Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 4 Q61-80


Question 61

A FortiGate administrator wants to ensure that internal users can only access approved SaaS applications while blocking all other cloud services. Which configuration should be applied?

A) Apply application control profiles with allow lists for approved SaaS applications
B) Enable NAT on internal interfaces
C) Increase TTL for HTTPS sessions
D) Configure static routes to approved SaaS servers

Answer: A

Explanation

A) This describes applying application control profiles with allow lists specifically for approved SaaS applications. Application control identifies traffic by application signatures, behavior, and protocols, which allows granular control over access rather than relying solely on IP addresses or ports. By creating an allow list, only authorized SaaS applications such as Microsoft 365, Salesforce, or other corporate-approved productivity tools are permitted. All other cloud applications are blocked, preventing unauthorized usage that could lead to data leakage, bandwidth abuse, or malware exposure. SSL deep inspection ensures visibility into encrypted HTTPS traffic, allowing the firewall to detect and control applications that may otherwise bypass security measures. Logs provide detailed insight into allowed and blocked traffic, helping administrators monitor policy enforcement and identify attempts to circumvent restrictions. This configuration aligns with zero-trust principles by enforcing strict access controls, reducing exposure to unauthorized cloud services, and ensuring that internal users can only use sanctioned business tools. Granular policies can be applied by user group, department, or VLAN, providing flexibility and targeted enforcement. This solution protects sensitive data, maintains productivity, and minimizes risks associated with unsanctioned cloud usage.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for routing but does not inspect applications or enforce allow lists. NAT alone cannot control SaaS access.

C) This describes increasing TTL for HTTPS sessions. TTL affects session duration but does not provide inspection or enforcement of application-level policies. Adjusting TTL cannot block unauthorized SaaS applications.

D) This describes configuring static routes to approved SaaS servers. Routing ensures connectivity but does not block unapproved applications or enforce allow lists. Static routes alone cannot enforce cloud application access policies.

Application control profiles with allow lists for approved SaaS applications are the only configuration that ensures controlled access to cloud services while blocking unauthorized applications. Therefore, A is correct.

Question 62

A FortiGate administrator wants to monitor and limit per-user internet bandwidth usage to prevent any single user from affecting overall network performance. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP shaping enforces bandwidth limits for individual users or devices, ensuring fair usage of network resources. Administrators can define maximum, guaranteed, and priority bandwidth per user, which helps prevent a single user from consuming excessive resources and impacting business-critical applications. Shaping profiles can also prioritize essential applications while limiting non-critical traffic. By applying shaping at the firewall policy level, every session is monitored and enforced according to policy. Logs and reports provide insight into bandwidth consumption, helping administrators identify users exceeding limits, optimize network performance, and support compliance or auditing requirements. Policies can be applied per VLAN, user group, or device type, providing granular control over bandwidth management. This configuration is particularly useful in environments with limited WAN capacity, ensuring equitable resource allocation, predictable network performance, and adherence to corporate usage policies. Traffic shaping combined with monitoring provides visibility, control, and the ability to enforce fair access to network resources consistently.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not limit bandwidth or enforce per-user policies. NAT alone cannot ensure fair network resource allocation.

C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not monitor or control bandwidth usage. Adjusting TTL cannot enforce per-user limits.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce bandwidth restrictions. Static routes alone cannot provide traffic shaping.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures per-user bandwidth control and prevents network performance degradation. Therefore, A is correct.

Question 63

A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, IPS, and application control profiles. Segmented internal networks using VLANs reduce exposure to threats by isolating sensitive or critical systems. Firewall policies between VLANs allow traffic inspection to ensure that malicious activity cannot propagate between network segments. Antivirus scanning inspects files, executables, and attachments, blocking malware or ransomware attempting lateral movement. IPS monitors for suspicious activity, exploits, and attack patterns, detecting threats at the network layer. Application control enforces the use of authorized applications, preventing unapproved software from transferring malicious payloads. SSL deep inspection ensures encrypted traffic is also scanned, preventing encrypted malware or ransomware attacks. Logs and reports provide visibility into blocked threats, policy enforcement, and traffic patterns, supporting compliance and incident response. Layering antivirus, IPS, and application control on inter-VLAN policies ensures that security is maintained without disrupting legitimate business operations. This approach enforces zero-trust principles and provides a multi-layered defense against malware propagation and unauthorized application usage.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or prevent malware propagation. NAT alone cannot provide inter-VLAN security.

C) This describes increasing TTL for VLAN sessions. TTL affects session duration but does not enforce antivirus, IPS, or application control. Adjusting TTL cannot prevent malware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or block malware or ransomware. Static routes alone cannot provide inter-VLAN security.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware spread while allowing legitimate traffic. Therefore, A is correct.

Question 64

A FortiGate administrator wants to enforce SSL inspection for remote user web traffic to detect malware, phishing attempts, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on the SSL VPN interface
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes for remote user traffic

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN enables remote users to securely access internal resources over encrypted channels. SSL deep inspection decrypts HTTPS traffic, enabling the firewall to analyze content for malware, phishing attempts, and unauthorized applications. Antivirus scanning inspects attachments and downloads for malware or trojans. Web filtering blocks access to malicious websites, phishing pages, and unapproved content categories. Application control detects unauthorized applications, even if they attempt to tunnel over HTTPS. Logs and reports provide visibility into blocked traffic, detected threats, and policy enforcement, supporting auditing and compliance. Administrators can configure exceptions for trusted websites to reduce user disruption while maintaining security. Applying deep inspection ensures encrypted connections cannot bypass security controls, protecting both remote users and internal resources. This configuration aligns with zero-trust principles, providing comprehensive protection for SSL VPN traffic against malware, phishing, and unauthorized application usage.

B) This describes enabling NAT on the SSL VPN interface. NAT modifies IP addresses but does not inspect SSL traffic or enforce security policies. NAT alone cannot detect malware, phishing, or unauthorized applications.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session duration but does not inspect or control traffic. Adjusting TTL cannot enforce security policies for SSL VPN.

D) This describes configuring static routes for remote user traffic. Routing ensures connectivity but does not decrypt, inspect, or block threats. Static routes alone cannot secure SSL VPN traffic.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure and monitored remote access. Therefore, A is correct.

Question 65

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages continuously updated threat intelligence to identify malicious IP addresses, domains, and URLs associated with botnet activity. DNS filtering intercepts queries to malicious domains, preventing resolution and blocking attempts to contact C&C servers. Web filtering inspects HTTP and HTTPS traffic to detect connections with known botnet infrastructure, applying SSL inspection when necessary. Blocking C&C communications prevents malware-infected internal hosts from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide detailed visibility into blocked attempts, policy enforcement, and potential internal infections, supporting compliance, auditing, and incident response. FortiGuard threat intelligence ensures the firewall remains effective against emerging botnet infrastructures. By combining DNS and web filter C&C protections, administrators prevent internal hosts from compromising network security while maintaining legitimate traffic flow.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not detect or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not block botnet communications. Adjusting TTL cannot mitigate malware threats.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not detect or block botnet activity. Static routes alone cannot prevent malicious communications.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious command-and-control servers. Therefore, A is correct.

Question 66

A FortiGate administrator wants to restrict access to certain social media websites during working hours but allow access outside business hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking along with schedule-based policies. Web filter profiles categorize websites into types such as social media, gambling, entertainment, and business-related categories. By associating the profile with a schedule, administrators can block access to social media sites during specified working hours while allowing access outside those hours. SSL inspection allows the firewall to inspect HTTPS traffic and enforce the block for encrypted sessions. Logs and reports provide visibility into blocked attempts, policy enforcement, and user behavior, supporting auditing, compliance, and productivity monitoring. Schedule-based web filtering ensures that policy enforcement aligns with organizational work hours and productivity goals. Administrators can apply different schedules for different departments, VLANs, or user groups, providing granular control over web access. This approach maintains network security while balancing operational flexibility. Combining website categorization with time-based schedules reduces the administrative overhead compared to manually listing URLs, ensuring consistent enforcement and minimizing policy violations. It also aligns with corporate governance by restricting non-business activity during work hours while enabling controlled access during personal time.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or enforce web filtering. NAT alone cannot block access to social media.

C) This describes increasing TTL for HTTP sessions. TTL affects session duration but does not provide category-based blocking or schedule enforcement. Adjusting TTL cannot control web access by time.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not enforce content restrictions or schedules. Static routes alone cannot prevent access to specific categories of websites.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled, time-based access to social media websites. Therefore, A is correct.

Question 67

A FortiGate administrator wants to prevent internal users from bypassing security policies by using unauthorized proxy servers or anonymizers. Which configuration should be applied?

A) Apply application control profiles with rules blocking proxy and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to proxy servers

Answer: A

Explanation

A) This describes applying application control profiles with specific rules to block proxy servers and anonymizers. Users may attempt to bypass corporate security policies by using proxy software or anonymizer websites to circumvent web filtering, malware scanning, or Data Loss Prevention (DLP) rules. Application control inspects traffic for signatures, behaviors, and protocols associated with proxy and anonymizer tools. Blocking these applications ensures that all internet-bound traffic remains subject to corporate policies. SSL inspection enables detection of encrypted traffic attempting to tunnel through these applications. Logs and reports provide visibility into blocked access attempts, policy enforcement, and potential user attempts to circumvent security. Granular control can be applied per VLAN, user group, or department, providing targeted enforcement without affecting business-critical applications. This configuration ensures compliance, reduces security risks, prevents data exfiltration, and aligns with zero-trust principles by controlling and monitoring all outbound traffic. Blocking unauthorized proxies and anonymizers maintains the integrity of security measures and ensures consistent policy enforcement across the organization.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not detect or block proxy or anonymizer applications. NAT alone cannot prevent policy bypass.

C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not inspect or block traffic. Adjusting TTL cannot prevent bypass attempts.

D) This describes configuring static routes to proxy servers. Routing ensures connectivity but does not block proxy or anonymizer applications. Routing alone cannot enforce security policies.

Application control profiles with rules blocking proxy and anonymizer applications are the only configuration that ensures users cannot bypass security controls. Therefore, A is correct.

Question 68

A FortiGate administrator wants to block access to malicious websites in real-time while allowing access to essential business services. Which configuration should be applied?

A) Apply web filter profiles with FortiGuard categories and create allow lists for business-critical websites
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes for business-critical websites

Answer: A

Explanation

A) This describes applying web filter profiles using FortiGuard categories combined with allow lists for business-critical websites. FortiGuard continuously updates threat intelligence databases to identify malicious, phishing, and fraudulent websites. Web filter profiles categorize URLs and block access to high-risk categories. Allow lists ensure that essential business services remain accessible even if they fall into a broadly blocked or miscategorized category. SSL inspection allows encrypted traffic to be inspected, preventing malware, ransomware, or phishing attacks from bypassing controls. Logs and reports provide visibility into blocked attempts, allowed access, and policy enforcement, supporting auditing, compliance, and threat analysis. Granular policy application allows different filtering rules per user group, department, VLAN, or zone, maintaining business continuity while enforcing security. This configuration reduces the risk of web-based attacks, prevents malware infections, and maintains operational efficiency. Combining FortiGuard categorization with allow lists simplifies management and ensures protection against evolving threats. Real-time blocking with continuous updates ensures the firewall responds quickly to new malicious sites without affecting legitimate business operations.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect or block traffic. NAT alone cannot prevent access to malicious websites.

C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not provide content inspection or blocking. Adjusting TTL cannot prevent malicious web access.

D) This describes configuring static routes for business-critical websites. Routing ensures connectivity but does not block malicious content or enforce security policies. Routes alone cannot secure web access.

Web filter profiles with FortiGuard categories and allow lists for business-critical websites are the only configuration that effectively blocks malicious websites while maintaining access to essential services. Therefore, A is correct.

Question 69

A FortiGate administrator wants to enforce per-user data usage limits on internet access to prevent excessive consumption by a single user. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles with data quotas to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shaping profiles with data quotas to firewall policies. Per-user quotas allow administrators to limit the amount of data consumed by individual users over a defined period, such as daily, weekly, or monthly. Traffic shaping can also control bandwidth allocation, ensuring that business-critical applications receive sufficient resources. By applying these profiles to firewall policies, the firewall enforces both bandwidth and data consumption limits on a per-user basis. Logs and reports provide detailed visibility into usage patterns, quota enforcement, and policy compliance, supporting auditing and troubleshooting. Quotas prevent network congestion, reduce the risk of service degradation for other users, and enforce fair usage policies. Administrators can apply profiles per VLAN, department, or user group, ensuring flexibility and precise control. Integrating per-IP shaping with application control allows prioritization of critical applications while limiting non-essential traffic, maintaining network efficiency and organizational compliance. This configuration enforces zero-trust principles by ensuring all users adhere to defined consumption policies.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce data quotas or limit bandwidth per user. NAT alone cannot prevent excessive consumption.

C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not control data usage or bandwidth. Adjusting TTL alone cannot enforce quotas.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user data usage restrictions. Static routes alone cannot limit consumption.

Applying per-IP traffic shaping profiles with data quotas to firewall policies is the only configuration that enforces per-user limits and prevents excessive internet usage. Therefore, A is correct.

Question 70

A FortiGate administrator wants to detect and block botnet command-and-control traffic originating from internal hosts. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes for external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to identify malicious domains, URLs, and IP addresses associated with botnet activity. DNS filtering intercepts domain resolution requests, preventing internal hosts from contacting C&C servers. Web filtering inspects HTTP and HTTPS traffic, applying SSL deep inspection when necessary, to detect and block communications with known botnet infrastructure. Blocking C&C traffic prevents malware-infected hosts from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide detailed visibility into blocked attempts, policy enforcement, and potential internal infections, supporting auditing and incident response. FortiGuard threat intelligence ensures continuous protection against new and evolving botnet infrastructures. By combining DNS and web filter C&C protections, administrators maintain network security while allowing legitimate traffic to flow unimpeded. This configuration mitigates risks of malware propagation, data exfiltration, and compromised hosts within the internal network.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not detect or block botnet traffic. NAT alone cannot prevent malware communication with C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not enforce botnet C&C blocking. Adjusting TTL cannot mitigate malware threats.

D) This describes configuring static routes for external servers. Routing ensures connectivity but does not block botnet communications. Static routes alone cannot prevent malware from contacting C&C servers.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively blocks internal hosts from communicating with malicious botnet servers. Therefore, A is correct.

Question 71

A FortiGate administrator wants to ensure that remote users cannot bypass security policies by using unauthorized VPN clients or tunneling applications. Which configuration should be applied?

A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on remote user interfaces
C) Increase TTL for remote VPN sessions
D) Configure static routes to trusted VPN servers

Answer: A

Explanation

A) This describes applying application control profiles with rules that block VPN tunneling and anonymizer applications. Remote users may attempt to bypass security policies by installing unauthorized VPN clients, anonymizers, or tunneling applications that allow them to connect directly to external servers, bypassing corporate inspection, web filtering, malware scanning, and Data Loss Prevention (DLP) mechanisms. Application control inspects network traffic for application signatures, behaviors, and protocols, enabling detection and blocking of these tunneling attempts. SSL deep inspection allows encrypted tunnels to be examined for unauthorized applications. Logs provide detailed insight into blocked connections, attempted bypasses, and policy enforcement, supporting auditing, compliance, and incident response. Granular application control rules can be applied per user group, VLAN, or department, ensuring targeted enforcement without affecting legitimate business applications. This configuration enforces zero-trust principles by ensuring that all traffic is inspected, monitored, and controlled according to policy. By blocking unauthorized VPN tunneling, the organization reduces the risk of data exfiltration, malware introduction, and policy circumvention, maintaining the integrity of network security and compliance frameworks.

B) This describes enabling NAT on remote user interfaces. NAT modifies IP addresses but does not inspect traffic for VPN tunneling or enforce security policies. NAT alone cannot prevent unauthorized bypass.

C) This describes increasing TTL for remote VPN sessions. TTL affects session lifespan but does not provide application-level inspection or enforcement. Adjusting TTL cannot block tunneling applications.

D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity but does not block unauthorized VPN clients or tunneling. Static routes alone cannot enforce security policies.

Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that ensures remote users cannot bypass security policies. Therefore, A is correct.

Question 72

A FortiGate administrator wants to prevent sensitive documents from being uploaded to unapproved cloud storage services while allowing access to corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles inspect network traffic, including HTTPS, for sensitive content such as financial documents, personally identifiable information (PII), intellectual property, or confidential reports. By defining allowed cloud platforms, the firewall ensures uploads to approved corporate services are permitted, while blocking unauthorized services such as public file-sharing websites or personal cloud storage. SSL inspection enables the firewall to inspect encrypted traffic, preventing data exfiltration attempts through HTTPS. Policies can include file type recognition, keyword matching, or document fingerprinting to accurately detect sensitive data. Logs and reports provide detailed insight into blocked uploads, policy enforcement, and attempted circumvention, supporting compliance, auditing, and incident response. Granular policies can be applied per VLAN, user group, or department, allowing precise control over cloud access and data protection. This configuration prevents accidental or malicious data leakage, reduces exposure to regulatory penalties, and maintains the organization’s security posture while enabling legitimate business operations.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or enforce DLP policies. NAT alone cannot prevent unauthorized uploads.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not control or inspect data for sensitive content. Adjusting TTL alone cannot prevent data exfiltration.

D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect or block uploads to unapproved platforms. Static routes alone cannot enforce DLP policies.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing legitimate cloud access. Therefore, A is correct.

Question 73

A FortiGate administrator wants to prevent malware and ransomware from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation separates critical systems from general user networks, limiting the lateral movement of threats. Firewall policies between VLANs enable traffic inspection to detect and block malware, ransomware, and unauthorized applications. Antivirus scanning inspects files and executables to prevent malware propagation. IPS monitors network traffic for exploits, suspicious patterns, and known attack signatures, blocking malicious traffic between VLANs. Application control ensures that only authorized applications can communicate between segments, preventing malware from using unauthorized channels. SSL deep inspection allows encrypted traffic to be inspected for hidden threats. Logs and reports provide visibility into blocked threats, policy enforcement, and traffic patterns, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a multi-layered defense, ensuring security without disrupting legitimate operations. This approach aligns with zero-trust principles by enforcing inspection and access control between network segments.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or prevent malware propagation. NAT alone cannot enforce inter-VLAN security.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not enforce antivirus, IPS, or application control. Adjusting TTL cannot prevent malware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect or block malicious traffic. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware spread while allowing legitimate traffic. Therefore, A is correct.
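The configuration the explanation describes, as an added FortiOS CLI example that is not part of the exam material or Fortinet documentation. Interface names (internal, vlan10-users, vlan20-servers), addresses, policy ID and the use of the built-in default profiles are assumptions; lines beginning with # are annotations, not CLI.

```text
# Two VLAN sub-interfaces on the same physical port: users and servers.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set interface "internal"
        set vlanid 10
    next
    edit "vlan20-servers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set interface "internal"
        set vlanid 20
    next
end
# Narrow destination object instead of "all" for the server segment.
config firewall address
    edit "vlan20-app-servers"
        set subnet 10.10.20.0 255.255.255.0
    next
end
# Users -> servers: only the needed services, with AV, IPS and app control.
# Deep inspection is chosen so AV can scan inside HTTPS to the servers;
# the FortiGate CA must then be trusted by the user VLAN's hosts.
config firewall policy
    edit 10
        set name "users-to-servers"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "all"
        set dstaddr "vlan20-app-servers"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
    next
end
```

There is deliberately no servers-to-users policy here: the implicit deny drops that direction, which is the point of segmentation. If servers must initiate connections back, add a separate, equally narrow policy rather than widening this one, and enable logging on the implicit deny policy so blocked lateral-movement attempts show up in the traffic logs.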

Question 74

A FortiGate administrator wants to enforce SSL inspection for remote users’ web traffic to detect malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes for remote user traffic

Answer: A

Explanation

A) This describes applying SSL deep inspection together with antivirus, web filter, and application control profiles to the firewall policy that carries SSL VPN traffic, that is, the policy from the SSL VPN tunnel interface (ssl.root) to the WAN. Two conditions have to hold. First, the remote users' web traffic must actually pass through the FortiGate: the SSL VPN portal has to be in tunnel mode with split tunneling disabled, otherwise Internet-bound traffic leaves the client directly and is never seen. Second, the SSL VPN only encrypts the path between the client and the FortiGate; once traffic leaves the tunnel toward the Internet it is ordinary HTTPS, and the content-based profiles can only act on it if an SSL/SSH inspection profile with deep inspection decrypts it. Deep inspection re-signs server certificates with the FortiGate CA (Fortinet_CA_SSL by default), so that CA must be installed as trusted on the remote endpoints or users will see certificate errors on every site. With decryption in place, antivirus scans downloaded files for malware, web filtering blocks phishing and malicious sites by FortiGuard category, and application control identifies applications tunneled inside HTTPS. Logs of blocked traffic and detected threats support auditing and incident response. Sites that pin certificates or carry sensitive personal data can be exempted from decryption; the built-in deep-inspection profile already exempts several FortiGuard categories such as banking and health. The result is that remote users receive the same inspection as on-site users, which is the reason for routing their web traffic through the firewall at all.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not decrypt, inspect, or enforce security policies. NAT alone cannot detect malware or unauthorized applications.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not enforce inspection or security policies. Adjusting TTL cannot detect malware or phishing.

D) This describes configuring static routes for remote user traffic. Routing ensures connectivity but does not inspect encrypted traffic or block threats. Static routes alone cannot secure SSL VPN traffic.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 75

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes for external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking, which on a FortiGate is fed by the FortiGuard botnet domain and IP lists. The domain side lives in the DNS filter profile: with "Redirect botnet C&C requests to Block Portal" enabled, a query for a domain on the botnet list is answered with the block portal address instead of the real one, so an infected host never learns where its controller is. The IP side lives in the IPS sensor rather than in the web filter: "Scan Outgoing Connections to Botnet Sites" blocks sessions to addresses on the botnet IP list, which catches malware that hard-codes IP addresses or uses a resolver the FortiGate does not see. The web filter contributes its Security Risk categories (Malicious Websites, Phishing) for URL-based blocking, over HTTPS with certificate or deep inspection as needed. Together these stop compromised internal hosts from receiving instructions, exfiltrating data, or joining coordinated attacks. Logs from all three profiles identify the querying or connecting host, which is the first lead for incident response: a blocked C&C attempt is evidence of an infection, not merely a policy hit. FortiGuard updates the lists continuously. Two caveats apply: the DNS filter only sees queries that cross the policy on the DNS service (hosts pointed at an external DNS-over-HTTPS resolver bypass it unless that traffic is inspected or blocked), and the lists are reactive, so this control complements rather than replaces endpoint protection.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not detect or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not block botnet communications. Adjusting TTL cannot mitigate malware threats.

D) This describes configuring static routes for external servers. Routing ensures connectivity but does not detect or block botnet traffic. Static routes alone cannot prevent malicious communication.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively blocks internal hosts from communicating with malicious command-and-control servers. Therefore, A is correct.

Question 76

A FortiGate administrator wants to prevent internal users from uploading confidential files to unauthorized cloud storage services while allowing access to corporate-approved platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying a Data Loss Prevention (DLP) profile, paired with application control, so that sensitive content is blocked on upload while approved platforms stay usable. Two controls share the work. The DLP profile inspects the content of sessions crossing the policy for defined patterns, using dictionaries (regular expressions, keywords, built-in matchers such as credit card numbers), file fingerprints and file-type rules, and blocks or logs a matching upload. Application control, or alternatively a separate policy scoped to the sanctioned services, decides which cloud platforms may be reached at all: the approved SaaS platforms are allowed, and unsanctioned file-sharing and personal cloud storage are blocked by category. Since practically all uploads are HTTPS, the policy needs an SSL/SSH inspection profile with deep inspection, otherwise neither control can see file contents. DLP on FortiOS 7.x is proxy-based, so the policy must use proxy inspection mode. Logs record blocked and allowed uploads, the matched rule and the user, supporting auditing, compliance and investigation. Policies can be scoped per VLAN, user group or department. Two practical caveats: DLP only finds what its dictionaries describe, so patterns have to be tuned to the organisation's own data, and password-protected archives cannot be inspected, which is why DLP rules usually block or log encrypted files rather than pass them.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for routing but does not inspect traffic or enforce DLP policies. NAT alone cannot prevent unauthorized uploads.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not inspect or block sensitive content. Adjusting TTL cannot enforce data protection.

D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not enforce content inspection or DLP policies. Static routes alone cannot prevent unauthorized uploads.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing legitimate cloud access. Therefore, A is correct.

Question 77

A FortiGate administrator wants to block access to social media websites during business hours but allow access after work hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes a web filter profile that blocks the Social Networking FortiGuard category, applied by a firewall policy whose schedule covers business hours. FortiGuard categorises sites (social media, gambling, entertainment, business services and so on), so the rule is a category action rather than a manually maintained URL list. Scheduling is a property of the firewall policy, not of the web filter profile: one policy with a recurring schedule for working hours carries the restrictive profile, and a second policy with the schedule "always" carries the normal profile. Policies are matched top to bottom, so the scheduled policy must sit above the general one, otherwise it never matches. Category-based blocking works on HTTPS with certificate inspection, which reads the server name from the TLS handshake; full deep inspection is only needed if page content must be inspected as well. Logs show blocked attempts, allowed access and user activity for auditing and productivity reporting. Scoping by VLAN, department or user group is done through the policy's source interface, address or group fields. One detail to check: when the schedule ends, sessions that are already open are kept unless the policy has schedule-timeout enabled, so a session opened at 17:59 can otherwise outlive the business-hours window.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect or restrict web traffic. NAT alone cannot enforce web access policies.

C) This describes increasing TTL for HTTP sessions. TTL affects session duration but does not block websites. Adjusting TTL cannot control access based on category or time.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not enforce content filtering or schedules. Static routes alone cannot block access to specific websites.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled access to social media based on business hours. Therefore, A is correct.
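An added FortiOS CLI example of the two-policy, schedule-driven arrangement described above; it is not part of the exam material or Fortinet documentation. Interface names, the 08:00 to 18:00 window, policy IDs and profile names are assumptions; the FortiGuard category IDs used (37 Social Networking, 26 Malicious Websites) are taken from the FortiGuard web filter category list and should be verified in the GUI of your unit. Lines beginning with # are annotations, not CLI.

```text
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end
# Work-hours profile: social networking blocked, malicious sites blocked.
config webfilter profile
    edit "no-social-media"
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action block
                next
                edit 2
                    set category 26
                    set action block
                next
            end
        end
    next
end
# After-hours profile: only malicious sites blocked.
config webfilter profile
    edit "standard"
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
            end
        end
    next
end
# Policy 50 must be ABOVE policy 51. Certificate inspection is enough
# for category blocking because the SNI identifies the site.
config firewall policy
    edit 50
        set name "lan-out-business-hours"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "business-hours"
        set schedule-timeout enable
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "no-social-media"
        set nat enable
        set logtraffic all
    next
    edit 51
        set name "lan-out-after-hours"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "standard"
        set nat enable
        set logtraffic all
    next
end
```

If policy 51 already existed and 50 is added later, it lands at the bottom of the policy list; use "move 50 before 51" inside the firewall policy context (or drag it in the GUI) so the scheduled policy is evaluated first.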

Question 78

A FortiGate administrator wants to prevent internal users from bypassing security controls by using proxy servers or anonymizers. Which configuration should be applied?

A) Apply application control profiles with rules blocking proxy and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to proxy servers

Answer: A

Explanation

A) This describes an application control profile with the Proxy category blocked. FortiGuard's application database groups web proxies, anonymisers and tunnelling tools (the Tor and Ultrasurf signatures, for example) under the Proxy category, and users reach for exactly these to route around web filtering, antivirus scanning and DLP. Blocking the category, with logging enabled on the entry, denies that channel. Because such tools deliberately mimic ordinary HTTPS, the policy should also carry deep inspection, since many of the signatures can only be matched once the TLS payload is visible, and the "Block applications detected on non-default ports" option closes the trick of running a tunnel on port 443. Logs of blocked connections show who tried and with which tool, which is itself worth following up: a user installing an anonymiser is either circumventing policy or already compromised. Policies can be applied per VLAN, department or user group so that business-critical applications are unaffected. The caveat is that application control identifies traffic by signature, so a newly released or custom tunnel may be classified as unknown until FortiGuard adds it; blocking unknown applications outright is stricter but needs testing against legitimate business applications first.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not detect or block proxy or anonymizer applications. NAT alone cannot prevent bypass attempts.

C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not provide application-level inspection. Adjusting TTL cannot prevent users from bypassing policies.

D) This describes configuring static routes to proxy servers. Routing ensures connectivity but does not detect or block unauthorized proxies or anonymizers. Static routes alone cannot enforce security policies.

Application control profiles with rules blocking proxy and anonymizer applications are the only configuration that ensures users cannot bypass security policies. Therefore, A is correct.

Question 79

A FortiGate administrator wants to monitor and enforce per-user bandwidth limits to prevent excessive usage by a single user. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying a per-IP traffic shaper. A per-IP shaper applies its limits separately to each source IP address matched by the policy, so every host gets the same cap: a maximum bandwidth and, optionally, a maximum number of concurrent sessions. Guaranteed bandwidth and priority are properties of shared shapers, which pool bandwidth across all matching traffic; combining a shared shaper for business-critical applications with a per-IP shaper for the cap gives both prioritisation and fairness. Since FortiOS 6.2 shapers are normally attached through traffic shaping policies, matched after the firewall policy by address, service, application or URL category, although the CLI still accepts a per-IP shaper directly on a firewall policy. The traffic shaping monitor and logs show per-address usage for troubleshooting and enforcement. The important caveat is that per-IP means per source address, not per user: hosts behind an upstream NAT device share one limit, and a user with several devices gets several limits. Where the limit must follow identity, scope the shaping policy by user group and keep the per-IP shaper as the hard cap. This configuration prevents a single host from congesting the uplink while leaving legitimate traffic unaffected.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not control bandwidth or enforce per-user limits. NAT alone cannot prevent excessive usage.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not enforce bandwidth limits. Adjusting TTL cannot manage per-user resource consumption.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth policies. Static routes alone cannot provide traffic shaping.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents a single user from affecting network performance. Therefore, A is correct.
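An added FortiOS CLI example combining a per-IP cap with a shared shaper for prioritised traffic, as described above; it is not part of the exam material or Fortinet documentation. The bandwidth figures, shaper and policy names, the SIP service as the "business-critical" example and the interface name are assumptions; lines beginning with # are annotations, not CLI.

```text
# Per-IP: every source address is capped independently.
# No guaranteed bandwidth or priority here; those are shared-shaper fields.
config firewall shaper per-ip-shaper
    edit "per-host-5mbps"
        set max-bandwidth 5000
        set max-concurrent-session 300
        set bandwidth-unit kbps
    next
end
# Shared: one pool for all matching traffic, with guarantee and priority.
config firewall shaper traffic-shaper
    edit "voip-priority"
        set guaranteed-bandwidth 2000
        set maximum-bandwidth 10000
        set priority high
        set bandwidth-unit kbps
    next
end
# Shaping policies are matched top to bottom; the first match applies,
# so the per-IP cap is repeated on the VoIP policy to keep it in force.
config firewall shaping-policy
    edit 1
        set name "voip-first"
        set srcaddr "all"
        set dstaddr "all"
        set service "SIP"
        set dstintf "wan1"
        set traffic-shaper "voip-priority"
        set traffic-shaper-reverse "voip-priority"
        set per-ip-shaper "per-host-5mbps"
    next
    edit 2
        set name "per-host-cap"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set dstintf "wan1"
        set per-ip-shaper "per-host-5mbps"
    next
end
```

Shaping policies only apply to traffic that a firewall policy has already accepted, so no change to the existing outbound policies is needed beyond making sure they exist. To tie the cap to identity rather than address, add the relevant user group to the shaping policy's group field and keep the per-IP shaper as the ceiling.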

Question 80

A FortiGate administrator wants to block botnet command-and-control traffic originating from internal hosts. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes for external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking, the same FortiGuard-fed mechanism as in Question 75. On a FortiGate the control is split across profiles: the DNS filter profile's "Redirect botnet C&C requests to Block Portal" option answers queries for known C&C domains with the block portal address, so an infected host cannot resolve its controller; the IPS sensor's "Scan Outgoing Connections to Botnet Sites" option blocks sessions to known C&C IP addresses, which covers malware that hard-codes addresses or bypasses the local resolver; and the web filter's Security Risk categories block known malicious and phishing URLs over HTTP and HTTPS, with certificate or deep inspection as needed. Blocking these communications prevents compromised internal hosts from receiving instructions, exfiltrating data, or participating in coordinated attacks. Logs identify the originating host, and a blocked C&C attempt should be treated as an infection lead for incident response rather than as a routine policy hit. FortiGuard keeps the domain and IP lists current. As with Question 75, hosts that resolve names through an external DNS-over-HTTPS resolver bypass the DNS filter unless that traffic is inspected or blocked, and the lists are reactive, so this control complements endpoint protection rather than replacing it.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not detect or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not block botnet communications. Adjusting TTL cannot mitigate malware threats.

D) This describes configuring static routes for external servers. Routing ensures connectivity but does not block botnet communications. Static routes alone cannot prevent malicious activity.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively blocks internal hosts from communicating with malicious command-and-control servers. Therefore, A is correct.
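An added FortiOS CLI example for Question 75 and Question 80, which both ask for botnet C&C blocking; it is not part of the exam material or Fortinet documentation. It shows where the controls actually live on a FortiGate: the domain list in the DNS filter profile, the IP list in the IPS sensor, and the web filter's malicious-site categories, all attached to one outbound policy. Interface names, the policy ID and the use of the built-in default profiles are assumptions; lines beginning with # are annotations, not CLI.

```text
# Domain side: botnet C&C domains are answered with the block portal.
# log-all-domain makes every resolution visible for investigation.
config dnsfilter profile
    edit "default"
        set block-botnet enable
        set log-all-domain enable
    next
end
# IP side: outbound sessions to botnet IPs are blocked by the IPS sensor.
config ips sensor
    edit "default"
        set scan-botnet-connections block
    next
end
# Outbound policy carrying all three profiles. Service ALL includes DNS,
# which the DNS filter needs; certificate inspection is enough for the
# web filter's category decisions on HTTPS.
config firewall policy
    edit 30
        set name "lan-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set nat enable
        set logtraffic all
    next
end
```

The DNS filter only acts on queries that traverse this policy; if internal hosts use an internal resolver, the policy between the hosts and that resolver (or the resolver's own outbound policy) is where the DNS filter profile has to be attached, and the IPS botnet scan on the Internet-facing policy remains the backstop for hosts that never resolve a name at all.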
