Fortinet FCP_FGT_AD-7.6 FCP – FortiGate 7.6 Administrator Exam Dumps and Practice Test Questions Set 9 Q161-180

Question 161:

A FortiGate 7.6 administrator wants to allow remote SSL VPN access only from devices that meet corporate compliance standards. Which configuration should be used?

A) SSL VPN → Enable device certificate authentication → Apply per user group
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all external devices
D) Traffic Shaping → Limit SSL VPN bandwidth

Answer: A) – SSL VPN → Enable device certificate authentication → Apply per user group

Explanation

Enforcing endpoint compliance is critical to ensuring that only trusted corporate devices can access internal resources. Device certificate authentication verifies that SSL VPN clients hold a valid corporate-issued certificate before granting access. This reduces the risk of unauthorized access, even if credentials are compromised.

Option A: By enabling device certificate authentication, administrators can enforce granular access control per user group, ensuring only authorized groups on compliant devices can connect. Certificates can be tied to endpoint posture checks, verifying OS version, patch level, antivirus status, and other compliance parameters. This approach is central to a Zero Trust model, ensuring that even if credentials are stolen, unauthorized endpoints cannot connect. FortiView logging provides detailed reports on successful and failed authentication attempts, supporting compliance audits and incident investigations. For example, an employee’s corporate laptop can access HR servers, whereas a personal laptop without the corporate certificate is denied, even if the correct username and password are provided.

Option B: IPsec VPN provides encrypted connectivity but cannot enforce endpoint compliance. Any device with credentials can connect, which introduces potential security risks if personal or compromised devices attempt access. While IPsec ensures traffic confidentiality, it lacks fine-grained control based on device posture.

Option C: Web Filtering blocks web access but cannot enforce VPN access. Blocking external devices at the URL level does not prevent VPN connections from non-compliant devices and does not provide authentication or posture verification.

Option D: Traffic Shaping controls bandwidth allocation but does not provide access control. Limiting SSL VPN bandwidth may manage performance, but it does nothing to ensure only compliant devices connect.

Implementation: Administrators issue certificates to corporate-managed devices, configure SSL VPN portals with device certificate authentication, assign user groups to portals, and monitor authentication logs. Regular reviews of endpoint certificates and group assignments ensure ongoing compliance and security. This approach combines device-level verification, group-based access, and detailed auditing to maintain secure and controlled remote access while minimizing operational disruption.

Question 162:

A FortiGate 7.6 administrator wants to scan incoming email attachments for malware. Which configuration should be used?

A) Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
B) IPS Sensor → Apply to email servers
C) Web Filtering → Block suspicious domains
D) Application Control → Block email clients

Answer: A) – Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies

Explanation

Email is a major malware vector. Attachments often carry ransomware, macros, and malicious scripts. SMTP scanning allows FortiGate to inspect incoming messages before delivery to users.

Option A: Enabling SMTP scanning ensures real-time detection and blocking of infected attachments. FortiGuard antivirus signatures provide continuously updated threat intelligence. Integration with sandboxing allows suspicious attachments to be executed in a secure environment, detecting previously unknown malware. Applying the antivirus profile to inbound firewall policies ensures that all email traffic entering the network is scanned. Logs provide visibility into detected threats, blocked messages, and policy compliance, which is critical for security audits. For example, a finance department receives a Word document with embedded ransomware; the FortiGate device scans, identifies the threat, blocks the message, and alerts administrators.

Option B: IPS sensors detect network exploits but do not inspect email content or attachments, making them insufficient to prevent email-borne malware. IPS is valuable for blocking threats targeting server vulnerabilities, but it cannot analyze SMTP payloads.

Option C: Web Filtering blocks access to malicious websites but does not scan email attachments. While it reduces risk from phishing links, it does not mitigate attachment-borne malware, which remains a primary infection vector.

Option D: Blocking email clients prevents users from accessing email, but is impractical and disruptive. It also does not scan attachments for malware.

Implementation: Administrators configure antivirus profiles with SMTP scanning, apply them to inbound policies, ensure FortiGuard updates are active, enable sandboxing for unknown files, and monitor logs and alerts. Periodic review of blocked attachments allows tuning for false positives. This configuration prevents malware from reaching end-users, protects the network, and ensures compliance with security standards.

Question 163:

A FortiGate 7.6 administrator wants to block unauthorized applications while allowing business-critical apps. Which configuration should be used?

A) Application Control → Block unknown or risky applications → Allow whitelisted apps
B) Web Filtering → Block non-business websites
C) SSL Deep Inspection → Enable globally
D) IPS Sensor → Enable for traffic inspection

Answer: A) – Application Control → Block unknown or risky applications → Allow whitelisted apps

Explanation

Application Control provides granular traffic management, controlling which applications can run in the network while maintaining functionality for critical business apps.

Option A: Administrators can classify applications into risky categories such as peer-to-peer sharing, gaming, or unapproved collaboration tools, and explicitly whitelist essential applications like Teams, ERP systems, or email clients. FortiView dashboards provide visibility into blocked and allowed application traffic, enabling administrators to refine policies. FortiGuard updates ensure accurate classification of new applications. For example, blocking an unauthorized file-sharing app prevents potential data exfiltration while allowing Teams to operate normally for collaboration.

Option B: Web Filtering restricts website access but cannot enforce application-specific rules. Users could still run unapproved desktop applications or mobile apps that bypass URL-based controls.

Option C: SSL Deep Inspection decrypts encrypted traffic for content inspection but does not inherently control which applications can run. While important for security, SSL inspection alone cannot prevent unauthorized application execution.

Option D: IPS sensors detect network exploits but cannot block application usage. IPS mitigates attacks but does not enforce business policies on application access.

Implementation: Create Application Control profiles, block risky categories, whitelist approved apps, and apply profiles to relevant firewall policies. Use FortiView to monitor usage, refine rules, and ensure continuous protection. Regular review ensures policies adapt to evolving business needs. This configuration balances security with operational continuity, preventing unauthorized application usage while supporting critical workflows.

Question 164:

A FortiGate 7.6 administrator wants to prioritize critical business applications over non-essential traffic. Which configuration should be used?

A) Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps
B) SD-WAN → Load balance traffic
C) SSL Inspection → Enable globally
D) IPS Sensor → Enable for large file transfers

Answer: A) – Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps

Explanation

Traffic Shaping provides Quality of Service (QoS) capabilities to optimize network performance, ensuring that business-critical applications receive sufficient bandwidth even during congestion.

Option A: Administrators classify traffic by application, define priority queues, and allocate guaranteed bandwidth to essential applications like ERP, VoIP, and email while limiting bandwidth for non-critical applications such as streaming or file sharing. FortiView dashboards enable real-time monitoring of traffic utilization and policy effectiveness. For example, during peak hours, VoIP and ERP traffic are prioritized, preventing call drops and ensuring timely transaction processing, while bandwidth-intensive streaming is throttled.

Option B: SD-WAN balances traffic across multiple WAN links but does not provide application-level prioritization. While it improves link utilization and redundancy, it cannot ensure critical apps maintain performance under congestion.

Option C: SSL Inspection decrypts traffic for inspection but does not allocate or prioritize bandwidth. It complements security but does not solve performance management.

Option D: IPS sensors detect attacks but do not manage bandwidth allocation. Enabling IPS for large file transfers does not guarantee critical app performance and may introduce latency.

Implementation: Configure traffic shaping policies, classify applications into critical and non-critical categories, apply shaping per firewall policy or interface, and monitor via FortiView. Adjust policies as business priorities evolve. This approach ensures predictable network performance, guarantees QoS for critical apps, and minimizes impact from non-essential traffic.

Question 165:

A FortiGate 7.6 administrator wants to restrict SSL VPN users to specific internal servers based on group membership. Which configuration should be used?

A) SSL VPN → Configure user groups → Assign per portal → Define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user

Answer: A) – SSL VPN → Configure user groups → Assign per portal → Define restricted resources

Explanation

SSL VPN portals enable role-based access control, restricting users to authorized resources and enforcing least privilege principles.

Option A: Administrators configure user groups, assign portals, and define allowed internal resources per group. Attempts to access unauthorized servers are blocked. FortiView dashboards and logs provide audit trails for access events. Endpoint compliance checks further ensure only trusted devices connect. For example, HR staff can access HR servers but cannot reach finance or development servers. This minimizes lateral movement risks in case of credential compromise.

Option B: IPsec VPN provides encrypted connectivity but does not provide per-user resource restrictions. Any user with credentials may access all internal network resources.

Option C: Web Filtering restricts web access but cannot control server-level access for VPN users. It is insufficient for granular access control.

Option D: Traffic Shaping controls bandwidth but does not restrict access to specific resources. Limiting traffic does not prevent unauthorized access.

Implementation: Configure SSL VPN portals, define user groups, assign allowed resources, enforce endpoint compliance, and monitor access logs. Regularly review group assignments to ensure alignment with organizational roles. This configuration ensures secure, role-based remote access while preventing unauthorized resource exposure.

Question 166:

A FortiGate 7.6 administrator wants to scan outbound web traffic for malware without disrupting trusted cloud applications. Which configuration should be used?

A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Limit HTTPS traffic
D) IPS Sensor → Enable SSL

Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS

Explanation

Outbound web traffic often carries malware or data exfiltration attempts. SSL Deep Inspection decrypts encrypted traffic (HTTPS), allowing antivirus, IPS, and application control to scan for threats. Without decryption, malware can evade detection.

Option A: By enabling deep inspection and scanning, administrators can detect threats in encrypted traffic. Bypass rules for trusted SaaS (e.g., Office 365, Salesforce) prevent functionality disruptions because these applications use certificate pinning, which can fail if traffic is intercepted. Administrators can define policies per interface, user group, or zone. FortiView provides logs and visibility into decrypted traffic, blocked threats, and bypassed sessions. For example, a user attempting to upload a malicious file to a non-approved cloud storage service is blocked, while uploads to Office 365 proceed without interruption.

Option B: SSL Certificate Inspection validates certificates but does not scan content, so malware may pass undetected.

Option C: Traffic Shaping controls bandwidth but does not inspect encrypted traffic for threats. Limiting HTTPS traffic alone does not improve security.

Option D: IPS sensors detect exploits but cannot inspect encrypted traffic without decryption. SSL-enabled IPS is insufficient alone for outbound malware inspection.

Implementation: Create SSL/SSH inspection profiles, enable deep inspection, configure SaaS bypass rules, and monitor logs. Periodically update policies to include new trusted SaaS applications. This balances security with operational continuity, ensuring malware scanning without disrupting business-critical cloud services.

Question 167:

A FortiGate 7.6 administrator wants to enforce MFA for users accessing cloud applications from outside the corporate network, while allowing seamless access from trusted internal devices. Which configuration should be used?

A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts

Answer: A) – Conditional Access → Require MFA for external access → Apply per user group

Explanation

Conditional Access allows administrators to enforce adaptive authentication based on location, user risk, and device compliance. MFA is required for external users, reducing the risk of credential theft, while internal trusted devices are allowed seamless access.

Option A: Administrators define user groups, trusted locations, and MFA policies. This approach minimizes user friction while maximizing security. Logs provide detailed audit trails. For example, a finance employee connecting from home is prompted for MFA, whereas the same employee using a corporate laptop in the office accesses applications without additional verification.

Option B: Security Defaults enforce MFA globally, which may disrupt internal users unnecessarily and is not location-aware.

Option C: Pass-through Authentication validates credentials but cannot enforce conditional MFA based on location or risk.

Option D: Azure AD B2B Collaboration manages guest accounts and does not enforce internal MFA policies.

Implementation: Create Conditional Access policies targeting external access, enforce MFA, monitor logs, and audit compliance. This approach protects cloud applications while maintaining productivity for internal users.

Question 168:

A FortiGate 7.6 administrator wants to prevent internal devices from joining botnets. Which configuration should be used?

A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Web Filtering → Block all external URLs
C) Traffic Shaping → Limit bandwidth for unknown applications
D) Application Control → Block email clients

Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies

Explanation

Botnets rely on communication with Command & Control (C&C) servers. Enabling IPS sensors with botnet signatures blocks this traffic, preventing devices from participating in malicious campaigns.

Option A: IPS with botnet signatures protects endpoints and the network by identifying and blocking connections to known C&C servers. Logs provide alerts for infected devices, enabling remediation. SSL inspection ensures detection even for encrypted communications. For example, if a workstation attempts to connect to a botnet C&C server over HTTPS, the IPS sensor blocks the connection and generates a log entry.

Option B: Web Filtering blocks malicious websites but cannot detect botnet traffic over non-web protocols or encrypted channels.

Option C: Traffic Shaping manages bandwidth but does not prevent botnet communications.

Option D: Application Control blocks applications but cannot reliably prevent botnet activity that communicates over standard protocols.

Implementation: Apply IPS sensors with botnet signatures to firewall policies, integrate SSL inspection, monitor logs for infections, and remediate compromised devices. This approach reduces internal risk and prevents participation in external botnet campaigns.

Question 169:

A FortiGate 7.6 administrator wants to ensure antivirus, IPS, and application control signatures are always up-to-date. Which configuration should be used?

A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually

Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles

Explanation

Up-to-date security signatures are critical for protecting against new malware and exploits. FortiGuard provides continuous updates for antivirus, IPS, and application control.

Option A: Automatic updates reduce administrative overhead and maintain consistent protection. Logs track updates and confirm deployment. For example, newly discovered ransomware signatures are applied immediately, preventing compromise. Continuous updates also support compliance with security standards.

Option B: SSL Inspection decrypts traffic but does not manage signature updates.

Option C: Traffic Shaping manages bandwidth but does not update security signatures.

Option D: Manual updates are prone to errors and delays, leaving devices vulnerable.

Implementation: Enable FortiGuard automatic updates for all profiles, configure logging and monitoring, and periodically verify deployment. This ensures continuous protection against evolving threats and minimizes administrative burden.

Question 170:

A FortiGate 7.6 administrator wants to monitor per-user and per-application bandwidth for optimization. Which configuration should be used?

A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites

Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports

Explanation

Monitoring traffic provides insight into bandwidth usage and application behavior. FortiView allows administrators to generate real-time and historical reports for users, applications, and IP addresses.

Option A: Reports help identify high-bandwidth users, detect anomalies, and inform traffic shaping or QoS policies. Historical reports aid capacity planning, and real-time dashboards enable immediate action during congestion. Integration with SSL inspection ensures encrypted traffic visibility. For example, excessive video streaming can be throttled, while critical ERP and VoIP traffic maintain performance.

Option B: Application Control blocks apps but does not provide usage analytics or bandwidth reports.

Option C: SSL Inspection decrypts traffic but does not report on per-user or per-application bandwidth.

Option D: Web Filtering blocks non-business sites but does not provide detailed usage monitoring.

Implementation: Enable logging, configure FortiView dashboards, generate reports, and adjust shaping or prioritization policies based on insights. Continuous monitoring ensures optimal network performance and QoS for business-critical applications.

Question 171:

A FortiGate 7.6 administrator wants to allow SSL VPN access only from devices that meet corporate compliance standards. Which configuration should be used?

A) SSL VPN → Enable device certificate authentication → Apply per user group
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all external devices
D) Traffic Shaping → Limit SSL VPN bandwidth

Answer: A) – SSL VPN → Enable device certificate authentication → Apply per user group

Explanation

Secure remote access is critical for protecting corporate networks, particularly when employees connect from outside the office. Enforcing endpoint compliance ensures that only trusted corporate devices can establish an SSL VPN connection.

Option A: By enabling device certificate authentication, FortiGate verifies that connecting devices hold a valid corporate certificate. These certificates can be tied to compliance checks, verifying the device’s OS version, patch level, antivirus status, and other endpoint security measures. Access can also be applied per user group, allowing granular control over which devices can access specific resources. FortiView provides logs of both successful and failed authentication attempts, supporting auditing, compliance, and incident response. For example, an employee using a managed corporate laptop can access HR servers, while a personal laptop without a certificate is denied, even if the correct credentials are entered. This approach aligns with Zero Trust principles, where device verification complements user authentication.

Option B: IPsec VPN provides encrypted tunnels but does not enforce device compliance. Any device with the correct credentials could connect, which increases risk. While encryption protects data in transit, it does not restrict unauthorized devices from connecting.

Option C: Web Filtering controls access to websites but cannot enforce SSL VPN access. Blocking external devices at the URL level does not prevent them from initiating VPN sessions, leaving the network vulnerable.

Option D: Traffic Shaping controls bandwidth but does not enforce access based on device trust. Limiting SSL VPN bandwidth may manage performance, but does not prevent unauthorized devices from connecting.

Implementation: Administrators issue device certificates to corporate-managed endpoints, configure SSL VPN portals with certificate-based authentication, assign user groups to specific portals, and monitor authentication logs. Regular review of certificates and group assignments ensures ongoing compliance and security. This configuration ensures secure, controlled remote access while maintaining operational efficiency.

Question 172:

A FortiGate 7.6 administrator wants to scan inbound email attachments for malware. Which configuration should be used?

A) Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
B) IPS Sensor → Apply to email servers
C) Web Filtering → Block suspicious domains
D) Application Control → Block email clients

Answer: A) – Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies

Explanation

Email is one of the most common vectors for malware, including ransomware, phishing attachments, and malicious macros. Scanning SMTP traffic ensures that malware is intercepted before reaching users’ mailboxes.

Option A: Enabling SMTP scanning in an antivirus profile allows FortiGate to inspect incoming emails and attachments for malware in real-time. FortiGuard antivirus signatures are updated continuously to detect emerging threats. Administrators can also integrate sandboxing for unknown attachments to detect zero-day malware. Applying this profile to inbound firewall policies ensures all inbound email is scanned. Logs and alerts provide detailed information about blocked threats, supporting incident response and compliance auditing. For example, a finance employee receives a Word document with a macro virus; SMTP scanning detects and blocks it, preventing compromise.

Option B: IPS sensors detect network exploits but do not inspect email attachments, leaving users exposed to malware delivered via SMTP.

Option C: Web Filtering blocks access to malicious websites but does not examine attachments, so email-borne malware can bypass it.

Option D: Blocking email clients is impractical and disruptive, preventing legitimate email access and failing to scan attachments.

Implementation: Configure antivirus profiles with SMTP scanning, apply them to inbound firewall policies, maintain FortiGuard updates, enable sandboxing for unknown files, and monitor logs and alerts. Periodic review ensures detection efficacy and minimizes false positives. This approach protects the organization from email-borne threats while maintaining usability.

Question 173:

A FortiGate 7.6 administrator wants to block unauthorized applications while allowing business-critical apps. Which configuration should be used?

A) Application Control → Block unknown or risky applications → Allow whitelisted apps
B) Web Filtering → Block non-business websites
C) SSL Deep Inspection → Enable globally
D) IPS Sensor → Enable for traffic inspection

Answer: A) – Application Control → Block unknown or risky applications → Allow whitelisted apps

Explanation

Controlling application usage ensures productivity and security. Application Control identifies, categorizes, and manages traffic from known and unknown applications.

Option A: Administrators can define risky application categories, such as peer-to-peer file sharing, gaming, or unapproved collaboration tools. Essential business applications, like ERP, Microsoft Teams, or corporate email, can be whitelisted. FortiView dashboards display both blocked and allowed traffic, providing insights into user activity and policy effectiveness. FortiGuard updates ensure accurate application classification. For example, unauthorized file-sharing software is blocked, preventing data leakage, while Teams operates without disruption.

Option B: Web Filtering restricts website access but cannot block desktop or mobile applications, so users could bypass restrictions through non-browser apps.

Option C: SSL Deep Inspection decrypts encrypted traffic for scanning but does not control application execution. While it improves visibility, it cannot enforce access restrictions by itself.

Option D: IPS sensors detect exploits but cannot prevent the use of unauthorized applications, making it unsuitable for enforcing application usage policies.

Implementation: Create Application Control profiles, block risky categories, whitelist approved apps, and apply profiles to firewall policies. Monitor FortiView dashboards, refine rules, and ensure policies adapt to organizational changes. This method balances security enforcement with operational continuity.

Question 174:

A FortiGate 7.6 administrator wants to prioritize critical business applications over non-essential traffic. Which configuration should be used?

A) Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps
B) SD-WAN → Load balance traffic
C) SSL Inspection → Enable globally
D) IPS Sensor → Enable for large file transfers

Answer: A) – Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps

Explanation

Traffic Shaping, or QoS, ensures that high-priority applications maintain performance even during congestion.

Option A: Administrators classify traffic into critical and non-critical categories. Critical apps, like ERP, VoIP, and email, are allocated guaranteed bandwidth, while non-essential apps, such as streaming or large downloads, are throttled. FortiView dashboards allow monitoring of traffic utilization and policy effectiveness. For example, during peak hours, VoIP calls maintain quality while streaming traffic is limited. Policies can be adjusted dynamically to reflect business priorities.

Option B: SD-WAN optimizes multiple WAN links but does not prioritize individual applications, so critical apps may still experience congestion.

Option C: SSL Inspection decrypts traffic for scanning but does not manage bandwidth allocation.

Option D: IPS sensors detect attacks but do not enforce traffic prioritization, making them ineffective for QoS.

Implementation: Configure traffic shaping policies, classify applications, apply per firewall policy or interface, and monitor performance via FortiView. Adjust policies as business needs change to ensure reliable performance for critical applications while managing non-essential traffic effectively.

Question 175:

A FortiGate 7.6 administrator wants to restrict SSL VPN users to specific internal servers based on group membership. Which configuration should be used?

A) SSL VPN → Configure user groups → Assign per portal → Define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user

Answer: A) – SSL VPN → Configure user groups → Assign per portal → Define restricted resources

Explanation

Role-based access control (RBAC) ensures users can only access resources they are authorized for, reducing the risk of lateral movement or data leakage.

Option A: Administrators create SSL VPN portals, define allowed internal resources, and assign user groups. Users attempting to access unauthorized servers are blocked. FortiView dashboards provide audit trails, and endpoint compliance checks ensure only trusted devices connect. For example, HR staff can access HR servers but cannot reach finance servers, preventing accidental or malicious data exposure.

Option B: IPsec VPN provides encryption but does not support per-user resource restrictions, potentially allowing broad access to the internal network.

Option C: Web Filtering restricts web access but cannot enforce server-level resource access, making it insufficient for this requirement.

Option D: Traffic Shaping controls bandwidth but does not restrict access. Limiting traffic does not prevent unauthorized resource access.

Implementation: Configure SSL VPN portals, assign user groups, define allowed resources, enforce endpoint compliance, and monitor logs. Regularly review group assignments and portal configurations to align with organizational changes. This ensures secure, controlled remote access while maintaining operational efficiency.

Question 176:

A FortiGate 7.6 administrator wants to inspect encrypted outbound web traffic for malware but ensure that trusted cloud applications continue to function without interruption. Which configuration should be used?

A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Limit HTTPS traffic
D) IPS Sensor → Enable SSL

Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS

Explanation

Encrypted outbound web traffic can carry malware, ransomware, or data exfiltration attempts. SSL Deep Inspection decrypts HTTPS traffic, allowing security profiles like antivirus, IPS, and application control to inspect it for threats. Without decryption, malicious content in HTTPS streams could bypass detection.

Option A: Enabling SSL Deep Inspection and scanning allows FortiGate to analyze content thoroughly. Trusted cloud applications (e.g., Office 365, Salesforce, Google Workspace) often use certificate pinning. If deep inspection intercepts traffic without exceptions, these applications may fail. Configuring bypass rules for trusted SaaS ensures these applications function seamlessly while all other traffic is scanned. Administrators can target inspection policies per interface, zone, or user group. FortiView dashboards and logs provide visibility into decrypted sessions, detected threats, and bypassed traffic. For instance, if a user attempts to upload a malicious file to a non-approved cloud storage service, the system blocks the upload, while Office 365 operations continue normally.

Option B: SSL Certificate Inspection validates certificates but does not scan content, leaving malware undetected.

Option C: Traffic Shaping manages bandwidth but does not provide threat detection for encrypted traffic.

Option D: IPS sensors detect exploits but cannot inspect encrypted traffic unless it is decrypted. An SSL-enabled IPS alone is insufficient for malware scanning in HTTPS traffic.

Implementation: Configure SSL/SSH inspection profiles with deep inspection, enable scanning, define bypass rules for trusted SaaS, and monitor logs. Regularly update bypass rules to reflect newly adopted cloud services. This approach provides comprehensive malware protection without disrupting critical business workflows.

Question 177:

A FortiGate 7.6 administrator wants to enforce MFA for users accessing Microsoft 365 from outside the corporate network while allowing seamless access from corporate devices. Which configuration should be used?

A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts

Answer: A) – Conditional Access → Require MFA for external access → Apply per user group

Explanation

Conditional Access allows adaptive authentication based on factors such as network location, device compliance, and user risk. MFA for external users reduces the risk of compromised credentials while allowing trusted internal devices to access resources seamlessly.

Option A: Administrators can define policies per user group, enforce MFA for sign-ins from untrusted networks, and allow frictionless access from corporate-managed devices. FortiView and Azure AD logs provide auditing for compliance purposes. For example, a finance employee working remotely is prompted for MFA, while the same employee in the corporate office accesses Microsoft 365 without extra authentication.

Option B: Security Defaults enforce MFA globally, including for internal users, which may unnecessarily disrupt operations.

Option C: Pass-through Authentication validates credentials but cannot enforce conditional MFA based on location or device posture.

Option D: Azure AD B2B Collaboration manages guest accounts but does not control MFA enforcement for internal users.

Implementation: Create Conditional Access policies targeting external access, enforce MFA, monitor logs, and periodically review group membership and trusted locations. This ensures adaptive security without reducing user productivity.

Question 178:

A FortiGate 7.6 administrator wants to prevent internal devices from participating in botnets. Which configuration should be used?

A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Web Filtering → Block all external URLs
C) Traffic Shaping → Limit bandwidth for unknown applications
D) Application Control → Block email clients

Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies

Explanation

Botnets operate by instructing infected devices to communicate with external Command & Control (C&C) servers. Blocking these connections prevents internal devices from participating in attacks, data exfiltration, or distributed denial-of-service (DDoS) campaigns.

Option A: Enabling IPS sensors with botnet signatures identifies and blocks traffic to known C&C servers. FortiGuard updates provide continuously updated threat intelligence. Logs and alerts allow administrators to identify infected devices for remediation. SSL inspection ensures encrypted botnet traffic is detected. For example, a compromised workstation attempting to contact a botnet C&C server over HTTPS is blocked and logged, enabling rapid intervention.

Option B: Web Filtering blocks websites but cannot detect botnet activity over non-web protocols or encrypted channels.

Option C: Traffic Shaping manages bandwidth but does not prevent botnet communication.

Option D: Application Control blocks apps but cannot reliably prevent botnet activity that uses standard protocols or custom ports.

Implementation: Apply IPS sensors with botnet signatures, enable SSL inspection, monitor logs for anomalies, and remediate infected devices. This strategy protects the network and prevents internal devices from contributing to external attacks.
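The log review step described above for Question 178, as an added Python example (not part of the original page and not Fortinet code): it groups botnet C&C IPS events by internal source IP so infected hosts can be queued for remediation. The log lines are constructed, and the field names and values used (`eventtype="botnet"`, `action="dropped"` or `"detected"`) are assumptions modelled on FortiOS key=value logs; check them against your own log export.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiOS-style key=value form (not from a real device).
SAMPLE_LOGS = """\
date=2025-01-10 time=09:14:02 type="utm" subtype="ips" eventtype="botnet" srcip=10.0.5.23 dstip=203.0.113.50 dstport=443 action="dropped" attack="Example.Botnet" msg="Botnet C&C Communication."
date=2025-01-10 time=09:14:40 type="utm" subtype="ips" eventtype="botnet" srcip=10.0.5.23 dstip=203.0.113.50 dstport=443 action="dropped" attack="Example.Botnet" msg="Botnet C&C Communication."
date=2025-01-10 time=09:20:11 type="utm" subtype="ips" eventtype="botnet" srcip=10.0.7.80 dstip=198.51.100.9 dstport=8080 action="detected" attack="Example.Botnet" msg="Botnet C&C Communication."
date=2025-01-10 time=09:21:00 type="utm" subtype="ips" eventtype="signature" srcip=10.0.9.4 dstip=192.0.2.10 dstport=80 action="dropped" attack="Example.Exploit" msg="ips signature"
date=2025-01-10 time=09:22:30 type="traffic" subtype="forward" srcip=10.0.5.23 dstip=192.0.2.44 dstport=443 action="accept"
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in FIELD.findall(line)}

def botnet_hosts(log_text):
    """Group botnet C&C events by internal source IP for remediation triage."""
    hosts = defaultdict(lambda: {"events": 0, "monitored_only": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "ips" or rec.get("eventtype") != "botnet":
            continue
        src = rec.get("srcip")
        if not src:
            continue
        h = hosts[src]
        h["events"] += 1
        h["destinations"].add((rec.get("dstip"), rec.get("dstport")))
        # Assumption: "detected" means the sensor logged the contact but did not block it.
        if rec.get("action") == "detected":
            h["monitored_only"] += 1
    return dict(hosts)

def triage_order(hosts):
    """Hosts whose C&C traffic was only monitored come first, then by event count."""
    return sorted(hosts, key=lambda ip: (-hosts[ip]["monitored_only"], -hosts[ip]["events"]))

if __name__ == "__main__":
    found = botnet_hosts(SAMPLE_LOGS)
    for ip in triage_order(found):
        print(ip, found[ip])
```

A host that shows up with `monitored_only` greater than zero points to a sensor or policy left in monitor mode, which is worth fixing alongside cleaning the endpoint.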

Question 179:

A FortiGate 7.6 administrator wants to ensure antivirus, IPS, and application control signatures are always up-to-date. Which configuration should be used?

A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually

Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles

Explanation

Security threats evolve rapidly, and signature updates are critical to maintain protection against malware, exploits, and risky applications.

Option A: Enabling FortiGuard automatic updates ensures all antivirus, IPS, and application control profiles receive timely updates. Logs confirm successful updates, reducing the risk of exposure to new threats. For instance, newly discovered ransomware or exploit signatures are applied automatically, protecting endpoints and networks. Automatic updates also support compliance with security frameworks such as ISO 27001 and NIST.

Option B: SSL Inspection decrypts traffic for scanning but does not manage signature updates.

Option C: Traffic Shaping controls bandwidth allocation and does not update security profiles.

Option D: Manual updates are error-prone and can leave devices vulnerable between updates.

Implementation: Enable FortiGuard automatic updates, configure logging and monitoring, and verify deployment via FortiView or centralized management. This ensures continuous protection against evolving threats while minimizing administrative overhead.

Question 180:

A FortiGate 7.6 administrator wants to monitor per-user and per-application bandwidth for optimization. Which configuration should be used?

A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites

Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports

Explanation

Monitoring traffic usage is essential for network optimization, capacity planning, and enforcing QoS policies.

Option A highlights the comprehensive analytics and monitoring capabilities provided by FortiView, a critical component of FortiGate for maintaining visibility and control over network traffic. FortiView provides both real-time and historical analytics across multiple dimensions, including applications, users, and IP addresses. This granular visibility allows administrators to gain a detailed understanding of how network resources are being utilized, identify trends, and detect anomalies that may indicate misconfigurations, inefficient usage, or potential security threats. For example, by analyzing historical reports, administrators can identify patterns such as peak periods of non-business traffic, recurring high-bandwidth usage by specific departments, or sustained downloads that could strain network capacity. This information supports capacity planning by helping IT teams anticipate infrastructure requirements, optimize bandwidth allocation, and prevent performance bottlenecks before they impact critical operations.

Real-time dashboards in FortiView provide administrators with the ability to respond immediately to network congestion or abnormal traffic patterns. For instance, if a user or group begins streaming excessive amounts of video content, administrators can detect this in real time and implement traffic shaping policies to throttle the non-essential traffic. At the same time, critical business applications such as Enterprise Resource Planning (ERP) systems or Voice over IP (VoIP) services can be prioritized to maintain optimal performance. This level of visibility and control ensures that essential workflows remain uninterrupted, even during periods of high network demand. Integration with SSL inspection enhances this capability by enabling the analysis of encrypted traffic. As much of modern network traffic is encrypted, SSL inspection ensures that FortiView can provide a complete picture of usage patterns and bandwidth consumption, even for HTTPS traffic, which would otherwise remain invisible. By combining traffic monitoring, application visibility, and SSL inspection, administrators can implement precise Quality of Service (QoS) and bandwidth management policies tailored to organizational priorities.

Option B, which involves Application Control, provides the ability to block or restrict applications on the network. This capability is useful for enforcing security policies, preventing the use of unauthorized or risky applications, and reducing the potential for data leaks. For example, administrators can block peer-to-peer file-sharing applications or unauthorized messaging tools that could introduce malware or consume excessive bandwidth. However, Application Control does not provide detailed bandwidth reporting or per-user and per-application traffic analytics. While it can prevent the usage of certain applications, it cannot quantify their impact on network resources or help in capacity planning, limiting its utility as a traffic management tool when compared to FortiView.

Option C focuses on SSL Inspection, which is crucial for decrypting encrypted traffic and analyzing its contents. SSL Inspection allows organizations to detect threats hidden within HTTPS traffic, including malware, command-and-control communications, and policy violations. While this capability is essential for security, SSL Inspection alone does not generate detailed analytics regarding per-user or per-application usage. It enables content inspection but lacks the reporting and monitoring features required to make informed decisions about traffic prioritization or bandwidth allocation. For organizations seeking both security and network optimization, SSL Inspection must be complemented by tools like FortiView to provide comprehensive visibility.

Option D involves Web Filtering, which blocks access to non-business or malicious websites. Web Filtering is effective in enforcing acceptable use policies, preventing access to phishing or malware-hosting sites, and reducing potential security risks. However, Web Filtering does not provide detailed traffic monitoring or insights into bandwidth usage. While it can prevent users from visiting certain categories of websites, it cannot quantify the amount of traffic generated by users or applications, nor can it detect anomalies or trends that may impact overall network performance. As such, Web Filtering is a policy enforcement tool rather than a comprehensive traffic management solution.
