Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 5 (Q81–100)


Question 81

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows remote users to securely access internal resources over encrypted channels. Without deep inspection, encrypted HTTPS traffic could bypass security measures, allowing malware, phishing attempts, or unauthorized applications to pass undetected. SSL deep inspection decrypts HTTPS traffic, enabling antivirus scanning to inspect files and attachments for malware or trojans. Web filtering blocks access to malicious websites, phishing domains, and unapproved content categories. Application control identifies unauthorized applications, even if they attempt to tunnel over HTTPS. Logs and reports provide visibility into blocked traffic, detected threats, and policy enforcement, supporting auditing, compliance, and incident response. Administrators can configure exceptions for trusted sites to minimize user disruption while maintaining security. Applying SSL deep inspection ensures that remote users cannot bypass corporate security policies and that encrypted traffic does not undermine zero-trust principles. This configuration protects both remote users and internal resources by enforcing inspection and blocking threats while maintaining secure remote access.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect encrypted traffic, detect malware, or enforce security policies. NAT alone cannot ensure secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL alone cannot block malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not provide traffic inspection or threat protection. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 82

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to identify malicious IP addresses, domains, and URLs used by botnets to control compromised hosts. DNS filtering prevents internal hosts from resolving malicious domains associated with C&C servers, while web filtering inspects HTTP and HTTPS traffic, applying SSL deep inspection if needed, to block communication attempts with known C&C infrastructure. Blocking these communications prevents malware-infected hosts from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide detailed visibility into blocked attempts, policy enforcement, and potential internal infections, supporting auditing, compliance, and incident response. FortiGuard threat intelligence ensures continuous protection against evolving botnet infrastructures. By combining DNS and web filter C&C protections, administrators can maintain internal network security while allowing legitimate traffic. This approach enforces zero-trust principles, prevents compromised hosts from being weaponized, and reduces the overall risk of malware propagation and data exfiltration.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not detect or block botnet communications. Adjusting TTL cannot prevent malware propagation or C&C activity.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not enforce security policies or block malicious communications. Static routes alone cannot prevent C&C traffic.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively blocks internal hosts from communicating with malicious command-and-control servers. Therefore, A is correct.

Question 83

A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, preventing lateral movement of threats. Firewall policies between VLANs enable inspection of all inter-segment traffic. Antivirus scanning inspects files, executables, and attachments, blocking malware or ransomware propagation. IPS monitors network traffic for exploits, suspicious behaviors, and attack signatures. Application control permits only approved applications, so malware and unsanctioned applications cannot spread over channels that policy does not allow. SSL deep inspection ensures encrypted traffic is also evaluated. Logs provide detailed insights into blocked threats, policy enforcement, and inter-VLAN traffic patterns, supporting compliance, auditing, and incident response. Layering antivirus, IPS, and application control on inter-VLAN policies creates a multi-layered defense while maintaining business operations. This approach aligns with zero-trust principles by enforcing inspection and access control across internal segments. Administrators can apply policies per VLAN, department, or user group to maintain security while allowing legitimate traffic flows.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic, block malware, or enforce inter-VLAN security policies. NAT alone cannot prevent threat propagation.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide malware inspection or application control. Adjusting TTL cannot prevent malware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or block threats. Static routes alone cannot prevent malware or ransomware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware spread while allowing legitimate business traffic. Therefore, A is correct.

Question 84

A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive resources and affecting overall network performance. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP shaping allows administrators to define maximum, guaranteed, and priority bandwidth for individual users or devices. This ensures equitable distribution of resources and prevents a single user from monopolizing network bandwidth. Traffic shaping profiles can prioritize business-critical applications while limiting non-essential traffic. By applying the shaping policies to firewall rules, all user sessions are monitored and enforced according to defined bandwidth limits. Logs and reports provide visibility into user consumption patterns, policy enforcement, and troubleshooting data, supporting compliance and operational efficiency. Policies can be applied per VLAN, department, or user group, enabling granular control and flexibility. This configuration ensures fair access to network resources, reduces congestion, and supports zero-trust principles by controlling network usage at the individual level. It also prevents performance degradation for critical applications and other users while maintaining operational stability. Traffic shaping combined with monitoring allows proactive management of bandwidth and network optimization.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce per-user bandwidth limits. NAT alone cannot control resource consumption.

C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not control bandwidth usage. Adjusting TTL cannot enforce per-user limits.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce bandwidth policies. Static routes alone cannot manage network resource allocation.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents network performance issues. Therefore, A is correct.

Question 85

A FortiGate administrator wants to block access to malicious websites in real time while allowing access to essential business services. Which configuration should be applied?

A) Apply web filter profiles with FortiGuard categories and allow lists for business-critical websites
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes for business-critical websites

Answer: A

Explanation

A) This describes applying web filter profiles with FortiGuard categories along with allow lists for business-critical websites. FortiGuard threat intelligence continuously updates categories of malicious websites, phishing domains, and high-risk content. Web filter profiles block access to these sites in real time, preventing malware infections, phishing attacks, and other security risks. Allow lists ensure access to essential business services, even if miscategorized, maintaining operational continuity. SSL deep inspection allows encrypted HTTPS traffic to be inspected, ensuring security policies are enforced consistently. Logs and reports provide insight into blocked traffic, allowed access, and policy enforcement, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group to provide granular control. This configuration maintains security without disrupting legitimate business operations, prevents web-based attacks, and reduces the risk of malware propagation. Combining FortiGuard categories with allow lists ensures real-time protection and business continuity.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect or block malicious websites. NAT alone cannot prevent web-based threats.

C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not provide content inspection or policy enforcement. Adjusting TTL cannot block malicious websites.

D) This describes configuring static routes for business-critical websites. Routing ensures connectivity but does not enforce content filtering or security policies. Static routes alone cannot prevent access to malicious sites.

Web filter profiles with FortiGuard categories and allow lists for business-critical websites are the only configuration that ensures secure, real-time protection against malicious sites while maintaining business continuity. Therefore, A is correct.

Question 86

A FortiGate administrator wants to prevent internal hosts from using unauthorized VPN clients or anonymizers to bypass security policies. Which configuration should be applied?

A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers

Answer: A

Explanation

A) This describes applying application control profiles with rules blocking VPN tunneling and anonymizer applications. Internal users may attempt to bypass corporate security policies by installing unauthorized VPN clients or using anonymizers to circumvent firewall policies, web filtering, antivirus scanning, and Data Loss Prevention (DLP) rules. Application control inspects network traffic for application signatures, behaviors, and protocols, allowing the firewall to detect and block these bypass attempts. SSL deep inspection allows inspection of encrypted sessions, ensuring users cannot tunnel unauthorized traffic. Logs provide detailed visibility into blocked connections, attempted policy bypasses, and enforcement results, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group, providing granular enforcement without affecting legitimate applications. Blocking unauthorized VPN and anonymizer applications maintains network integrity, prevents data exfiltration, reduces exposure to malware, and ensures adherence to zero-trust principles. By enforcing application control rules, administrators ensure all traffic adheres to corporate security standards while enabling legitimate business operations.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic for VPN or anonymizer usage. NAT alone cannot enforce security policies.

C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not inspect or block applications. Adjusting TTL cannot prevent bypass attempts.

D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity but does not block unauthorized VPN clients or anonymizers. Static routes alone cannot enforce security policies.

Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that prevents internal users from bypassing security policies. Therefore, A is correct.

Question 87

A FortiGate administrator wants to enforce SSL inspection on remote user web traffic to detect malware, phishing attempts, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for HTTPS sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows remote users to securely access internal resources over encrypted channels. Without SSL deep inspection, encrypted traffic could bypass corporate security policies, allowing malware, phishing attempts, and unauthorized applications to pass undetected. SSL deep inspection decrypts traffic, allowing antivirus scanning to inspect files and attachments for malware or trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content categories. Application control identifies and blocks unauthorized applications, even when tunneled through HTTPS. Logs and reports provide visibility into blocked traffic, detected threats, and enforcement of security policies, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to minimize user disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic is inspected, threats are blocked, and zero-trust principles are maintained for remote users accessing corporate resources.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic, detect malware, or enforce security policies. NAT alone cannot secure SSL VPN traffic.

C) This describes increasing TTL for HTTPS sessions. TTL affects session lifespan but does not inspect traffic or enforce policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not provide traffic inspection or block threats. Static routes alone cannot enforce security policies.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
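Questions 81, 83 and 87 all reduce to the same mechanism: the inspection profiles live on the firewall policy that the SSL VPN tunnel or the inter-VLAN traffic actually traverses. The FortiOS CLI below is an added example for this page, not configuration from the exam material or from Fortinet; interface names (ssl.root, port1, port2, vlan10, vlan20), the address objects, the user group and the policy IDs are assumptions, while the profile names are the factory defaults FortiOS ships with.

```fortios
# Added example (constructed): UTM profiles are applied on the policies that
# carry SSL VPN tunnel traffic (Q81/Q87) and inter-VLAN traffic (Q83).
# Interface names, address objects, group name and policy IDs are assumptions.

config firewall policy
    # Q81: remote users -> internal resources, entering on the tunnel interface
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_net"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        # deep-inspection decrypts TLS so AV, web filter and app control see
        # the payload; certificate-inspection would expose only SNI/cert data
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
    next
    # Q87: remote users' web traffic to the internet through the tunnel
    # (only reaches this policy when split tunnelling is disabled)
    edit 11
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
    next
    # Q83: user VLAN -> server VLAN; IPS added to catch exploit traffic
    # moving laterally between segments
    edit 12
        set name "vlan10-to-vlan20"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "VLAN10_net"
        set dstaddr "VLAN20_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
    next
end
```

Deep inspection only works cleanly when the endpoints trust the CA the FortiGate re-signs with, so the CA certificate has to be deployed to remote and VLAN clients first; anything not matched by these policies should still hit the implicit deny rather than a permissive catch-all.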

Question 88

A FortiGate administrator wants to prevent internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to identify malicious IP addresses, domains, and URLs associated with botnet infrastructures. DNS filtering intercepts requests to known malicious domains, preventing internal hosts from resolving or connecting to C&C servers. Web filtering inspects HTTP and HTTPS traffic, using SSL deep inspection when necessary, to block communication attempts with known C&C infrastructure. Blocking these connections prevents malware-infected hosts from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide detailed insights into blocked attempts, policy enforcement, and potential infections, supporting auditing, compliance, and incident response. FortiGuard threat intelligence ensures real-time updates to detect and prevent emerging botnet activities. Combining DNS and web filter C&C protections ensures internal hosts are prevented from compromising network security while legitimate traffic flows uninterrupted. This approach enforces zero-trust principles and reduces the risk of malware propagation, data exfiltration, and coordinated attacks from internal hosts.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not block botnet communications. Adjusting TTL cannot prevent malware propagation or command-and-control activity.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect or block malicious traffic. Static routes alone cannot prevent C&C communications.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious command-and-control servers. Therefore, A is correct.
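Questions 82 and 88 (and Question 94 later on this page) ask for the same control. The DNS-filter half of it in FortiOS CLI is shown below as an added example for this page, not configuration from the exam material or from Fortinet; the profile name, interface names and address objects are assumptions, and the FortiGuard category IDs should be confirmed on the unit. The web-filter half is attached to the HTTP/HTTPS policy in the same way and is not repeated here.

```fortios
# Added example (constructed): DNS-side botnet C&C blocking.
# Profile name, interface names and address objects are assumptions.

config dnsfilter profile
    edit "block-cnc"
        set comment "Block resolution of FortiGuard-listed botnet C&C domains"
        # botnet blocking is a separate switch from the category filters
        set block-botnet enable
        # log every domain, not only blocked ones, so an infected host's
        # lookup pattern is visible in the DNS logs during incident response
        set log-all-domain enable
        config ftgd-dns
            config filters
                # FortiGuard DNS categories: 26 Malicious Websites, 61 Phishing
                # (IDs assumed; confirm with "set category ?" on the unit)
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
    next
end

# The profile only sees queries that traverse a policy it is attached to.
config firewall policy
    edit 30
        set name "lan-dns-out"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set nat enable
        set utm-status enable
        set dnsfilter-profile "block-cnc"
        set logtraffic all
    next
end

# If the FortiGate itself answers client queries (DNS server on the LAN
# interface), attach the profile to that service instead; those queries are
# answered locally and never reach the policy above.
config system dns-server
    edit "port2"
        set mode recursive
        set dnsfilter-profile "block-cnc"
    next
end
```

Hosts that resolve over DNS-over-HTTPS or DNS-over-TLS never present a plain DNS query to this profile, which is why the page pairs it with web-filter C&C blocking on the HTTP/HTTPS policy.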

Question 89

A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP shaping allows administrators to define maximum, guaranteed, and priority bandwidth for individual users or devices. This ensures equitable distribution of network resources and prevents a single user from monopolizing bandwidth. Traffic shaping profiles can prioritize critical applications while limiting non-essential traffic. Applying these profiles at the firewall policy level ensures all sessions are monitored and enforced according to policy. Logs and reports provide visibility into per-user bandwidth consumption, policy enforcement, and troubleshooting, supporting compliance and operational efficiency. Policies can be applied per VLAN, department, or user group, providing granular control. This configuration ensures fair access to network resources, prevents congestion, maintains predictable network performance, and supports zero-trust principles by controlling individual usage. Traffic shaping combined with monitoring allows proactive bandwidth management while preserving operational efficiency and security compliance.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce per-user bandwidth limits. NAT alone cannot control resource consumption.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not limit bandwidth or manage per-user resource consumption.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth limits. Static routes alone cannot manage network performance.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents network degradation caused by individual users. Therefore, A is correct.
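Questions 84 and 89 are the per-IP shaper case. The FortiOS CLI below is an added example for this page, not configuration from the exam material or from Fortinet; shaper names, interface names and address objects are assumptions.

```fortios
# Added example (constructed): cap every LAN host at the same bandwidth so
# one user cannot saturate the uplink.
# Shaper names, interface names and address objects are assumptions.

config firewall shaper per-ip-shaper
    edit "per-user-10M"
        # max-bandwidth is enforced separately for EACH matching source IP
        set max-bandwidth 10000
        set bandwidth-unit kbps
        # also cap sessions per host so a chatty or infected machine cannot
        # exhaust the session table for everyone else
        set max-concurrent-session 500
    next
end

# A per-IP shaper has only a ceiling. Guaranteed bandwidth and priority come
# from a shared shaper, which can sit on the same shaping policy.
config firewall shaper traffic-shaper
    edit "bulk-low"
        set per-policy enable
        set guaranteed-bandwidth 1000
        set maximum-bandwidth 50000
        set priority low
    next
end

# Shaping policies apply after a firewall policy has accepted the session and
# match on address/service (optionally application or URL category).
config firewall shaping-policy
    edit 1
        set name "cap-each-lan-host"
        set status enable
        set srcaddr "LAN_net"
        set dstaddr "all"
        set service "ALL"
        set dstintf "port1"
        set per-ip-shaper "per-user-10M"
        set traffic-shaper "bulk-low"
        set traffic-shaper-reverse "bulk-low"
    next
end
```

`diagnose firewall shaper per-ip-shaper list` shows the live per-IP counters, which is the quickest way to confirm a host is actually being held to the cap rather than just matching the policy.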

Question 90

A FortiGate administrator wants to block access to malicious websites while allowing access to business-critical websites. Which configuration should be applied?

A) Apply web filter profiles with FortiGuard categories and allow lists for business-critical websites
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes for business-critical websites

Answer: A

Explanation

A) This describes applying web filter profiles with FortiGuard categories along with allow lists for business-critical websites. FortiGuard continuously updates threat intelligence to identify malicious websites, phishing domains, and high-risk content. Web filter profiles block access to these threats in real time, preventing malware, ransomware, or phishing attacks. Allow lists ensure essential business services remain accessible even if miscategorized, maintaining operational continuity. SSL deep inspection enables encrypted HTTPS traffic to be scanned, ensuring consistent enforcement of security policies. Logs provide detailed insights into blocked traffic, allowed access, and policy enforcement, supporting auditing, compliance, and incident response. Granular policy application per VLAN, user group, or department allows flexibility without compromising security. This configuration reduces exposure to web-based attacks, prevents malware propagation, and maintains business continuity. Combining FortiGuard categories with allow lists ensures real-time protection while supporting operational efficiency and security compliance.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect or block malicious content. NAT alone cannot protect against web-based threats.

C) This describes increasing TTL for HTTP sessions. TTL affects session duration but does not enforce web security or block malicious websites.

D) This describes configuring static routes for business-critical websites. Routing ensures connectivity but does not inspect content or enforce security policies. Static routes alone cannot prevent access to malicious websites.

Web filter profiles with FortiGuard categories and allow lists for business-critical websites are the only configuration that ensures secure, real-time protection while maintaining access to essential services. Therefore, A is correct.

Question 91

A FortiGate administrator wants to prevent internal hosts from bypassing security controls by using unauthorized proxy servers or anonymizers. Which configuration should be applied?

A) Apply application control profiles with rules blocking proxy and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to proxy servers

Answer: A

Explanation

A) This describes applying application control profiles with rules blocking proxy servers and anonymizers. Internal users may attempt to bypass corporate security policies, web filtering, antivirus scanning, or DLP rules by using proxy software or anonymizer websites. Application control inspects traffic for signatures, behaviors, and protocols associated with these applications. Blocking unauthorized proxies ensures that all internet-bound traffic remains subject to corporate security policies. SSL inspection allows the firewall to inspect encrypted sessions, preventing users from bypassing controls via HTTPS. Logs provide detailed visibility into blocked connections, attempted bypasses, and enforcement results, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group, providing granular control without affecting legitimate business applications. Blocking unauthorized proxies and anonymizers reduces the risk of malware introduction, data exfiltration, and policy circumvention while maintaining operational security and zero-trust principles. This configuration ensures users cannot circumvent security measures, protecting both internal systems and network integrity while supporting regulatory compliance.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block proxies or anonymizers. NAT alone cannot prevent bypass attempts or enforce security policies.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not inspect or block application traffic. Adjusting TTL cannot prevent users from bypassing security policies.

D) This describes configuring static routes to proxy servers. Routing ensures connectivity but does not detect or block unauthorized proxy or anonymizer applications. Static routes alone cannot enforce security policies.

Application control profiles with rules blocking proxy and anonymizer applications are the only configuration that prevents internal users from bypassing corporate security policies. Therefore, A is correct.

Question 92

A FortiGate administrator wants to enforce per-user data usage limits on internet access to prevent excessive consumption by a single user. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles with data quotas to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shaping profiles with data quotas to firewall policies. Traffic shaping profiles allow administrators to define maximum, guaranteed, and priority bandwidth per user or IP address, and data quotas enforce consumption limits over defined periods such as daily, weekly, or monthly. By applying these profiles to firewall policies, the firewall can enforce both bandwidth and data usage limits per user. Logs provide detailed visibility into usage patterns, quota enforcement, and policy compliance, supporting auditing, compliance, and operational monitoring. Quotas prevent network congestion, ensure fair distribution of bandwidth, and maintain predictable performance for business-critical applications. Policies can be applied per VLAN, department, or user group, allowing granular control while enabling flexibility for business needs. This approach ensures equitable resource allocation, reduces the risk of network performance degradation, and supports zero-trust enforcement by monitoring and controlling per-user network activity. Traffic shaping combined with data quotas also helps prevent malicious or excessive consumption that could impact other users or degrade network performance.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not enforce bandwidth limits or data quotas. NAT alone cannot prevent excessive consumption.

C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not control bandwidth or usage. Adjusting TTL cannot enforce data consumption policies.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not monitor or enforce per-user bandwidth or data usage. Static routes alone cannot limit excessive consumption.

Applying per-IP traffic shaping profiles with data quotas to firewall policies is the only configuration that ensures per-user limits, prevents excessive internet usage, and maintains network performance. Therefore, A is correct.

Question 93

A FortiGate administrator wants to block access to social media websites during business hours but allow access after work hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking combined with schedule-based policies. Web filter profiles categorize websites into groups such as social media, entertainment, gambling, and business-related sites. By associating the profile with a schedule, administrators can block access to social media sites during defined working hours and allow access outside business hours. SSL inspection ensures encrypted HTTPS traffic is also inspected, allowing enforcement on secure connections. Logs and reports provide detailed visibility into blocked and allowed traffic, user activity, and policy compliance. Policies can be applied per VLAN, department, or user group to allow granular enforcement without impacting legitimate business applications. Category-based blocking simplifies administration by eliminating the need to maintain manual URL lists and ensures consistent enforcement. This approach maintains productivity, reduces exposure to non-business activities, and ensures policy compliance while providing visibility and reporting for administrators to adjust enforcement as needed.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect or block website access. NAT alone cannot enforce web filtering or scheduling policies.

C) This describes increasing TTL for HTTP sessions. TTL affects session duration but does not block websites or enforce time-based policies. Adjusting TTL cannot control web access.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not enforce category-based blocking or schedule enforcement. Static routes alone cannot prevent access to social media.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled access to social media based on business hours. Therefore, A is correct.
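Questions 85, 90 and 93 combine into one configuration: FortiGuard category blocking, a static allow list for business sites, and a schedule that decides when the social media block applies. The FortiOS CLI below is an added example for this page, not configuration from the exam material or from Fortinet; object names, interfaces and address objects are assumptions, and the FortiGuard category IDs are quoted from memory and should be confirmed on the unit.

```fortios
# Added example (constructed): category blocking plus allow list, with social
# media blocked only during business hours. Names and interfaces are assumed;
# confirm category IDs (26 Malicious, 61 Phishing, 37 Social) with "set category ?".
config firewall schedule recurring
    edit "business-hours"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 17:00
    next
end
# Allow list: the static URL filter runs before the FortiGuard category lookup
config webfilter urlfilter
    edit 1
        set name "business-allow"
        config entries
            edit 1
                set url "portal.example.com"
                set type simple
                # allow keeps AV and the other scans; exempt would skip them
                set action allow
            next
        end
    next
end
config webfilter profile
    # used during business hours: security categories and social media blocked
    edit "wf-business-hours"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
                edit 3
                    set category 37
                    set action block
                next
            end
        end
    next
    # used outside the schedule: same security blocks, social media not listed
    edit "wf-after-hours"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
    next
end
# Policy 20 sits above 21; outside the schedule it is skipped and 21 applies.
config firewall policy
    edit 20
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_net"
        set dstaddr "all"
        set action accept
        set schedule "business-hours"
        # end sessions opened before 17:00 instead of letting them run on
        set schedule-timeout enable
        set service "HTTP" "HTTPS"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-business-hours"
        set logtraffic all
    next
    edit 21
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-after-hours"
        set logtraffic all
    next
end
```

certificate-inspection is enough for category decisions because FortiGuard rating works on the SNI/hostname; switch the policies to a deep-inspection profile if the same traffic must also be scanned for malware in downloaded files.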

Question 94

A FortiGate administrator wants to detect and block botnet command-and-control traffic originating from internal hosts. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes for external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to identify domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains linked to botnet C&C servers, and web filtering inspects HTTP and HTTPS traffic, applying SSL deep inspection when needed, to block communication attempts. Blocking C&C communications prevents compromised internal hosts from receiving instructions, participating in coordinated attacks, or exfiltrating sensitive data. Logs provide detailed insights into blocked connections, policy enforcement, and potential internal infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates ensure real-time protection against emerging threats. By combining DNS and web filter C&C protections, administrators maintain network security without disrupting legitimate traffic. This configuration enforces zero-trust principles by controlling outbound traffic and mitigating the risk of internal hosts being used for malicious purposes, reducing the threat landscape and improving overall network resilience.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block botnet communications. NAT alone cannot prevent malware from communicating with C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not detect or block botnet communications. Adjusting TTL cannot mitigate C&C activity.

D) This describes configuring static routes for external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet C&C traffic.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively blocks internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 95

A FortiGate administrator wants to block malware and ransomware from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, reducing the risk of malware and ransomware propagation. Inter-VLAN firewall policies inspect traffic crossing segments. Antivirus scanning inspects files, attachments, and executables to prevent malware transmission. IPS monitors traffic for known attack signatures, exploits, and anomalous behavior, blocking malicious activity between VLANs. Application control ensures only authorized applications can communicate, preventing malware or ransomware from using unauthorized channels. SSL deep inspection allows encrypted traffic to be evaluated for threats. Logs and reports provide detailed visibility into blocked threats, policy enforcement, and traffic patterns, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a multi-layered defense while maintaining legitimate business operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration aligns with zero-trust principles by inspecting and controlling inter-VLAN traffic, ensuring that critical assets remain protected while allowing operational workflows to continue uninterrupted.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot enforce inter-VLAN security.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or block threats. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 96

A FortiGate administrator wants to prevent sensitive documents from being uploaded to unauthorized cloud storage services while allowing access to approved corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles inspect network traffic, including encrypted HTTPS traffic, to detect sensitive information such as financial documents, intellectual property, confidential reports, or personally identifiable information (PII). By defining allowed cloud platforms, uploads to approved corporate services are permitted, while connections to unauthorized cloud services like public file-sharing websites or personal storage accounts are blocked. SSL deep inspection ensures encrypted traffic is thoroughly inspected to prevent data exfiltration through HTTPS. DLP policies can incorporate content fingerprinting, keyword matching, and file type recognition to accurately identify sensitive data. Logs provide visibility into blocked uploads, allowed transfers, and enforcement actions, supporting auditing, compliance, and regulatory requirements. Policies can be applied per VLAN, department, or user group to achieve granular enforcement without affecting legitimate business workflows. This approach ensures sensitive data is protected, compliance standards are met, and operational continuity is maintained while minimizing the risk of accidental or malicious data leaks.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or enforce DLP rules. NAT alone cannot prevent unauthorized cloud uploads.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not inspect or block sensitive content. Adjusting TTL cannot enforce data protection policies.

D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect content or enforce DLP policies. Static routes alone cannot prevent unauthorized uploads.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that effectively protects sensitive data while allowing legitimate cloud access. Therefore, A is correct.

Question 97

A FortiGate administrator wants to enforce controlled access to social media websites during work hours while allowing access after hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles categorize websites into groups such as social media, entertainment, and business services. By associating the profile with a schedule, administrators can block access to social media during work hours while allowing access outside business hours. SSL inspection ensures encrypted HTTPS traffic is inspected, allowing enforcement on secure connections. Logs provide visibility into blocked attempts, allowed access, user activity, and policy enforcement, supporting auditing, compliance, and productivity monitoring. Policies can be applied per VLAN, department, or user group to provide granular control without impacting legitimate business applications. Category-based blocking reduces administrative overhead, removing the need to manually maintain large URL lists. This configuration maintains employee productivity during work hours, reduces exposure to distractions, and ensures policy compliance while providing visibility and reporting for administrators.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect or block web traffic. NAT alone cannot enforce web filtering or scheduling policies.

C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not block websites or enforce time-based policies. Adjusting TTL cannot control web access.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not enforce category-based or schedule-based blocking. Static routes alone cannot prevent access to social media during business hours.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled social media access based on business hours. Therefore, A is correct.

Question 98

A FortiGate administrator wants to prevent malware and ransomware from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation separates critical assets from general user networks, reducing the risk of malware or ransomware propagation. Inter-VLAN firewall policies inspect all traffic moving between VLANs. Antivirus scanning examines files, attachments, and executables to detect malware and ransomware, blocking malicious content from spreading. IPS inspects network traffic for known attack signatures, anomalous behavior, and exploits to prevent attacks between segments. Application control enforces authorized communication channels and blocks unauthorized applications that could facilitate malware spread. SSL deep inspection ensures encrypted traffic is also analyzed for threats. Logs and reports provide visibility into blocked threats, policy enforcement, and inter-VLAN traffic patterns, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a robust multi-layer defense without interrupting legitimate business operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration aligns with zero-trust principles by inspecting and controlling traffic between internal segments, preventing malware propagation while enabling operational workflows.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent inter-VLAN threats.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 99

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to detect domains, IP addresses, and URLs associated with botnet infrastructures. DNS filtering prevents internal hosts from resolving malicious domains linked to C&C servers, while web filtering inspects HTTP and HTTPS traffic, using SSL deep inspection when necessary, to block communications. Blocking these communications prevents malware-infected hosts from receiving instructions, exfiltrating sensitive data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates ensure real-time protection against evolving threats. By combining DNS and web filter C&C protections, administrators maintain network security without affecting legitimate traffic. This configuration enforces zero-trust principles, reduces the risk of internal hosts being compromised, and mitigates the spread of malware while maintaining operational continuity.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not detect or block botnet communications. Adjusting TTL cannot mitigate malware or C&C activity.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communication. Static routes alone cannot prevent C&C traffic.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively blocks internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 100

A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP traffic shaping allows administrators to define maximum, guaranteed, and priority bandwidth for individual users or devices. This ensures equitable distribution of network resources and prevents a single user from monopolizing bandwidth. Traffic shaping profiles can prioritize critical business applications while limiting non-essential traffic. Applying the profiles to firewall policies ensures all user sessions are monitored and enforced according to defined bandwidth limits. Logs and reports provide visibility into per-user consumption patterns, policy enforcement, and troubleshooting, supporting compliance, operational monitoring, and resource optimization. Policies can be applied per VLAN, department, or user group for granular control. This configuration ensures fair access to network resources, prevents congestion, maintains predictable network performance, and supports zero-trust principles by controlling network usage at the individual level. Traffic shaping combined with monitoring allows proactive management of bandwidth and prevents network performance degradation due to excessive consumption by individual users.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not control bandwidth or enforce per-user limits. NAT alone cannot prevent excessive resource usage.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not enforce bandwidth limits. Adjusting TTL cannot manage per-user consumption.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth policies. Static routes alone cannot manage network resource allocation.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents network performance issues caused by individual users. Therefore, A is correct.
