that must be explicitly enabled in the policy's security profile.

How to eliminate wrong answers

Option B is wrong because 'Inline Scan' is a feature for FortiGate's local inline scanning of files, not for enforcing blocking based on FortiSandbox verdicts; it controls how files are scanned, not the action taken on verdicts. Option C is wrong because automation stitches can be used to trigger actions like quarantine, but they are not the primary or required configuration to enforce blocking based on FortiSandbox verdicts; the verdict-based blocking is handled directly by the antivirus profile. Option D is wrong because the 'Block malicious files' setting in the FortiSandbox connector settings controls whether the FortiGate sends files to FortiSandbox for analysis, not whether it blocks files based on received verdicts; blocking is enforced at the antivirus profile level.

