Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 1 Q 1 -20
Question 1
A FortiGate administrator wants to ensure that all outbound traffic from internal networks is inspected with full SSL inspection, except traffic destined for a specific trusted partner domain that must not be decrypted. What is the correct way to configure this?
A) Create a full SSL inspection profile and exclude the trusted domain using the exemption feature
B) Create a certificate inspection profile and apply it only to sessions destined for the trusted domain
C) Disable SSL inspection globally and use a policy override for all other domains
D) Create an SSL inspection profile using TLS passthrough mode and apply it to all outbound traffic
Answer: A
Explanation
A) A full (deep) SSL inspection profile decrypts and re-encrypts TLS sessions so that antivirus, IPS, web filtering and application control can see the payload. The exemption list inside that same profile (entries of type address or FQDN, wildcard FQDN, or FortiGuard web category, plus the "reputable websites" option) tells the FortiGate which destinations to pass through without decryption. Traffic to the trusted partner domain therefore still matches the firewall policy and is logged, but its TLS session is not intercepted, while every other outbound session continues to receive full inspection. This is the mechanism designed for exactly this requirement: it keeps visibility for the security team without breaking the partner application, which is usually what certificate pinning, client-certificate authentication or a contractual privacy constraint would otherwise do.
B) Certificate inspection only examines the server certificate and the SNI; it never decrypts the session, so it cannot deliver full inspection of anything. The option also applies that profile only to sessions destined for the trusted domain and says nothing about the remaining outbound traffic, so it does not satisfy the requirement that all other traffic be fully inspected. Selecting a profile per destination would additionally mean splitting the outbound rule into separate policies, which is unnecessary when the exemption list handles the exception inside a single profile.
C) On a FortiGate, SSL inspection is not a global switch; it is an SSL/SSH inspection profile attached to each firewall policy. "Disabling it globally" means removing deep inspection from the policies that need it, which is the opposite of the requirement. A per-policy override cannot restore full inspection for traffic that no longer has a deep-inspection profile, encrypted threats pass uninspected, and the single exception for the partner domain could have been expressed far more simply in the exemption list.
D) This describes using TLS passthrough mode, which forwards encrypted traffic without any decryption. Applying passthrough mode to all outbound traffic would entirely defeat the requirement because no encrypted session would be inspected. TLS passthrough eliminates deep packet inspection capabilities, prevents detection of hidden threats, and removes visibility into encrypted flows. This method cannot satisfy the requirement to inspect outbound traffic.
The only configuration that meets the requirement to fully inspect all outbound encrypted traffic except for a trusted domain is the use of an SSL inspection profile with an exemption list. Therefore, the correct answer is A.
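The configuration described in answer A, written out as FortiOS CLI. This is an added example and not part of the exam page: the object names, interface names, the partner domain `*.partner.example.com` and the internal address object are assumptions chosen for illustration.

```fortios
# Added example (not from the exam page). Names, interfaces and the partner
# domain are assumptions; adjust them to the environment.

# 1. Wildcard FQDN object for the partner domain (matched on hostname, so it
#    survives the partner moving between CDN addresses)
config firewall wildcard-fqdn custom
    edit "partner-wildcard"
        set wildcard-fqdn "*.partner.example.com"
    next
end

# 2. Deep inspection profile with the partner exempted from decryption
config firewall ssl-ssh-profile
    edit "deep-inspection-partner-exempt"
        set comment "Full inspection; partner portal is exempted"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "partner-wildcard"
            next
        end
        # Log every exempted session so the exception can be audited
        set ssl-exempt-log enable
    next
end

# 3. The outbound policy carries the profile; without this the profile does
#    nothing. Proxy inspection mode gives the most complete decryption.
config firewall policy
    edit 10
        set name "lan-to-internet-inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "internal-net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection-partner-exempt"
        set av-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

After applying it, verify from a client that a site outside the exemption presents the FortiGate's CA-signed certificate while `https://portal.partner.example.com` still presents the partner's own certificate, and check the SSL exemption log entries to confirm only the intended hostnames are being bypassed.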
Question 2
A FortiGate administrator configures a security policy using application control. The policy should block high-risk applications but still allow business-critical traffic through. Which configuration approach ensures the most effective enforcement?
A) Create an application control profile with categories set to block high-risk applications and allow required business applications
B) Create a web filter profile and rely on URL categorization to block applications
C) Use DNS filtering to prevent application access
D) Disable deep inspection and rely on port-based filtering
Answer: A
Explanation
A) An application control profile (sensor) identifies applications by signature and behaviour rather than by port, so it can block a category such as Proxy or P2P while passing the business applications the organisation depends on. Entries in the profile are evaluated top down and the first match wins, so an explicit allow entry for the required business applications placed above the block entries guarantees they are never caught by a broader block. Two caveats matter in practice: for TLS traffic the sensor can only identify applications from the SNI and certificate unless the policy also uses deep SSL inspection, and the profile only takes effect once it is attached to the firewall policy with UTM enabled.
B) This describes relying on web filtering, which cannot reliably detect or control applications that do not depend exclusively on websites. Many applications communicate through APIs, use nonstandard ports, or rely on background services that do not map to URL categories. Web filtering is not capable of providing application-level precision.
C) This describes DNS filtering, which only affects domain resolutions. Applications using direct IP connections, encrypted DNS, cached results, or internal traffic patterns bypass DNS filtering entirely. DNS filtering cannot enforce high-risk application blocking because it lacks visibility into application behavior.
D) This describes using port-based filtering without deep inspection. Modern applications frequently evade port rules by using common ports such as TCP 443. Without deep inspection, the firewall cannot identify application signatures and therefore cannot block high-risk applications while permitting business-critical ones.
Only the method based on application control provides the necessary precision and reliability to meet the requirement. Therefore, the correct answer is A.
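The ordering point from answer A, shown as an application control profile in FortiOS CLI. This is an added example and not the exam page's configuration; the category numbers (15 for Business, 2 for P2P, 6 for Proxy) are assumptions taken from memory of the FortiGuard category list and should be verified against the category list in the GUI before use.

```fortios
# Added example (not from the exam page). Category IDs are assumptions;
# confirm them under Security Profiles > Application Control before use.
config application list
    edit "block-high-risk"
        set comment "Allow business apps first, then block proxy and P2P"
        # Entries are evaluated top down and the first match wins, so the
        # allow for business applications must sit above the block entries.
        config entries
            edit 1
                # Category 15 = Business (assumed ID)
                set category 15
                set action pass
                set log enable
            next
            edit 2
                # Categories 2 = P2P, 6 = Proxy (assumed IDs)
                set category 2 6
                set action block
                set log enable
            next
        end
        # Everything that matched no entry above
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action pass
        set unknown-application-log enable
    next
end
```

Attach the profile to the outbound policy with `set application-list "block-high-risk"` and `set utm-status enable`; to identify applications inside TLS beyond what the SNI reveals, the same policy needs a deep-inspection SSL/SSH profile.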
Question 3
A FortiGate administrator wants to use security fabric automation to automatically quarantine compromised endpoints when an IPS signature is triggered. What must be configured to achieve this?
A) Configure an automation stitch to execute quarantine actions when a security event occurs
B) Configure a static firewall address group and add the compromised hosts manually
C) Enable NAT on the outbound interface
D) Configure a routing policy to isolate the affected subnet
Answer: A
Explanation
A) An automation stitch pairs a trigger (here an IPS event, selected by the trigger's log or event type and an optional severity filter) with one or more actions. The quarantine actions available to a stitch include quarantining the endpoint through FortiClient EMS, access-layer quarantine on a managed FortiSwitch or FortiAP port, and an IP ban on the FortiGate itself, so containment happens within seconds of the detection rather than after an analyst reads the alert. Automation stitches exist precisely for this kind of reactive response inside the Security Fabric, which matches the requirement for automatic, real-time isolation.
B) This describes manually adding compromised hosts into a static group, which does not meet the requirement because it is not automated. It relies on human intervention, potentially delaying containment and increasing exposure to threats. Static groups do not dynamically update based on events.
C) This describes enabling NAT, which is unrelated to endpoint quarantine. NAT deals with translation of addresses and cannot respond automatically to security events or enforce quarantine logic.
D) This describes routing-based isolation, which applies isolation at the subnet level and cannot target specific compromised devices automatically. It also does not respond dynamically to security events.
The only configuration that meets the requirement for automatic quarantine triggered by an IPS signature is the automation stitch. Therefore, A is correct.
Question 4
A FortiGate administrator wants to optimize WAN usage so that traffic from specific applications always uses the highest-performing WAN link. Which feature should be used?
A) SD-WAN rules using performance SLAs
B) Policy routes
C) Static routes with higher priority
D) Link load balancing using round-robin
Answer: A
Explanation
A) SD-WAN rules (services) steer traffic using a performance SLA, which is a health check that probes a target through every member link and measures latency, jitter and packet loss. A rule matched on the application (or its category, source or destination) in "Best Quality" mode sends the traffic over the member with the best value of the chosen link-cost factor, and "Lowest Cost (SLA)" mode uses the cheapest member that is still within the SLA thresholds. Either mode re-steers new sessions when a link degrades, which is what "always uses the highest-performing link" requires.
B) Policy routes do not evaluate real-time link performance; they forward matching traffic to a fixed interface regardless of its condition. A further practical point is that policy routes are evaluated before SD-WAN rules, so a leftover policy route for the same traffic silently overrides the SD-WAN rule. They cannot guarantee that an application always uses the best-performing link.
C) This describes static routing, which cannot make decisions based on performance metrics or per-application needs. Static priorities cannot react to changing conditions such as link degradation.
D) This describes round-robin balancing, which distributes traffic evenly across links without considering link quality. It cannot guarantee best-performance routing for specific applications.
The only method capable of dynamically selecting the best link for specific applications is SD-WAN rules using performance SLAs. Therefore, A is correct.
Question 5
A FortiGate administrator wants to restrict access to a sensitive internal server so only authenticated users in a specific group can reach it. What setup is required?
A) Configure identity-based policies with user group authentication
B) Configure a static NAT policy
C) Configure implicit deny rules
D) Configure a DHCP server on the internal interface
Answer: A
Explanation
A) This describes using identity-based policies requiring authentication before granting access to the sensitive server. A defined user group can be assigned to the policy so only authenticated group members may access the resource. This fulfills the requirement by enforcing identity verification and group-based access.
B) This describes NAT configuration, which handles address translation and does not authenticate users or enforce group restrictions. It cannot meet the requirement.
C) This describes implicit deny rules, which block non-matched traffic but cannot selectively grant access to authenticated user groups. They offer no authentication capability.
D) This describes DHCP configuration, which assigns IP addresses but has no relationship to access control or authentication.
The only method that enforces authentication and restricts access to a specific user group is the identity-based policy. Therefore, A is correct.
Question 6
A FortiGate administrator wants to ensure that traffic to an internal HR system is accessible only if users authenticate through a captive portal and that reauthentication is required every 8 hours. What is the correct configuration to achieve this?
A) Configure a firewall policy with captive portal authentication and set an authentication timeout of 8 hours
B) Configure a static route pointing to the HR system
C) Enable NAT and disable session TTL
D) Configure IPS signatures to trigger authentication for HR traffic
Answer: A
Explanation
A) A firewall policy that references a user group enforces authentication before traffic is allowed to pass: the first HTTP or HTTPS request from an unauthenticated host is redirected to the FortiGate's captive portal, and only members of the group are granted the policy after logging in. The authentication timeout is configured under user settings (or overridden per user group) in minutes, so eight hours is 480; setting the timeout type to a hard timeout forces a fresh login after that period even for a user who has been continuously active, whereas an idle timeout would only expire sessions that went quiet. Together, the policy-based captive portal provides the initial access restriction and the timeout provides the recurring reauthentication the requirement asks for.
B) This describes using a static route to the HR system. Routing defines the path traffic takes but does not influence authentication or user-based security controls. Configuring a route will not require authentication nor enforce any timeout. Routing decisions cannot perform user validation, session control, or identity tracking. Thus, using a route for access control is fundamentally misaligned with the requirement. It also fails to provide any timed reauthentication feature, making it ineffective for controlling privileged internal resource access.
C) This describes enabling NAT and disabling session TTL. NAT transforms addresses between networks but has no relationship to authentication requirements. Disabling or modifying session TTL changes session persistence characteristics but does not force users to authenticate nor reauthenticate. NAT does not control identity-based access, and session time values cannot enforce identity expiration. Therefore, this configuration does not achieve controlled access based on authentication or timed reauthentication requirements.
D) This describes using IPS signatures to trigger authentication. IPS signatures detect malicious or suspicious behavior and enforce security actions, but they do not trigger identity authentication mechanisms. Intrusion prevention systems are not built to require user authentication before traffic is allowed. They cannot enforce a captive portal, cannot assign time-based authentication controls, and cannot validate user identities. IPS is not a substitute for policy-based authentication requirements, nor can it enforce periodic reauthentication needed for HR system access.
The correct configuration is to use a captive portal within a firewall policy and define an authentication timeout. This provides both the controlled access and the periodic reauthentication required. Therefore, the correct answer is A.
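Answers A of Question 5 and Question 6 both come down to the same building blocks, so one added example covers both: an LDAP-backed user group, a group-restricted firewall policy that triggers the captive portal, and an 8-hour hard authentication timeout. This is not configuration from the exam page; the LDAP server, bind account, group DN, interfaces and address objects are assumptions.

```fortios
# Added example (not from the exam page). Server address, bind DN, group DN,
# interfaces and address objects are assumptions.

# 1. Global authentication timeout: 480 minutes = 8 hours. hard-timeout
#    forces a new login after 8 hours even if the user never went idle.
config user setting
    set auth-timeout 480
    set auth-timeout-type hard-timeout
end

# 2. Directory server used to validate credentials and group membership
config user ldap
    edit "corp-ldap"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=com"
        set password "replace-with-bind-password"
        set secure ldaps
        set port 636
    next
end

# 3. Firewall user group mapped to one directory group
config user group
    edit "hr-staff"
        set member "corp-ldap"
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=HR-Staff,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# 4. Identity-based policy: only authenticated members of hr-staff reach the
#    HR server. The "groups" setting is what turns on the captive portal.
config firewall policy
    edit 20
        set name "hr-staff-to-hr-app"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "internal-net"
        set dstaddr "hr-server"
        set groups "hr-staff"
        set service "HTTPS"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Two checks worth doing: `diagnose firewall auth list` shows who is currently authenticated and how much of the 480 minutes remains, and if a later policy without a group would also match the same traffic the FortiGate may fall through to it instead of prompting, which `set auth-on-demand always` under `config user setting` prevents.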
Question 7
A FortiGate administrator wants to enforce antivirus scanning on all inbound and outbound SMTP traffic. What must be configured to accomplish this?
A) Apply an antivirus profile to firewall policies handling SMTP traffic
B) Apply a DNS filter profile
C) Configure a static one-to-one NAT rule
D) Disable email filtering
Answer: A
Explanation
A) Antivirus scanning is enabled by attaching an antivirus profile to the firewall policies that carry the SMTP traffic, one policy for inbound mail to the internal mail server and one for outbound mail. With SMTP enabled in the profile, the engine reconstructs the message, decompresses archives and scans attachments and payload with signature and heuristic detection, and can block or tag the message. Two practical details: SMTPS (port 465 or STARTTLS on 587) is only visible to the scanner when the policy also uses a deep-inspection SSL/SSH profile, and proxy inspection mode gives the fuller set of SMTP actions, which is usually what a mail gateway policy wants. With that in place the requirement of scanning both directions of SMTP is met.
B) This describes using DNS filtering, which only filters domain resolutions and cannot inspect SMTP payloads or email attachments. DNS filtering helps block malicious domains but does not provide antivirus capabilities, especially for SMTP. It cannot scan attachments, detect malware inside emails, or analyze SMTP content. Therefore, it does not meet the requirement for antivirus scanning on email traffic.
C) This describes configuring static NAT. NAT handles translation between internal and external IP addresses but does not influence content inspection. NAT does not provide antivirus scanning capabilities nor control SMTP inspection. It affects routing and visibility but has no function related to email-based malware detection. Therefore, NAT configuration cannot meet the requirement.
D) This describes disabling email filtering, which contradicts the requirement. Email filtering assists with spam detection, MIME header checking, and other protections. Disabling it would weaken security and in no way helps achieve antivirus enforcement. It reduces email security rather than strengthening it.
To satisfy the requirement of scanning SMTP traffic with antivirus, an antivirus profile must be applied to policies handling SMTP flows. Therefore, the correct answer is A.
Question 8
A FortiGate administrator wants to ensure that remote users connecting via SSL VPN can only access specific internal subnets. What must be configured?
A) Configure SSL VPN portals with restricted routing and firewall policies permitting only the allowed subnets
B) Enable NAT on the SSL VPN interface
C) Adjust system DNS settings
D) Apply a certificate inspection profile
Answer: A
Explanation
A) The SSL VPN portal defines the tunnel IP pool and the split-tunnel routing address, which is the list of networks the client routes through the tunnel; the firewall policy from the SSL VPN interface (ssl.root) to the internal interface then defines which of those networks each user group may actually reach. The two layers serve different purposes: the split-tunnel routes shape what the client sends into the tunnel and reduce unnecessary backhaul, while the firewall policy with a specific destination address (never "all") is the enforcement point, because a user controls their own endpoint and could add routes locally. Limiting both, and mapping each user group to its own portal through an authentication rule, ensures remote users cannot reach internal networks they are not authorised for.
B) This describes enabling NAT on the SSL VPN interface, which does not restrict access to specific subnets. NAT changes addressing for sessions but does not filter or limit access based on internal destination networks. NAT provides no control over which subnets a VPN user can reach. Therefore, it cannot satisfy the requirement for restricting subnet access.
C) This describes adjusting system DNS settings. DNS settings affect domain resolution but do not limit access to internal subnets. Even if DNS were modified, users could still reach networks directly using IP addresses, making DNS irrelevant to access restrictions. It plays no role in limiting which internal networks VPN users may access.
D) This describes applying a certificate inspection profile, which inspects certificates in encrypted traffic but does not manage VPN access control. Certificate inspection does not determine which subnets a VPN user can access. It affects inspection behavior, not access permissions or routing.
To enforce subnet restrictions for SSL VPN users, the administrator must configure limited-access VPN portals and firewall policy controls. Therefore, A is correct.
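Answer A written out as FortiOS CLI, as an added example that is not part of the exam page: the tunnel pool, the internal subnet 10.10.20.0/24, the interfaces, the port and the user group are assumptions.

```fortios
# Added example (not from the exam page). Pool range, subnet, interfaces,
# port and group name are assumptions.

# Address objects: the tunnel client pool and the single permitted subnet
config firewall address
    edit "sslvpn-pool"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "app-subnet"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# Portal: tunnel mode only, split tunnel limited to app-subnet
config vpn ssl web portal
    edit "restricted-tunnel"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "sslvpn-pool"
        set split-tunneling enable
        set split-tunneling-routing-address "app-subnet"
    next
end

# Server settings: map the remote-users group to the restricted portal
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "sslvpn-pool"
    set port 10443
    set source-interface "wan1"
    set source-address "all"
    set default-portal "restricted-tunnel"
    config authentication-rule
        edit 1
            set groups "remote-users"
            set portal "restricted-tunnel"
        next
    end
end

# Enforcement: only app-subnet is reachable, and only for the group.
# Everything else from ssl.root hits the implicit deny.
config firewall policy
    edit 21
        set name "sslvpn-to-app-subnet"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "sslvpn-pool"
        set dstaddr "app-subnet"
        set groups "remote-users"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        set logtraffic all
    next
end
```

The policy is the control that matters: if a tester adds a static route on the client for another internal subnet, the packets still arrive on ssl.root and are dropped by the implicit deny because no policy permits that destination.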
Question 9
A FortiGate administrator wants to reduce false positives in IPS alerts while still maintaining strong threat detection. What configuration approach should be taken?
A) Tune IPS sensors by adjusting thresholds, disabling noisy signatures, and enabling only relevant attack patterns
B) Disable IPS completely
C) Enable SSL passthrough mode
D) Increase the TTL of all sessions
Answer: A
Explanation
A) Tuning the IPS sensor is the correct approach because it removes noise without removing protection. The concrete levers on a FortiGate are: restricting the sensor's filter entries to the operating systems, applications, targets (client or server) and severities that actually exist behind the policy; disabling or setting to monitor the specific signatures that keep firing on known-benign traffic; adding exempt IPs for legitimate scanners or monitoring hosts that trigger a signature by design; and using rate-based settings so a signature only acts once a threshold of hits from one source within a window is reached. A common rollout pattern is to start with a new entry in monitor mode, review the logs, then switch it to block. This keeps the detection relevant to the environment while cutting alert fatigue.
B) This describes disabling IPS, which eliminates both false positives and all protection. It exposes the environment to attacks, violates security requirements, and is not an acceptable approach. It completely contradicts the need to maintain strong threat detection.
C) This describes enabling SSL passthrough mode, which bypasses decryption and prevents deep inspection. Without decryption, IPS cannot analyze encrypted payloads properly. This increases blind spots and reduces threat detection capabilities. It does not reduce false positives intelligently and instead weakens overall protection.
D) This describes increasing session TTL, which affects how long sessions remain active but does not relate to IPS alert accuracy. Session TTL adjustments have no effect on IPS false positive rates. IPS tuning requires modifying IPS configurations, not session timers.
To reduce false positives while maintaining strong detection, the correct approach is tuning the IPS sensor through signature management and threshold adjustments. Therefore, A is correct.
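The tuning levers from answer A, combined into one IPS sensor in FortiOS CLI. This is an added example, not the exam page's configuration; `<noisy-signature-id>` and `<scanner-signature-id>` are placeholders for the numeric rule IDs taken from the FortiGate's own IPS log, the scanner address 10.0.5.20 is an assumption, and the sensor is written for Linux web servers in a DMZ purely for illustration.

```fortios
# Added example (not from the exam page). Signature IDs are placeholders to
# be replaced with values from the IPS log; the scanner IP is an assumption.
config ips sensor
    edit "dmz-linux-web-tuned"
        set comment "Tuned for Linux web servers in the DMZ"
        config entries
            # Specific entries first: the sensor evaluates entries in order
            # and a signature matched by an earlier entry is not re-evaluated.
            edit 1
                # Signature that fires on benign traffic here: turn it off
                set rule <noisy-signature-id>
                set status disable
            next
            edit 2
                # Signature the authorised vulnerability scanner triggers on
                # purpose: keep it, but exempt the scanner's address only
                set rule <scanner-signature-id>
                set status enable
                set action default
                config exempt-ip
                    edit 1
                        set src-ip 10.0.5.20 255.255.255.255
                        set dst-ip 0.0.0.0 0.0.0.0
                    next
                end
            next
            edit 3
                # Brute-force style signature: act only after 20 hits from
                # the same source within 60 seconds, then block for 5 minutes
                set rule <bruteforce-signature-id>
                set status enable
                set action block
                set rate-count 20
                set rate-duration 60
                set rate-mode continuous
                set rate-track src-ip
                set quarantine attacker
                set quarantine-expiry 5m
            next
            edit 4
                # Broad entry limited to what is actually behind the policy:
                # server-side Linux signatures of medium severity and above
                set location server
                set os Linux
                set severity medium high critical
                set status enable
                set action default
                set log enable
            next
        end
    next
end
```

Attach the sensor with `set ips-sensor "dmz-linux-web-tuned"` on the policy in front of the DMZ servers, and keep using the default sensor elsewhere; a sensor tuned for one server population will miss signatures that matter for another.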
Question 10
A FortiGate administrator wants to ensure that all traffic between two branch offices is encrypted using IPsec and that only specific applications are allowed across the tunnel. What configuration is required?
A) Configure an IPsec VPN and apply application control policies to the tunnel
B) Configure static routes with higher priority
C) Enable DNS filtering on the tunnel interface
D) Disable NAT on the external interface
Answer: A
Explanation
A) This describes configuring an IPsec VPN to encrypt all traffic between the branches and then applying application control to the firewall policy governing the tunnel. The IPsec VPN provides secure encrypted communication between the locations, while application control allows the administrator to restrict which applications may traverse the tunnel. This combination satisfies both encryption and selective access requirements. Administrators can define granular rules to allow only business-approved applications. This ensures the tunnel is both secure and tightly controlled.
B) This describes using static routes, which cannot provide encryption nor selective application filtering. Static routing only determines the next-hop path; it does not establish secure connections or filter application-level traffic. It cannot satisfy encryption or application restriction needs.
C) This describes enabling DNS filtering on the tunnel interface, which only filters DNS queries and cannot encrypt traffic or enforce application-based restrictions. DNS filtering does not govern general traffic across IPsec tunnels and cannot control application use.
D) This describes disabling NAT on the external interface, which does not secure tunnel traffic nor restrict applications. NAT settings do not influence encryption or application-level filtering for traffic flowing through an IPsec VPN.
The only configuration that provides both encryption and application restriction across the tunnel is an IPsec VPN with application control applied. Therefore, the correct answer is A.
Question 11
A FortiGate administrator wants to ensure that only traffic with verified source MAC addresses can access a sensitive network segment. The administrator intends to prevent spoofing attacks and ensure that hosts cannot impersonate others. What should be configured?
A) Enable MAC address filtering on the relevant firewall policy using device identification
B) Adjust TTL settings for incoming sessions
C) Configure a static route to the sensitive network
D) Enable NAT on the internal interface
Answer: A
Explanation
A) FortiOS supports MAC-based address objects (a single MAC or a MAC range) that can be used as the source address of a firewall policy, and device identification on the interface lets the FortiGate associate the observed MAC with a detected device type and hostname. A policy whose source is restricted to the approved MAC objects admits only frames from those hardware addresses onto the sensitive segment, and every other host falls through to the implicit deny, which is how the question's requirement of verified source MAC addresses is met. Two caveats are essential. First, the FortiGate only sees the real source MAC when the host is on the layer-2 segment directly attached to the policy's source interface; once traffic crosses a router the source MAC is the router's, so the control is meaningless for routed hosts. Second, a MAC address is a claim made by the sender and can itself be spoofed, so this is a defence-in-depth layer on top of IP-level controls and port security, not an authentication mechanism; where device trust must be strong, certificate-based 802.1X or FortiClient EMS tags are the appropriate controls.
B) The option refers to the session TTL, the firewall's session timeout that decides how long an idle session stays in the session table. Changing it has no effect on which devices may open a session: a spoofed host that is permitted by the policy gets exactly the same treatment as a legitimate one. Session timers are not layer-2 verification and cannot prevent impersonation, so adjusting TTL cannot restrict access to verified MAC addresses.
C) This describes configuring a static route to the sensitive network segment. A static route simply informs the firewall how to reach a particular destination, but it does not impose restrictions on which devices may access that destination. Routing operates at layer-3 and does not consider MAC address legitimacy or device identity. An attacker could easily spoof addresses and still traverse the route because the router or firewall is not validating the authenticity of the MAC. Static routing therefore provides no defense against impersonation or spoofing attacks where device-level verification is required. It has no connection to identity-based access restrictions and cannot be used to enforce a MAC validation policy.
D) This describes enabling NAT on the internal interface. NAT modifies IP addresses as traffic crosses an interface, but it does not verify device authenticity or MAC information. NAT obscures source addresses, making it harder—not easier—to associate specific devices with sessions. When NAT is applied inside sensitive segments, it further distances the firewall from the originating physical device. NAT fails to provide trust, validation, or assurance regarding hardware identity. It therefore does not fulfill the requirement of allowing access only to verified source MAC addresses. NAT affects traffic forwarding behavior but has no influence on preventing impersonation or MAC spoofing attacks.
MAC filtering with device identification is the only method that meets the requirement of restricting access to verified devices and preventing impersonation attacks. Therefore, the correct answer is A.
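The answer A configuration as FortiOS CLI, as an added example that is not part of the exam page. The two MAC addresses, the interface names and the destination object are assumptions; the hosts are assumed to be on the segment directly attached to the "internal" interface, which is the only case in which the FortiGate sees their real source MAC.

```fortios
# Added example (not from the exam page). MAC addresses, interfaces and the
# destination object are assumptions. Only valid for hosts directly attached
# to "internal": a routed hop replaces the source MAC with the router's.

# Device identification so the policy logs show device type and hostname
config system interface
    edit "internal"
        set device-identification enable
    next
end

# One MAC-type address object per approved workstation
config firewall address
    edit "finance-ws-01"
        set type mac
        set macaddr "00:11:22:33:44:55"
    next
    edit "finance-ws-02"
        set type mac
        set macaddr "00:11:22:33:44:66"
    next
end

# Only the approved MACs reach the finance segment; everything else from
# "internal" to "finance" is dropped by the implicit deny.
config firewall policy
    edit 40
        set name "approved-hosts-to-finance"
        set srcintf "internal"
        set dstintf "finance"
        set srcaddr "finance-ws-01" "finance-ws-02"
        set dstaddr "finance-net"
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
```

Because the MAC is the client's claim, pair this with switch-port security or 802.1X on the access layer; on its own it stops accidental access from unmanaged devices but not a deliberate attacker who clones an approved address.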
Question 12
A FortiGate administrator wants to ensure that outbound web traffic is checked for data leakage, including scanning for sensitive keywords, confidential document patterns, and unauthorized file uploads. Which configuration is required?
A) Apply a DLP profile to outbound firewall policies
B) Apply an antivirus profile only
C) Enable DNS over TLS
D) Configure a VPN tunnel to the destination
Answer: A
Explanation
A) A DLP profile applied to the outbound firewall policy inspects content leaving the network for the patterns the administrator defines: keyword and regular-expression matches, built-in patterns such as credit card or national ID numbers, document fingerprints of known confidential files, and file-type or file-size rules that catch unauthorised uploads. It evaluates the protocols it supports, among them HTTP, HTTPS (only when the policy also has deep SSL inspection, since most uploads are encrypted), FTP, SMTP and other mail protocols, and can allow, log, block or quarantine the source IP when a rule matches. This maps directly onto the requirement for keyword scanning, confidential-document detection and upload control on web traffic. Applied to the outbound policies, DLP gives the compliance evidence, the accidental-exposure protection and the insider-threat visibility that none of the other options can provide.
B) This describes using only an antivirus profile. Antivirus scanning focuses on identifying malicious content such as malware, viruses, and trojans. While antivirus inspection is crucial for inbound and outbound security, it does not detect confidential information leaks. Antivirus lacks the ability to scan for keywords, structured sensitive data patterns, document signatures, or content-exfiltration attempts. It cannot detect unauthorized file uploads unless the files themselves contain malware, and it cannot analyze the context or sensitivity of outbound content. Therefore, an antivirus profile cannot satisfy the requirement for detecting data leakage.
C) This describes enabling DNS over TLS. DNS over TLS encrypts DNS queries to enhance privacy and prevent interception. While beneficial for confidentiality, encrypting DNS traffic does not inspect or control outbound web content. DNS privacy features provide no visibility into the data being uploaded or transmitted across web sessions. This does not provide any keyword scanning, pattern matching, or document fingerprinting. Encrypting DNS queries may even hinder certain types of inspection, making it unrelated to data leakage prevention.
D) This describes configuring a VPN tunnel to the destination. A VPN encrypts traffic between locations but does not inspect for data leakage. If anything, a VPN makes inspection harder because encrypted tunnels prevent the firewall from viewing the content unless the firewall is a termination point. Establishing a VPN cannot satisfy the requirement for scanning outbound content for sensitive information. VPN tunnels secure transport, not data governance or content-level oversight.
The only method that provides detection and control over outbound confidential information is applying a DLP profile. Therefore, the correct answer is A.
Question 13
A FortiGate administrator wants to prevent internal hosts from reaching suspicious IP addresses known for hosting botnet command-and-control servers. What configuration is required?
A) Enable botnet C&C blocking in the web filter or DNS filter
B) Apply NAT to restrict external access
C) Increase the session TTL for outbound flows
D) Configure a loopback interface
Answer: A
Explanation
A) Botnet command-and-control blocking relies on the FortiGuard botnet database, which is updated continuously, so the FortiGate can deny connections to known C&C infrastructure without any manual list maintenance. FortiOS enforces it at two layers: the DNS filter profile can block resolution of known botnet C&C domains, and the IPS sensor can block (or just monitor) direct connections to known botnet C&C IP addresses, which catches infected hosts that already know their controller's address or use a DNS path the firewall does not see. Both are enabled by attaching the profiles to the outbound policy. Beyond blocking, every hit identifies a probably compromised internal host, which turns the feature into a detection source for incident response as well as a preventive control.
B) This describes using NAT, which changes outgoing IP addresses but does not evaluate whether traffic is malicious or destined for suspicious servers. NAT cannot block communication with botnet controllers. It is purely a translation mechanism, not a security filter.
C) This describes adjusting session TTL values. TTL does not influence the destination of traffic and cannot prevent outbound sessions from reaching botnet IP addresses. It only defines how long a session persists, not whether the session is allowed. Modifying TTL provides no botnet protection.
D) This describes configuring a loopback interface, which is used for administrative or routing purposes and has no relevance to preventing access to suspicious IPs. Loopback interfaces cannot block botnet communications.
Blocking botnet command-and-control connections requires enabling the firewall’s botnet protection mechanisms. Therefore, the correct answer is A.
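The following CLI fragment is an added example and is not part of the exam page or Fortinet's documentation. It shows both halves of botnet C&C blocking applied to one outbound policy: domain blocking in a DNS filter profile and IP blocking in an IPS sensor. Interface names (port1 as WAN, port2 as LAN), profile names and the policy ID are assumptions; check attribute names against the CLI reference for your FortiOS 7.4 build before pasting.

```fortios
# Added example (not from the exam page). port1 = WAN, port2 = LAN; names are assumed.

# 1. Botnet C&C domain blocking lives in the DNS filter profile. Lookups for
#    names in the FortiGuard botnet domain database are refused, so the host
#    never learns the controller's address.
config dnsfilter profile
    edit "outbound-dns"
        set block-botnet enable
        set log-all-domain enable
    next
end

# 2. Botnet C&C IP blocking lives in the IPS sensor. This catches malware that
#    carries a hard-coded C&C address and never performs a DNS lookup.
config ips sensor
    edit "outbound-ips"
        set scan-botnet-connections block
    next
end

# 3. Attach both to the policy that carries LAN -> Internet traffic. The DNS
#    filter only sees DNS that traverses this policy; a client using
#    DNS-over-HTTPS to an external resolver is covered by step 2 only.
config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set dnsfilter-profile "outbound-dns"
        set ips-sensor "outbound-ips"
        set logtraffic all
        set nat enable
    next
end

# Check: the botnet definition packages must be present and current, or the
# two settings above match nothing. Look for the botnet entries in the output.
diagnose autoupdate versions
```

The check at the end is the one that matters in practice: both profiles are only as good as the FortiGuard botnet packages on the unit, so a box with an expired or never-updated subscription silently enforces nothing.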
Question 14
A FortiGate administrator needs to log every allowed session for compliance. The logs must include source, destination, ports, user identity, and security profile results. What should be configured?
A) Enable logging of all allowed traffic in the policy settings
B) Create a static route for logging
C) Adjust DNS settings on the firewall
D) Enable NAT on internal interfaces
Answer: A
Explanation
A) This describes enabling logging for all allowed traffic at the policy level. Each firewall policy has a Log Allowed Traffic setting with two levels: Security Events logs only sessions that triggered a security profile, while All Sessions logs every session the policy accepts. Compliance auditing needs All Sessions; with Security Events alone, an allowed session that hit no profile leaves no record. When enabled, the firewall records session information including source, destination, ports, applied security profiles and their results, user identity (when the policy authenticates users), and the session outcome. Logging allowed traffic lets administrators track usage patterns, detect anomalies, perform forensic investigations, and prove compliance during audits. The logs can be forwarded to FortiAnalyzer, syslog servers, or cloud logging services for long-term storage and analysis, which matters because the unit's local disk or memory logging is limited and is not an audit-grade record. Since compliance frameworks typically require full audit trails, logging all allowed sessions is essential; expect log volume to rise accordingly and size the collector for it.
B) This describes creating a static route. Routing does not control logging. Static routes define how to reach networks, but do not generate logs nor influence logging behavior. Creating a route will not record session details or security profile information. Therefore, it does not meet logging requirements.
C) This describes adjusting DNS settings. DNS settings determine how the firewall resolves domain names but do not affect traffic logging. DNS configuration cannot enforce or enable session logging for compliance. Changing DNS servers or settings offers no connection to logging requirements.
D) This describes enabling NAT, which does not generate logs by itself. NAT only modifies addresses; whether a session is logged is decided by the policy's logging setting, not by its NAT setting. Therefore, enabling NAT cannot satisfy the requirement for auditing all allowed traffic.
The only configuration that ensures full logging of allowed sessions is enabling the logging option within firewall policies. Therefore, the correct answer is A.
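The following CLI fragment is an added example, not content from the exam page. It shows the policy-level setting that the question turns on (logtraffic all rather than logtraffic utm), identity on the policy so that the user field is populated, and off-box forwarding to a syslog collector. The interface names, the user group "Employees", the collector address and the policy ID are assumptions.

```fortios
# Added example (not from the exam page). port1 = WAN, port2 = LAN; names are assumed.

# Log Allowed Traffic has two levels on a policy:
#   set logtraffic utm   -> only sessions that triggered a security profile
#   set logtraffic all   -> every session the policy accepts (what an audit needs)
# logtraffic-start writes an extra record at session open, so long-lived
# sessions are visible before they close, at the cost of more log volume.
config firewall policy
    edit 10
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # The user field is only filled in when the policy authenticates users.
        # "Employees" is an assumed, pre-existing user group.
        set groups "Employees"
        set utm-status enable
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
end

# Ship logs off-box so the audit trail does not depend on the unit's own storage.
config log syslogd setting
    set status enable
    set server "10.0.0.50"
    set mode reliable
    set port 514
    set facility local7
end

# Verify from the CLI: select the traffic log category (0) and print entries.
execute log filter category 0
execute log display
```

Reliable mode uses TCP to the collector; switch to udp only if the collector cannot accept a TCP stream, and accept that dropped datagrams then leave gaps in the trail.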
Question 15
A FortiGate administrator wants to ensure that application traffic between multiple internal VLANs is inspected, even though the VLANs belong to the same virtual domain. The administrator wants to enforce antivirus, web filtering, and IPS between the VLANs. What must be configured?
A) Create inter-VLAN firewall policies and apply security profiles
B) Use a static route to separate the VLANs
C) Disable the internal switch interface
D) Increase the MTU on the VLAN interfaces
Answer: A
Explanation
A) This describes creating firewall policies between VLAN interfaces within the same virtual domain and applying security profiles such as antivirus, IPS, and web filters. VLAN sub-interfaces behave like separate layer-3 interfaces, so traffic between them is routed by the FortiGate and must match a firewall policy or it is dropped by the implicit deny. By configuring inter-VLAN policies, the administrator can apply the full suite of security inspection capabilities to traffic flowing between internal segments, which gives segmentation, visibility, and control even though the VLANs are in a single VDOM. Two things defeat this and are worth checking: if both VLANs are members of a FortiGate software or hardware switch, traffic between them is switched rather than routed and no policy sees it; and if the VLAN interfaces sit in the same zone with intra-zone traffic allowed, they reach each other without any security profile. Applying security profiles on explicit inter-VLAN policies ensures that threats cannot propagate laterally between VLANs and that each segment is protected with the same inspection used at the perimeter. This matches the requirement to ensure inspection between VLANs.
B) This describes using static routes, which only control reachability but do not apply security profiles. Static routes cannot enforce security inspection nor stop traffic by themselves. They cannot satisfy the requirement for antivirus, IPS, or filtering between VLANs.
C) This describes disabling the internal switch interface. Disabling it may break internal connectivity, but it does not enable inspection or security enforcement. It also does not provide inter-VLAN segmentation or inspection control.
D) This describes increasing the MTU, which affects frame size but not security or traffic inspection. MTU adjustments have no relationship to enforcing security profiles or controlling inter-VLAN traffic.
Only inter-VLAN firewall policies with applied security profiles meet the inspection requirement. Therefore, A is correct.
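The following CLI fragment is an added example and is not from the exam page. It defines two VLAN sub-interfaces on one trunk port and the pair of inter-VLAN policies that carry security profiles between them; VLAN IDs, subnets, the trunk port (port2), and the services allowed are assumptions chosen for illustration.

```fortios
# Added example (not from the exam page). port2 is the trunk to the internal
# switch; VLAN IDs, subnets and services are assumed.

# Each VLAN is its own layer-3 sub-interface in VDOM root, so vlan10 <-> vlan20
# traffic is routed and must match a policy (the implicit deny drops the rest).
config system interface
    edit "vlan10"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set alias "users"
    next
    edit "vlan20"
        set vdom "root"
        set interface "port2"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set alias "servers"
    next
end

# One policy per direction, each with the profiles the question asks for.
# No NAT: both sides are internal and the real source address keeps logs useful.
config firewall policy
    edit 20
        set name "users-to-servers"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
        set logtraffic all
    next
    edit 21
        set name "servers-to-users"
        set srcintf "vlan20"
        set dstintf "vlan10"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic all
    next
end
```

Before trusting the policies, confirm that neither VLAN interface is a member of a software switch and that they are not grouped in a zone with intra-zone traffic allowed; in either case the traffic never reaches these policies and the profiles are never consulted.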
Question 16
A FortiGate administrator needs to ensure that SSL-encrypted traffic between internal users and external websites is fully inspected for threats. The administrator wants to scan for malware, block malicious URLs, and apply data leak prevention controls. What must be configured?
A) Enable deep inspection SSL profile and apply it to outbound policies
B) Use only DNS filtering
C) Enable NAT on the external interface
D) Modify the static route to point to the internet gateway
Answer: A
Explanation
A) This describes enabling deep inspection of SSL sessions and applying the inspection profile to outbound policies. With deep inspection the firewall terminates the TLS session from the client, opens its own session to the server, decrypts the traffic, scans the plaintext content, and re-encrypts it before forwarding it. This is what lets antivirus scanning, web filtering, intrusion prevention, application control, and data leak prevention see the payload. Without decryption these profiles see only what the TLS handshake exposes (the server name in SNI and the server certificate), which is enough for coarse URL categorization and some application identification but not for scanning downloaded files, inspecting posted data for leakage, or matching IPS signatures inside HTTPS; this is why a certificate-inspection profile cannot satisfy the requirement. Deep inspection allows the firewall to detect threats hidden within encrypted content, such as malware downloads, phishing pages, or command-and-control traffic masked inside HTTPS. Applying it to the outbound policies ensures that every encrypted web session initiated by internal users is inspected, fulfilling the requirement to inspect SSL-encrypted traffic for malware, URL threats, and data leakage. Because the firewall re-signs server certificates with its own CA (Fortinet_CA_SSL by default) to perform this man-in-the-middle decryption, that CA certificate must be installed as trusted on every client device, or users see certificate errors on every site. Sites that use certificate pinning or mutual TLS break under decryption and must be added to the profile's exemption list, and QUIC (HTTP/3 over UDP 443) is not decrypted at all, so it is normally blocked to force clients back to TCP where the profile applies. Deep inspection is the only configuration capable of meeting the visibility and inspection needs described.
B) This describes using only DNS filtering. DNS filtering analyzes domain lookups and can block known malicious or inappropriate domains. However, it cannot inspect encrypted traffic, scan for malware within HTTPS content, or evaluate files downloaded through encrypted channels. DNS filtering is limited to controlling domain queries and does not provide content inspection. Malware or data leakage hidden inside SSL sessions would bypass DNS filtering entirely once the domain is resolved. DNS filtering cannot perform decryption or inspect HTTPS content at a granular level. Therefore, it cannot satisfy the requirement to fully inspect SSL traffic.
C) This describes enabling NAT on the external interface. NAT modifies addresses as traffic leaves the network but does not influence the inspection of SSL content. NAT does not decrypt or analyze traffic and offers no visibility into encrypted payloads. It only affects translation of IP addresses and provides no mechanism for threat detection inside encryption. NAT alone cannot meet the requirement for inspecting malware, URLs, or sensitive data inside encrypted sessions.
D) This describes modifying the static route to point to the internet gateway. Routing determines the path traffic follows but does not influence security inspection. A static route has no capability to decrypt SSL traffic or inspect it for threats. Even with correct routing, encrypted sessions remain opaque unless a deep inspection SSL profile is applied. Routing configurations do not affect visibility or security scanning.
The only configuration that enables deep scanning of SSL-encrypted web traffic is applying a deep inspection SSL profile to outbound firewall policies. Therefore, the correct answer is A.
Question 17
A FortiGate administrator wants to apply bandwidth limits to guest Wi-Fi users. The goal is to ensure no single user consumes excessive bandwidth and that total usage remains balanced. The administrator wants to apply per-user shaping while maintaining overall fairness. What should be implemented?
A) Apply a traffic shaping profile with per-IP shaping in the firewall policy
B) Modify the session TTL for guest sessions
C) Use NAT to mask guest user identities
D) Create a static route for guest traffic
Answer: A
Explanation
A) This describes applying a traffic shaping profile that uses per-IP shaping. A per-IP shaper gives every source address its own bandwidth bucket, with a maximum rate (and optionally a maximum concurrent-session count) that no single device can exceed, so one guest cannot starve the others. Applied to guest Wi-Fi traffic, the firewall ensures that each user receives a controlled rate of bandwidth, distributing it equitably among users and keeping performance predictable, which is exactly what a guest network needs. The per-IP shaper is normally paired with a shared shaper that caps and prioritizes the guest segment as a whole: the shared shaper is where guaranteed bandwidth, maximum bandwidth, and priority are set, while the per-IP shaper enforces the individual ceiling. The shapers apply to the traffic matched by the guest firewall policy, so every session passing through that policy is subject to the shaping rules. One point to check: the shaper keys on the source address the FortiGate sees. NAT performed by the FortiGate itself does not interfere, because the policy and shaper evaluate the pre-NAT source, but an upstream device that NATs all guests to a single address (some access points do this) collapses them into one bucket. This directly aligns with the requirement for balanced usage and prevention of excessive consumption by any single user.
B) This describes modifying session TTL values. TTL affects how long sessions persist but does not enforce bandwidth limits. Adjusting TTL would not ensure fairness or prevent excessive usage. TTL settings cannot shape traffic or differentiate user bandwidth levels. Therefore, TTL adjustments cannot fulfill the requirement for per-user bandwidth control.
C) This describes using NAT to mask guest identities. NAT offers no mechanism for bandwidth fairness or shaping. Worse, if guests are translated to a single address before they reach the shaper, the firewall can no longer tell them apart and per-IP limits collapse into one shared bucket. NAT applied by the FortiGate on the outbound policy itself does not have this effect, since shaping is evaluated on the pre-NAT source, but it contributes nothing toward the requirement either.
D) This describes creating a static route for guest traffic. Routing does not control bandwidth or apply shaping rules. Static routes merely determine where packets go but do not impose speed limits or fairness rules. Traffic shaping must be applied through policies, not routing configurations.
Per-IP traffic shaping is the only configuration that ensures fair bandwidth distribution among guest Wi-Fi users. Therefore, the correct answer is A.
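The following CLI fragment is an added example and is not from the exam page. It defines a per-IP shaper for the individual ceiling, a shared shaper for the guest segment as a whole, and a shaping policy that applies both to the same traffic the guest firewall policy allows. The interface name "guest-wifi", port1 as WAN, and all bandwidth figures are assumptions.

```fortios
# Added example (not from the exam page). "guest-wifi" is the guest SSID or VLAN
# interface, port1 is WAN; shaper names and limits are assumed.

# Per-IP shaper: a separate bucket per source address. 5 Mbit/s per device
# and a session cap so one chatty device cannot exhaust the session table.
config firewall shaper per-ip-shaper
    edit "guest-5m-per-user"
        set max-bandwidth 5000
        set bandwidth-unit kbps
        set max-concurrent-session 200
    next
end

# Shared shaper: the guest segment together never exceeds 50 Mbit/s and is
# low priority against corporate traffic when the WAN is congested.
# per-policy gives each policy that references it its own 50 Mbit/s bucket.
config firewall shaper traffic-shaper
    edit "guest-50m-total"
        set guaranteed-bandwidth 10000
        set maximum-bandwidth 50000
        set bandwidth-unit kbps
        set priority low
        set per-policy enable
    next
end

# Shaping policy: match the guest traffic and apply both shapers. The reverse
# shaper governs the download direction; the per-IP shaper applies both ways.
config firewall shaping-policy
    edit 1
        set name "guest-wifi-shaping"
        set srcintf "guest-wifi"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set traffic-shaper "guest-50m-total"
        set traffic-shaper-reverse "guest-50m-total"
        set per-ip-shaper "guest-5m-per-user"
    next
end

# Check live counters against the limits (drops here mean the cap is biting).
diagnose firewall shaper traffic-shaper list
diagnose firewall shaper per-ip-shaper list
```

The shaping policy must match the same source interface and addresses as the firewall policy that accepts the guest traffic; a shaping policy that matches nothing enforces nothing and the diagnose output will show zero bytes on the shaper.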
Question 18
A FortiGate administrator needs to enforce identity-based policies for remote SSL VPN users. The administrator wants to apply different access permissions to employees based on group membership. What must be configured?
A) Assign user groups to firewall policies that handle SSL VPN traffic
B) Modify WAN interface MTU
C) Enable NAT on the SSL VPN interface
D) Adjust routing priority for internal networks
Answer: A
Explanation
A) This describes adding user groups to firewall policies that handle SSL VPN traffic. The SSL VPN login authenticates the user and establishes group membership (locally or via LDAP, RADIUS, or SAML); the SSL VPN authentication rules then select the portal, but network access is decided by the firewall policies from the SSL VPN interface (ssl.root in the root VDOM) to the internal networks. Putting a user group on such a policy makes it match only sessions whose authenticated user belongs to that group, so each group gets exactly the destinations and services its policy lists and the implicit deny drops the rest. This allows restricting access to specific internal networks based on job function, department, or role, with enforcement at the session level for every packet in the tunnel. This configuration is the core of identity-based access control on the FortiGate and fulfills the requirement of applying different access permissions based on group membership.
B) This describes modifying the MTU. MTU settings affect packet sizes but do not relate to identity-based access control or user group permissions. Adjusting MTU does not influence authentication or authorization and has no effect on enforcing user group–based policies.
C) This describes enabling NAT on the SSL VPN policy. NAT is unrelated to identity: the policy matches on the authenticated user's group before any address translation happens, so enabling NAT neither enables nor breaks group-based access control (source NAT on SSL VPN policies is in fact common when the tunnel address range is not routable internally). It does nothing toward differentiating permissions by group.
D) This describes adjusting routing priority. Routing priority determines how packets are forwarded but does not enforce user access controls. Identity-based authorization occurs at the firewall policy layer, not in routing. Routing cannot determine group membership or enforce permissions based on identity.
Only assigning user groups to policies handling SSL VPN traffic enables identity-based policy enforcement. Therefore, A is the correct answer.
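The following CLI fragment is an added example and is not from the exam page. It maps two directory groups to FortiGate user groups, uses the SSL VPN authentication rule only to pick the portal, and puts the actual access decision in one firewall policy per group. The LDAP server "corp-ldap", the group DNs, the destination address objects, port2 as the internal interface and the policy IDs are assumptions; ssl.root and SSLVPN_TUNNEL_ADDR1 are the default SSL VPN interface and tunnel address range.

```fortios
# Added example (not from the exam page). "corp-ldap" is an assumed, already
# configured LDAP server; group DNs and address objects are assumed.

# Group membership is resolved against the directory, so no per-user rules.
config user group
    edit "vpn-finance"
        set member "corp-ldap"
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=Finance,OU=Groups,DC=example,DC=com"
            next
        end
    next
    edit "vpn-engineering"
        set member "corp-ldap"
        config match
            edit 1
                set server-name "corp-ldap"
                set group-name "CN=Engineering,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

# A portal with nothing enabled, used as the default so that an authenticated
# user outside the expected groups gets no tunnel and no web access.
config vpn ssl web portal
    edit "no-access"
        set tunnel-mode disable
        set web-mode disable
    next
end

# Authentication rules choose the portal (client settings); they do not grant
# network access by themselves.
config vpn ssl settings
    set default-portal "no-access"
    config authentication-rule
        edit 1
            set groups "vpn-finance" "vpn-engineering"
            set portal "tunnel-access"
        next
    end
end

# Access is decided here: one policy per group, scoped to what the group needs.
# The implicit deny drops everything else arriving from the tunnel.
config firewall policy
    edit 30
        set name "sslvpn-finance-to-erp"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "erp-servers"
        set groups "vpn-finance"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    edit 31
        set name "sslvpn-eng-to-git"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "git-servers"
        set groups "vpn-engineering"
        set action accept
        set schedule "always"
        set service "SSH" "HTTPS"
        set logtraffic all
    next
end

# Who is connected, and which group they matched:
get vpn ssl monitor
```

A user who is in both directory groups matches both policies and gets the union of the two; if that is not intended, order the policies so the more restrictive one is evaluated first, or make the group memberships mutually exclusive in the directory.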
Question 19
A FortiGate administrator wants to ensure that applications such as social media, streaming services, and peer-to-peer apps are controlled based on their actual behavior rather than port numbers. The administrator also wants to block unknown applications. What configuration is necessary?
A) Enable application control with block for unknown applications
B) Rely solely on port-based firewall rules
C) Increase session timeout values
D) Disable NAT on all outgoing interfaces
Answer: A
Explanation
A) This describes enabling application control and setting unknown applications to be blocked. Application control identifies applications with FortiGuard signatures based on deep packet inspection, protocol analysis, and behavior rather than port numbers, so applications that use dynamic ports, encryption, or tunneling to evade port-based rules are still detected. Blocking unknown applications ensures that any traffic the engine cannot identify is denied rather than allowed by default, which strengthens security against evasive or custom tooling. Two practical notes: identification takes a few packets, so the first packets of a session are forwarded before the verdict applies, and for HTTPS the engine sees only SNI and certificate data unless the policy also uses deep SSL inspection. Because blocking unknown applications will also block legitimate in-house or unusual software, it is worth running with unknown-application logging enabled first to see what would be affected. This configuration provides visibility, control, and enforcement over application behavior, helps monitor usage patterns and limit bandwidth consumption by non-essential applications, and aligns directly with the requirement for behavioral enforcement independent of port numbers.
B) This describes relying solely on port-based rules. Port-based filtering is insufficient for controlling modern applications, which frequently evade such controls. Port-based rules cannot identify or block unknown or encrypted applications. Therefore, this cannot meet the requirement.
C) This describes increasing session timeout values. Session timeouts do not influence application identification or enforcement. They only determine how long a session may persist, not what application is allowed. Timeout settings cannot control or block applications.
D) This describes disabling NAT. Changing NAT has no effect on application identification, behavior analysis, or app blocking. NAT does not provide visibility or control over applications.
Application control with blocking of unknown applications is the only way to enforce behavioral application restrictions. Therefore, A is correct.
Question 20
A FortiGate administrator needs to optimize the firewall’s performance by ensuring that frequently accessed DNS records are quickly resolved without generating unnecessary external queries. The administrator wants internal clients to benefit from local DNS caching. What should be configured?
A) Enable DNS cache on the FortiGate
B) Increase the WAN interface speed
C) Use NAT for DNS queries
D) Adjust static routes for DNS servers
Answer: A
Explanation
A) This describes enabling DNS cache on the firewall. When DNS caching is enabled, the FortiGate stores DNS responses locally, and subsequent requests for the same name within the cached TTL are answered directly from the cache, reducing lookup time, minimizing external DNS queries, and reducing load on upstream DNS servers. Internal clients benefit only if their queries pass through the FortiGate's DNS proxy, that is, if the internal interface is configured as a DNS server (recursive or forwarding) and clients are pointed at it, typically through DHCP; clients that query an external resolver directly never touch the cache. DNS caching is especially useful in large networks or environments with frequent repeated domain lookups. It directly satisfies the requirement to improve performance by resolving DNS queries locally and preventing unnecessary external queries, and is the only option here that affects DNS lookup efficiency.
B) This describes increasing WAN interface speed. Increasing bandwidth may improve general network performance but does not directly enhance DNS resolution efficiency. DNS query improvement depends on caching and resolution mechanisms, not link speed. Therefore, increasing WAN speed does not satisfy the requirement.
C) This describes using NAT for DNS queries. NAT has no connection to DNS caching or resolution improvements. NAT simply changes IP addresses and does not optimize DNS behavior. It provides no caching or lookup benefits.
D) This describes adjusting static routes for DNS servers. Routing ensures DNS queries reach their destination but does not improve performance through caching. Changing static routes does not reduce external DNS queries nor speed up repeated lookups.
The only configuration that provides local DNS caching and reduces external queries is enabling DNS cache. Therefore, the correct answer is A.
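The following CLI fragment is an added example and is not from the exam page. It sizes the FortiGate's DNS cache, turns the internal interface into a recursive DNS server so client lookups actually go through the cache, and hands that address to clients via DHCP. The upstream resolver addresses, port2 as the internal interface, the subnet and the cache limits are assumptions.

```fortios
# Added example (not from the exam page). port2 is the internal interface;
# resolver addresses, subnet and cache sizes are assumed.

# The resolver cache used by the DNS proxy, which serves both the unit's own
# lookups and any interface configured as a DNS server below.
config system dns
    set primary 10.0.0.53
    set secondary 10.0.0.54
    set dns-cache-limit 10000
    set dns-cache-ttl 1800
    set cache-notfound-responses enable
end

# Clients only benefit if they ask the FortiGate: make the inside interface a
# recursive DNS server (with the default DNS filter profile applied to it).
config system dns-server
    edit "port2"
        set mode recursive
        set dnsfilter-profile "default"
    next
end

# Point DHCP clients at the interface address ("local") rather than at the
# upstream resolvers, so every lookup passes through the cache.
config system dhcp server
    edit 1
        set interface "port2"
        set default-gateway 10.10.10.1
        set netmask 255.255.255.0
        set dns-service local
        config ip-range
            edit 1
                set start-ip 10.10.10.100
                set end-ip 10.10.10.200
            next
        end
    next
end

# Check: run without an argument to list the dnsproxy test options, then use
# the "dump DNS cache" entry to confirm entries are being cached.
diagnose test application dnsproxy
```

dns-cache-ttl is a ceiling, not a floor: a record whose authoritative TTL is shorter expires at its own TTL, so raising the value does not keep stale records past what the zone owner allows.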