Fortinet FCP_FGT_AD-7.6 FCP – FortiGate 7.6 Administrator Exam Dumps and Practice Test Questions Set 4 Q61-80

Question 61:

You want FortiGate 7.6 to enforce Multi-Factor Authentication (MFA) for all users accessing critical applications from outside the corporate network while allowing seamless access from trusted corporate devices. Which configuration should be applied?

A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts

Answer: A) – Conditional Access → Require MFA for external access → Apply per user group

Explanation

FortiGate integrates with identity services like Azure AD to enforce Conditional Access policies. By requiring MFA for users connecting from untrusted networks, administrators reduce the risk of account compromise while allowing seamless access from corporate devices.

Option B (Security Defaults) applies global policies and cannot selectively enforce location-based MFA. Option C (Pass-through Authentication) validates credentials but cannot enforce conditional MFA. Option D (Azure AD B2B) manages guest accounts but does not enforce internal access policies.

Implementation involves creating a Conditional Access policy targeting all users or specific groups, specifying trusted locations (corporate networks), and enabling MFA for external connections. For example, a user signing in from home receives an MFA challenge, while the same user on a corporate laptop at the office accesses resources seamlessly. Logs allow monitoring compliance and authentication attempts. Periodic review ensures policies reflect organizational security requirements. This approach balances strong authentication with user convenience and adaptive security.

Question 62:

A FortiGate 7.6 administrator wants to ensure branch offices can access SaaS applications over multiple WAN links and automatically route traffic through the fastest available path. Which feature should be used?

A) SD-WAN → Application-based routing → Enable link performance monitoring
B) Static Routing → Configure multiple default gateways
C) Transparent Mode → Bridge WAN interfaces
D) SSL VPN → Enable per branch user

Answer: A) – SD-WAN → Application-based routing → Enable link performance monitoring

Explanation

SD-WAN in FortiGate 7.6 enables administrators to route traffic intelligently across multiple WAN links based on application type and link performance metrics (latency, jitter, packet loss). Critical SaaS applications can be routed through the fastest path, while non-critical traffic is balanced across links.

Option B (Static Routing) cannot dynamically route traffic based on link performance. Option C (Transparent Mode) bridges traffic but does not provide path optimization. Option D (SSL VPN) provides remote access but does not optimize branch-to-SaaS routing.

Implementation involves creating an SD-WAN zone, adding WAN members, defining performance SLAs, and creating application-based routing rules. For example, Office 365 traffic from a branch office is automatically routed over the lowest-latency link. Logs and FortiView dashboards help monitor link performance and traffic distribution. Periodic review ensures SLA thresholds and routing rules remain aligned with business requirements. This approach improves SaaS performance, ensures reliability, and maintains security through standard inspection policies applied to SD-WAN traffic.

Question 63:

You want FortiGate 7.6 to prevent sensitive financial data from leaving the corporate network via email or cloud services. Which configuration is correct?

A) DLP Profile → Apply to outbound firewall policies → Inspect for predefined sensitive data patterns
B) Web Filtering → Block all cloud storage
C) SSL Inspection → Enable globally
D) Application Control → Block email clients

Answer: A) – DLP Profile → Apply to outbound firewall policies → Inspect for predefined sensitive data patterns

Explanation

FortiGate 7.6 Data Loss Prevention (DLP) allows administrators to inspect outbound traffic for sensitive content such as credit card numbers, social security numbers, or confidential financial data. By applying DLP profiles to outbound policies, unauthorized uploads to email or cloud storage can be blocked, preventing data leakage.

Option B (Web Filtering) can block access but cannot inspect file contents. Option C (SSL Inspection) decrypts traffic but requires DLP profiles to block sensitive content. Option D (Application Control) blocks apps but does not inspect data.

Implementation involves creating a DLP profile with regex patterns or predefined content types, applying it to outbound policies, and enabling logging. For example, if an employee tries to email a file containing customer financial data, the transfer is blocked and logged. Alerts notify administrators for immediate action. Regular updates to DLP patterns ensure protection against new data types. This configuration enforces compliance, reduces the risk of accidental or malicious data exfiltration, and provides auditability for regulatory reporting.

Question 64:

A FortiGate 7.6 administrator wants to prioritize VoIP traffic across the WAN while limiting bandwidth for video streaming applications. Which configuration is correct?

A) Traffic Shaping Policy → Apply per application → Assign guaranteed bandwidth and priority
B) SD-WAN → Load balance all traffic equally
C) IPS Sensor → Enable for VoIP
D) SSL Inspection → Enable globally

Answer: A) – Traffic Shaping Policy → Apply per application → Assign guaranteed bandwidth and priority

Explanation

FortiGate 7.6 Traffic Shaping allows administrators to prioritize business-critical applications, like VoIP, by assigning guaranteed bandwidth and priority. Non-critical applications, such as video streaming, can be throttled to reduce network congestion and ensure high-quality voice communication.

Option B (SD-WAN load balancing) optimizes path selection but does not prioritize applications at the bandwidth level. Option C (IPS Sensor) inspects for threats but does not manage traffic priority. Option D (SSL Inspection) decrypts traffic but cannot enforce bandwidth allocation.

Implementation involves creating traffic shaping policies targeting VoIP ports or application signatures, setting guaranteed bandwidth and high priority, and applying throttling rules for video streaming. For example, SIP or RTP traffic is prioritized during peak hours, while Netflix or YouTube traffic is limited. FortiView dashboards monitor performance metrics, including latency and packet loss. Periodic review ensures that prioritization rules align with organizational needs. This configuration maintains call quality, improves network performance, and ensures critical business applications remain unaffected during peak usage.

Question 65:

You want FortiGate 7.6 to automatically update IPS, antivirus, and application control signatures for all devices without manual intervention. Which configuration is correct?

A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually

Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles

Explanation

FortiGate 7.6 integrates with FortiGuard Security Services to provide real-time updates for IPS, antivirus, and application control signatures. Enabling automatic updates ensures that all devices receive the latest threat definitions without manual intervention, reducing vulnerability windows and maintaining consistent protection across the network.

Option B (SSL Inspection) decrypts traffic but does not update security signatures. Option C (Traffic Shaping) controls bandwidth but does not manage threat intelligence. Option D (Application Control → Manual updates) requires administrator intervention, increasing the risk of outdated protection.

Implementation involves subscribing to FortiGuard services, enabling automatic updates for all security profiles, and monitoring logs to confirm update success. For example, new malware definitions are automatically pushed daily, ensuring real-time protection. Regular review ensures updates are applied consistently and all devices remain synchronized. This configuration reduces administrative overhead, strengthens security posture, and ensures continuous threat defense across the network.

Question 66:

A FortiGate 7.6 administrator wants to enforce endpoint compliance before allowing SSL VPN access. The compliance check must ensure antivirus is running and the firewall is enabled. Which configuration is correct?

A) SSL VPN → Enable Endpoint Compliance Check → Enforce antivirus and firewall status
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block untrusted sites
D) Traffic Shaping → Apply per SSL VPN user

Answer: A) – SSL VPN → Enable Endpoint Compliance Check → Enforce antivirus and firewall status

Explanation

FortiGate 7.6 supports Endpoint Compliance Checks for SSL VPN users to verify device security before granting access. Compliance checks can include verifying that antivirus definitions are up-to-date, the local firewall is enabled, and other endpoint requirements like patch level or FortiClient presence. Devices failing the check can be denied access or routed to a restricted portal.

Option B (IPsec VPN) secures tunnels but does not enforce endpoint compliance. Option C (Web Filtering) controls web access but does not validate device security. Option D (Traffic Shaping) manages bandwidth and cannot enforce compliance policies.

Implementation involves enabling endpoint compliance on the SSL VPN portal, creating compliance rules (antivirus, firewall, OS version), and mapping rules to user groups. For example, a corporate laptop passes the compliance check and gains full SSL VPN access, while an unmanaged or outdated device is restricted. Logging provides visibility into compliance failures. Combining endpoint compliance with MFA strengthens security for remote access. Regular review ensures that compliance rules are updated to meet evolving security policies. This approach reduces the risk of malware or compromised devices entering the network through remote connections.

Question 67:

You want FortiGate 7.6 to block access to social media sites during business hours but allow access during lunch breaks. Which configuration is correct?

A) Web Filtering → Apply to firewall policies → Configure schedule-based rules
B) Application Control → Block all unknown apps
C) SSL Deep Inspection → Apply globally
D) Traffic Shaping → Limit bandwidth for social media

Answer: A) – Web Filtering → Apply to firewall policies → Configure schedule-based rules

Explanation

Web Filtering in FortiGate 7.6 allows administrators to block categories of websites, specific domains, or URLs. By combining Web Filtering with schedule-based policies, access can be restricted during certain hours (e.g., 9 AM–5 PM) and allowed during a defined exception window (e.g., 12 PM–1 PM).

Option B (Application Control) targets applications rather than web categories and cannot enforce schedule-based access. Option C (SSL Deep Inspection) decrypts traffic but does not enforce time-based rules. Option D (Traffic Shaping) limits bandwidth but cannot fully block access.

Implementation involves creating a Web Filtering profile with the “Social Media” category blocked, applying it to outbound firewall policies, and configuring schedules for business hours and lunch breaks. For example, users cannot access Facebook or Twitter during work hours but are allowed during a 1-hour lunch period. Logs and reports provide visibility into blocked attempts and policy effectiveness. Periodic review ensures that categories and schedules align with changing business needs. This approach improves productivity while still accommodating occasional recreational access.
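
The overlapping schedules in this question (a lunch window inside business hours) only work if the narrower rule is evaluated first. The following added example, which is not part of the original page and is not FortiGate code, models first-match rule evaluation in Python; the rule names, the weekday set and the default action outside both windows are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Rule:
    name: str
    start: time           # inclusive
    end: time             # exclusive
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    category: str
    action: str           # "allow" or "block"

    def matches(self, when: datetime, category: str) -> bool:
        return (
            category == self.category
            and when.weekday() in self.weekdays
            and self.start <= when.time() < self.end
        )


WORKDAYS = frozenset(range(5))  # assumption: Monday to Friday

# Order matters: the lunch exception sits above the broad business-hours block.
RULES = [
    Rule("lunch-allow", time(12, 0), time(13, 0), WORKDAYS, "Social Media", "allow"),
    Rule("business-hours-block", time(9, 0), time(17, 0), WORKDAYS, "Social Media", "block"),
]


def decide(rules, when, category, default="allow"):
    """Return (action, rule_name) for the first rule whose schedule matches.

    Assumption: outside every schedule the category is not blocked.
    """
    for rule in rules:
        if rule.matches(when, category):
            return rule.action, rule.name
    return default, "implicit-default"


if __name__ == "__main__":
    # Constructed request times; 2025-01-06 is a Monday.
    for hhmm in ((10, 30), (12, 30), (13, 0), (18, 0)):
        when = datetime(2025, 1, 6, *hhmm)
        print(when.isoformat(), decide(RULES, when, "Social Media"))
    # Misordered rules: the broad block shadows the lunch exception.
    print(decide(list(reversed(RULES)), datetime(2025, 1, 6, 12, 30), "Social Media"))
```

With the two rules reversed, the 12:30 request is blocked, which is the misconfiguration to look for when a lunch exception appears to have no effect.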

Question 68:

A FortiGate 7.6 administrator wants to detect botnet command-and-control traffic from internal devices. Which configuration is correct?

A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Traffic Shaping → Apply per user group
C) SSL Inspection → Enable globally
D) Web Filtering → Block suspicious URLs

Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies

Explanation

FortiGate 7.6 IPS (Intrusion Prevention System) can detect botnet command-and-control (C&C) communications by using specific IPS signatures. When applied to firewall policies, the IPS sensor inspects inbound and outbound traffic, detecting malware-infected devices attempting to contact C&C servers.

Option B (Traffic Shaping) controls bandwidth, not malware detection. Option C (SSL Inspection) decrypts traffic but does not detect botnets unless combined with IPS/antivirus scanning. Option D (Web Filtering) blocks malicious URLs but does not inspect non-web C&C traffic.

Implementation involves enabling IPS signatures for botnet detection, applying them to relevant policies, and monitoring alerts. For example, a workstation infected with malware attempting to communicate with a C&C server is blocked and logged. Logs provide detailed information for forensic investigation. Regular updates of IPS signatures are essential for detecting new botnets and threats. Combining IPS with SSL inspection and antivirus scanning ensures comprehensive threat detection. This configuration enhances network security by preventing compromised devices from participating in botnets or data exfiltration.

Question 69:

You want FortiGate 7.6 to ensure that all email attachments are scanned for malware before reaching internal users. Which configuration is correct?

A) Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
B) IPS Sensor → Apply to email servers
C) Web Filtering → Block suspicious email domains
D) Application Control → Block email clients

Answer: A) – Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies

Explanation

FortiGate 7.6 supports Antivirus scanning for email protocols. Enabling SMTP scanning inspects inbound emails and attachments for viruses, malware, and other threats. Applying the antivirus profile to firewall policies controlling email traffic ensures malicious attachments are blocked before reaching users.

Option B (IPS Sensor) detects exploits but does not scan email attachments. Option C (Web Filtering) blocks websites but cannot scan attachments. Option D (Application Control) blocks applications but does not inspect content.

Implementation involves creating an antivirus profile, enabling SMTP scanning, and applying it to inbound policies. For example, an infected Word document attached to an email is blocked, and an alert is logged. Regular updates of antivirus definitions are critical to protect against new malware. Logs allow administrators to monitor blocked threats and ensure compliance. Combining antivirus scanning with SSL inspection (if email uses encrypted protocols) ensures all traffic is thoroughly inspected. This configuration reduces the risk of malware infection via email and strengthens overall network security.

Question 70:

You want FortiGate 7.6 to provide centralized logging, reporting, and management for multiple FortiGate devices across branches. Which solution should be implemented?

A) FortiManager → Add FortiGate devices → Centralized management and reporting
B) SD-WAN → Apply to all branch devices
C) SSL VPN → Enable endpoint compliance
D) Traffic Shaping → Apply to all WAN interfaces

Answer: A) – FortiManager → Add FortiGate devices → Centralized management and reporting

Explanation

FortiManager provides centralized management for multiple FortiGate devices, including configuration backup, firmware updates, policy deployment, and log aggregation. By adding FortiGate units to FortiManager, administrators gain a single pane of glass for monitoring, reporting, and auditing across distributed branches.

Option B (SD-WAN) optimizes WAN performance but does not provide centralized management. Option C (SSL VPN) provides secure remote access but not device management. Option D (Traffic Shaping) controls bandwidth but does not centralize configuration or reporting.

Implementation involves registering FortiGate devices with FortiManager, authorizing management access, and mapping policies or security profiles. Logs from all devices can be aggregated, analyzed, and used for compliance reporting. For example, new web filtering policies can be deployed simultaneously to all branch FortiGates, ensuring consistent enforcement. Periodic reviews and monitoring dashboards help maintain policy consistency, track configuration changes, and detect anomalies. Centralized management reduces operational complexity, minimizes configuration errors, and improves network-wide security oversight.

Question 71:

A FortiGate 7.6 administrator wants to block all unencrypted HTTP traffic while allowing HTTPS traffic. Which configuration is correct?

A) Web Filtering → Enable HTTP-only blocking → Apply to firewall policies
B) SSL Inspection → Apply globally
C) Traffic Shaping → Limit HTTP traffic
D) Application Control → Block unknown HTTP clients

Answer: A) – Web Filtering → Enable HTTP-only blocking → Apply to firewall policies

Explanation

FortiGate 7.6’s Web Filtering can selectively block access to unencrypted HTTP websites while allowing HTTPS. This ensures that sensitive data is not transmitted over unencrypted channels, mitigating the risk of interception or tampering.

Option B (SSL Inspection) decrypts HTTPS traffic but does not block HTTP inherently. Option C (Traffic Shaping) controls bandwidth but cannot block traffic by protocol. Option D (Application Control) identifies applications but cannot enforce HTTP-only restrictions.

Implementation involves creating a Web Filtering profile, enabling the HTTP-only blocking option, and applying it to firewall policies governing user traffic. For example, users attempting to access a plain HTTP site will be blocked, while encrypted HTTPS access continues uninterrupted. Logging provides administrators with visibility into blocked attempts, helping refine security policies. Periodic review ensures the list of blocked HTTP sites aligns with organizational compliance requirements. This approach enforces secure browsing practices and reduces the risk of data leaks or injection attacks over insecure channels.

Question 72:

You want FortiGate 7.6 to detect and prevent users from uploading confidential files to cloud storage while still allowing normal web browsing. Which configuration is correct?

A) DLP Profile → Apply to firewall policies → Inspect outbound traffic for sensitive data patterns
B) Web Filtering → Block all cloud storage
C) SSL Inspection → Enable globally
D) Traffic Shaping → Limit upload speed

Answer: A) – DLP Profile → Apply to firewall policies → Inspect outbound traffic for sensitive data patterns

Explanation

Data Loss Prevention (DLP) in FortiGate 7.6 scans outbound traffic for sensitive content, such as financial data, personal information, or intellectual property. By applying DLP profiles to firewall policies, administrators can block or log unauthorized attempts to upload confidential data to cloud storage, email, or web applications.

Option B (Web Filtering) can block access but cannot inspect file contents. Option C (SSL Inspection) decrypts traffic but cannot prevent data leakage without DLP rules. Option D (Traffic Shaping) controls bandwidth but does not enforce security policies.

Implementation involves creating a DLP profile with patterns or predefined data types, applying it to outbound policies, and enabling logging. For example, if an employee tries to upload a document containing customer credit card information, the transfer is blocked and an alert is logged. Regular updates to DLP patterns ensure ongoing protection against new data types. This configuration enforces corporate security policies, reduces regulatory risks, and prevents accidental or malicious data exfiltration while maintaining normal web access.
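
Questions 63 and 72 both describe pattern-based inspection of outbound content. The following added example (not from the original page and not FortiGate's DLP engine) shows in Python why a regex alone is not enough for card numbers: candidates are confirmed with a Luhn checksum before the transfer is blocked, and matches are masked before logging. The function names, the sample payload and the block threshold are assumptions.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(payload: str):
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for match in CARD_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits so the log does not leak the data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_outbound(payload: str, threshold: int = 1):
    """Decide block/allow for one outbound body (already decrypted)."""
    hits = find_card_numbers(payload)
    action = "block" if len(hits) >= threshold else "allow"
    return {"action": action, "matches": [mask(h) for h in hits]}


# Constructed sample upload; the card numbers are well-known test values.
SAMPLE_UPLOAD = (
    "Customer export\n"
    "Order ref 1234567890123456 shipped\n"        # 16 digits, fails Luhn
    "Alice, card 4111 1111 1111 1111, renewed\n"  # passes Luhn
    "Bob, card 5500-0000-0000-0004, renewed\n"    # passes Luhn
)

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_UPLOAD))
    print(inspect_outbound("Invoice 1234567890123456 attached"))
```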

Question 73:

A FortiGate 7.6 administrator wants to analyze bandwidth usage per application and user to optimize network performance. Which feature should be used?

A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites

Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports

Explanation

FortiView provides real-time and historical analysis of traffic by application, user, IP, and interface. Administrators can identify top bandwidth-consuming applications and users, allowing informed decisions for traffic shaping, network optimization, and capacity planning.

Option B (Application Control) manages application access but does not provide usage metrics. Option C (SSL Inspection) inspects encrypted traffic but does not report bandwidth usage. Option D (Web Filtering) restricts site access but does not analyze traffic volume per application or user.

Implementation involves enabling logging for all firewall policies, accessing FortiView dashboards, and generating reports on application and user bandwidth. For example, streaming media may be identified as a high-bandwidth application during peak hours, allowing administrators to throttle non-critical traffic while prioritizing business-critical applications. FortiView also supports historical trend analysis for capacity planning. Periodic review helps maintain network efficiency, optimize resource allocation, and ensure QoS for critical applications. This proactive monitoring ensures high performance while preventing network congestion.

Question 74:

You want FortiGate 7.6 to prevent brute-force attacks on administrative accounts by locking accounts after multiple failed login attempts. Which configuration is correct?

A) Administrative Account Lockout → Configure threshold and lockout duration
B) Traffic Shaping → Apply per admin interface
C) SSL Inspection → Apply to admin traffic
D) IPS Sensor → Enable login brute-force detection

Answer: A) – Administrative Account Lockout → Configure threshold and lockout duration

Explanation

Administrative Account Lockout protects FortiGate devices from brute-force attacks by locking accounts after a configurable number of failed login attempts. The lockout duration can be defined to prevent unauthorized access while minimizing disruption to legitimate administrators.

Option B (Traffic Shaping) controls bandwidth but does not protect accounts. Option C (SSL Inspection) decrypts traffic but cannot enforce login security. Option D (IPS Sensor) detects network attacks but does not directly lock admin accounts.

Implementation involves setting thresholds (e.g., 5 failed attempts) and lockout duration (e.g., 15 minutes), enabling logging, and configuring alerts. For example, if an attacker tries multiple incorrect passwords, the account locks automatically and triggers an alert. Combining this with two-factor authentication strengthens security. Regular monitoring ensures lockout policies are effective without accidentally locking legitimate administrators. This configuration reduces the risk of credential compromise and protects the device management interface.

Question 75:

A FortiGate 7.6 administrator wants to allow SSL VPN users to access only specific internal servers based on group membership. Which configuration is correct?

A) SSL VPN → Configure user groups → Assign per portal and define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user

Answer: A) – SSL VPN → Configure user groups → Assign per portal and define restricted resources

Explanation

FortiGate 7.6 allows SSL VPN portals to restrict internal resources based on user group membership. By defining user groups and mapping them to specific SSL VPN portals, administrators can control which servers, subnets, or applications are accessible to remote users, reducing the attack surface and enforcing least-privilege access.

Option B (IPsec VPN) provides encrypted tunnels but lacks user-level resource restriction. Option C (Web Filtering) controls web access, not VPN resource access. Option D (Traffic Shaping) manages bandwidth, not access control.

Implementation involves creating user groups, assigning users, defining accessible resources per SSL VPN portal, and enabling endpoint compliance if necessary. For example, finance users are restricted to accounting servers, while HR users access only HR systems. Logs capture portal access activity for auditing and compliance. Regular review ensures user groups and portal assignments reflect organizational changes. This approach enhances security, provides controlled remote access, and reduces the risk of unauthorized data exposure.

Question 76:

You want FortiGate 7.6 to detect and block malware in encrypted HTTPS traffic but avoid inspecting critical SaaS applications. Which configuration is correct?

A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Application Control → Block SaaS applications
D) Traffic Shaping → Limit HTTPS traffic

Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS

Explanation

SSL Deep Inspection decrypts HTTPS traffic to allow malware scanning, IPS enforcement, and application control. Some SaaS applications use certificate pinning and fail if deep inspection is applied. FortiGate 7.6 allows bypass rules for these trusted SaaS applications, ensuring security without disrupting critical services.

Option B (SSL Certificate Inspection) validates certificates but does not scan encrypted content for threats. Option C (Application Control → Block SaaS applications) would block access rather than selectively inspect traffic. Option D (Traffic Shaping) controls bandwidth but does not scan for malware.

Implementation involves creating an SSL/SSH inspection profile, enabling malware scanning, IPS, and application control, and specifying exceptions for critical SaaS applications. For example, Office 365 traffic is bypassed to maintain functionality, while other encrypted traffic is inspected. Logging allows administrators to monitor both inspected and bypassed traffic. Periodic review ensures new SaaS apps are added to bypass rules as necessary. This configuration balances threat protection with operational continuity, maintaining security while avoiding application failures.

Question 77:

A FortiGate 7.6 administrator wants to prevent brute-force attacks on administrative accounts by locking accounts after multiple failed login attempts. Which configuration is correct?

A) Administrative Account Lockout → Configure threshold and lockout duration
B) Traffic Shaping → Apply per admin interface
C) SSL Inspection → Apply to admin traffic
D) IPS Sensor → Enable login brute-force detection

Answer: A) – Administrative Account Lockout → Configure threshold and lockout duration

Explanation

Administrative Account Lockout protects FortiGate devices against brute-force attacks by automatically locking accounts after a configurable number of failed login attempts. This prevents attackers from repeatedly guessing credentials.

Option B (Traffic Shaping) only manages bandwidth and cannot protect accounts. Option C (SSL Inspection) decrypts traffic but does not enforce login security. Option D (IPS Sensor) detects threats at the network level but does not lock admin accounts.

Implementation involves defining a threshold (e.g., 5 failed attempts), lockout duration (e.g., 15 minutes), and enabling logging. Alerts notify administrators of locked accounts. For example, an attacker attempting multiple password guesses on an admin account triggers a lockout, preventing unauthorized access. Combining lockout policies with two-factor authentication further enhances security. Regular monitoring ensures legitimate administrators are not unintentionally locked out while maintaining strong account protection. This feature reduces the risk of credential compromise and strengthens overall device security.
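
A minimal model of the lockout behaviour described in Questions 74 and 77, added here as an illustration (it is not from the original page and is not FortiGate's implementation). It replays constructed login log lines against the example values from the text, a threshold of 5 failed attempts and a 15-minute lockout; the log format, account names and outcome labels are assumptions.

```python
from datetime import datetime, timedelta


class AdminLockout:
    def __init__(self, threshold=5, duration=timedelta(minutes=15)):
        self.threshold = threshold
        self.duration = duration
        self.failures = {}      # account -> consecutive failed attempts
        self.locked_until = {}  # account -> time the lock expires

    def attempt(self, account, when, password_ok):
        until = self.locked_until.get(account)
        if until is not None:
            if when < until:
                # Even a correct password is refused while locked.
                return "rejected-locked"
            # Lock expired: start counting again from zero.
            del self.locked_until[account]
            self.failures[account] = 0
        if password_ok:
            self.failures[account] = 0
            return "success"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.threshold:
            self.locked_until[account] = when + self.duration
            return "locked"  # this is the event worth alerting on
        return "failed"


# Constructed log lines: "<ISO timestamp> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2025-01-06T02:00:00 user=admin result=fail
2025-01-06T02:00:05 user=admin result=fail
2025-01-06T02:00:10 user=admin result=fail
2025-01-06T02:00:15 user=admin result=fail
2025-01-06T02:00:20 user=admin result=fail
2025-01-06T02:00:25 user=admin result=ok
2025-01-06T02:10:00 user=admin result=fail
2025-01-06T02:15:30 user=admin result=ok
2025-01-06T09:00:00 user=jsmith result=fail
2025-01-06T09:00:10 user=jsmith result=fail
2025-01-06T09:00:30 user=jsmith result=ok
2025-01-06T09:05:00 user=jsmith result=fail
"""


def replay(log_text, policy=None):
    """Return [(timestamp, account, outcome)] for each log line."""
    if policy is None:
        policy = AdminLockout()
    outcomes = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user_kv, result_kv = line.split()
        account = user_kv.split("=", 1)[1]
        ok = result_kv.split("=", 1)[1] == "ok"
        outcomes.append((ts, account, policy.attempt(account, datetime.fromisoformat(ts), ok)))
    return outcomes


def lockout_alerts(outcomes):
    """Entries where an account transitioned into the locked state."""
    return [(ts, account) for ts, account, outcome in outcomes if outcome == "locked"]


if __name__ == "__main__":
    for row in replay(SAMPLE_LOG):
        print(*row)
    print("alerts:", lockout_alerts(replay(SAMPLE_LOG)))
```

The replay also shows the operational side the text mentions: the legitimate login at 02:00:25 is refused during the lock, while the second account's two typos never trigger one because the successful login resets its counter.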

Question 78:

You want FortiGate 7.6 to scan all email attachments for malware before reaching internal users. Which configuration is correct?

A) Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
B) IPS Sensor → Apply to email servers
C) Web Filtering → Block suspicious email domains
D) Application Control → Block email clients

Answer: A) – Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies

Explanation

FortiGate 7.6 allows administrators to scan email attachments for malware by applying Antivirus profiles to SMTP traffic. This ensures that malicious attachments are blocked before reaching end-users, protecting endpoints and internal systems.

Option B (IPS Sensor) detects exploits but cannot scan attachment content. Option C (Web Filtering) restricts websites but does not inspect emails. Option D (Application Control) blocks applications but cannot inspect file contents.

Implementation involves creating an antivirus profile with SMTP scanning enabled, applying it to inbound firewall policies, and enabling logging. For example, a Word document containing malware attached to an incoming email is blocked and logged. FortiGuard antivirus definitions must be regularly updated to ensure detection of new threats. Logs provide visibility into blocked emails, supporting security monitoring and compliance reporting. Combining antivirus scanning with SSL inspection (for encrypted SMTP) ensures all attachments are inspected. This configuration mitigates email-borne malware risks, protecting both users and network infrastructure.

Question 79:

A FortiGate 7.6 administrator wants to prioritize VoIP traffic across the WAN while limiting bandwidth for video streaming applications. Which configuration is correct?

A) Traffic Shaping Policy → Apply per application → Assign guaranteed bandwidth and priority
B) SD-WAN → Load balance all traffic equally
C) IPS Sensor → Enable for VoIP
D) SSL Inspection → Enable globally

Answer: A) – Traffic Shaping Policy → Apply per application → Assign guaranteed bandwidth and priority

Explanation

FortiGate 7.6 Traffic Shaping allows administrators to assign priority and guaranteed bandwidth to critical applications like VoIP. This ensures low latency, minimal jitter, and high call quality, while non-critical traffic, such as video streaming, can be limited or throttled.

Option B (SD-WAN load balancing) optimizes link selection but does not prioritize traffic within a link. Option C (IPS Sensor) detects threats but does not manage bandwidth. Option D (SSL Inspection) decrypts traffic but does not influence performance.

Implementation involves creating traffic shaping policies targeting VoIP ports or application signatures, assigning guaranteed bandwidth and priority, and applying throttling rules for video streaming. For example, RTP and SIP traffic is given high priority, ensuring consistent call quality during peak hours. FortiView monitoring confirms bandwidth usage and performance metrics. Periodic review ensures policies remain effective as application usage changes. This approach maintains high-quality voice communication, optimizes WAN usage, and ensures business-critical applications perform reliably.

Question 80:

You want FortiGate 7.6 to automatically update IPS, antivirus, and application control signatures for all devices without manual intervention. Which configuration is correct?

A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually

Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles

Explanation

FortiGuard Security Services in FortiGate 7.6 provides real-time updates for IPS, antivirus, and application control signatures. Enabling automatic updates ensures that all devices receive the latest threat definitions without manual intervention, maintaining consistent protection against evolving malware and vulnerabilities.

Option B (SSL Inspection) decrypts traffic but does not update signatures. Option C (Traffic Shaping) controls bandwidth but does not provide threat updates. Option D (Application Control → Manual updates) requires administrative effort and risks outdated protection.

Implementation involves subscribing to FortiGuard services, enabling automatic updates for all security profiles, and monitoring logs for update success. For example, new malware definitions are automatically distributed to all devices daily, ensuring timely protection. Regular monitoring confirms updates are applied across all devices. This configuration reduces administrative workload, strengthens security posture, and ensures continuous defense against emerging threats. Automated updates are critical for maintaining high network security and minimizing exposure to new vulnerabilities.
