Fortinet FCP_FGT_AD-7.6 FCP – FortiGate 7.6 Administrator Exam Dumps and Practice Test Questions Set 10 Q181-200
Question 181
A FortiGate administrator wants to enforce strict control over which users can access a critical web application based on their group membership. Which configuration should be used?
A) Web Filtering → Block by URL category
B) Firewall Policy → Source Address → Apply user groups
C) Application Control → Block unknown apps
D) SSL Inspection → Apply globally
Answer: Firewall Policy → Source Address → Apply user groups
Explanation:
In enterprise networks, controlling access to sensitive applications based on user identity is a core security requirement. FortiGate allows administrators to integrate with identity providers like Active Directory (AD) or LDAP to enforce granular user-based policies. The firewall policy becomes the central mechanism for controlling access: it defines which users, groups, or devices can communicate with specific resources on the network. By specifying user groups in the source address field, the administrator ensures that only authorized users within those groups can access the targeted application.
Web filtering, while powerful for blocking categories of websites, cannot enforce access control on a per-user basis—it functions primarily to block or allow web content based on URL patterns, categories, or reputation. Application control is designed to detect and manage applications and their usage, but does not inherently provide user-specific access enforcement for critical web applications. SSL inspection decrypts traffic for security scanning purposes but does not determine which users can access a particular resource.
Implementation of identity-based access control using FortiGate begins with integrating the firewall with a centralized identity provider, such as Active Directory (AD) or Azure AD. This integration allows FortiGate to authenticate users based on their directory credentials, rather than relying solely on IP addresses or network locations. By leveraging an identity provider, administrators can ensure that access policies are tied directly to user identities, roles, and group memberships. This provides granular control over network resources, making it possible to define who can access specific applications, servers, or segments of the network based on organizational requirements.
Once the integration is complete, appropriate user groups must be created within the identity directory. These groups can be structured according to departments, roles, or project teams, ensuring that policies align with real-world organizational hierarchies and responsibilities. For instance, an HR group may have access to personnel databases, while the finance team can access accounting systems. Mapping these user groups to firewall policies in FortiGate allows precise control over traffic flows, enforcing security rules based on both identity and context. This approach ensures that access is granted only to the right users under the right conditions, significantly reducing the risk of unauthorized access to sensitive resources.
Logging and monitoring are critical components of this setup. FortiGate generates detailed logs of authentication attempts, including successful logins, denied access, and policy violations. These logs can be visualized and analyzed through FortiView dashboards, providing administrators with a clear overview of network activity and user behavior. By reviewing these dashboards, administrators can identify unusual patterns, such as repeated login failures, attempts from unexpected locations, or access to unauthorized resources. This information enables proactive policy adjustments, enhances security awareness, and supports compliance with regulatory requirements by maintaining an auditable record of user activity.
Implementing identity-based access control also supports the principle of least privilege, a cornerstone of modern cybersecurity strategy. By granting users access only to the resources they need to perform their jobs, organizations minimize the attack surface available to both internal and external threats. Users are prevented from accessing systems outside their scope, reducing the potential impact of compromised credentials. Additionally, policies can be tailored to specific scenarios, such as enforcing multi-factor authentication (MFA) for high-risk applications, restricting access from unmanaged devices, or limiting remote access to certain times or locations.
This identity-driven approach provides flexibility and scalability as the organization grows. New users can be added to appropriate directory groups, automatically inheriting the correct firewall policies without manual configuration on the FortiGate device. Changes in roles or responsibilities can be easily reflected by updating group memberships, ensuring that access rights remain aligned with organizational changes. Furthermore, integrating identity with FortiGate facilitates compliance with industry standards, such as GDPR, HIPAA, and ISO 27001, by enforcing access control policies consistently and maintaining detailed records of user activity.
Finally, continuous monitoring and periodic policy review are essential for maintaining an effective identity-based access control system. By analyzing logs, reviewing FortiView dashboards, and conducting audits, administrators can ensure that access policies remain appropriate, identify potential security gaps, and respond quickly to emerging threats. Combining identity-based access with contextual policies, real-time monitoring, and detailed reporting creates a robust security posture that protects sensitive resources, enhances operational efficiency, and minimizes risk across the organization.
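The group-to-policy mapping described above, written out as an added FortiOS CLI example (not configuration from the page or from Fortinet documentation). The LDAP server, the group DN, the object names (AD-LDAP, HR-Staff, HRIS-Server), the interface names and the addresses are all assumed placeholders.

```fortios
# Added example: AD/LDAP-backed user group mapped to a firewall policy.
# Every name, address and DN below is an assumption, not a value from the page.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"            # constructed address of the domain controller
        set cnid "sAMAccountName"
        set dn "DC=example,DC=com"
        set type regular
        set username "CN=svc-fgt,OU=Service,DC=example,DC=com"
        set password "********"           # placeholder; keep the bind secret out of backups you share
        set secure ldaps                  # bind over LDAPS, never cleartext LDAP
        set port 636
    next
end

# The FortiGate group only matches users who are members of the directory group.
config user group
    edit "HR-Staff"
        set member "AD-LDAP"
        config match
            edit 1
                set server-name "AD-LDAP"
                set group-name "CN=HR,OU=Groups,DC=example,DC=com"
            next
        end
    next
end

config firewall address
    edit "HRIS-Server"
        set subnet 192.0.2.10 255.255.255.255   # constructed; RFC 5737 documentation range
    next
end

# Only authenticated members of HR-Staff match this policy; all other sources
# fall through to the implicit deny, so access is decided by identity, not by IP.
config firewall policy
    edit 10
        set name "HR-to-HRIS"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "HRIS-Server"
        set groups "HR-Staff"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all                # every session lands in the logs FortiView reads
    next
end
```

Adding a user to the HR directory group is then enough to grant access; removing them revokes it at the next authentication without touching the FortiGate.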
Question 182
A FortiGate administrator needs to prevent malware from entering the network through email attachments. Which feature should be enabled?
A) IPS Sensor → Enable Email Threat Signatures
B) Antivirus → Scan Incoming Email Traffic
C) Web Filtering → Block file downloads
D) Application Control → Block email clients
Answer: Antivirus → Scan Incoming Email Traffic
Explanation:
Email continues to be one of the most prevalent and effective attack vectors for cybercriminals, delivering malware such as ransomware, spyware, trojans, and phishing campaigns directly to end users. Due to the high volume of email traffic and the variety of threats that can be embedded within messages, protecting this channel is critical for any organization. Enabling antivirus scanning for incoming email traffic on FortiGate provides a proactive layer of defense by inspecting messages in real time before they reach users' inboxes. This scanning process examines not only the message body but also attachments, embedded links, and potentially suspicious metadata, allowing FortiGate to identify and block malicious payloads at the network perimeter. By intercepting threats at this early stage, organizations reduce the likelihood of infections spreading through endpoints, minimizing operational disruption and potential data loss.
FortiGate’s email protection leverages FortiGuard antivirus signatures, which are continuously updated to stay ahead of emerging threats. This ensures that even newly discovered malware variants, zero-day exploits, and polymorphic threats can be detected and mitigated before causing harm. Additionally, FortiGate supports heuristic and behavior-based detection techniques, which help identify previously unknown threats by analyzing suspicious patterns and behaviors within attachments or links. This combination of signature-based and heuristic analysis provides a robust defense mechanism, complementing other network security measures.
While antivirus scanning addresses the content of emails, other FortiGate features can enhance email security when used in combination. Intrusion Prevention System (IPS) sensors, for example, detect exploit attempts targeting vulnerabilities in email protocols, such as SMTP, IMAP, and POP3. IPS can block attempts to exploit misconfigured or outdated email servers, preventing attackers from using these systems as entry points. However, IPS alone is insufficient for comprehensive email malware protection because it focuses on network-level exploits and protocol-level vulnerabilities, rather than scanning the content of email messages themselves.
Similarly, Web Filtering can block access to known malicious websites or domains that may be linked within emails. While this helps prevent users from inadvertently visiting phishing sites or downloading malware, Web Filtering does not inspect email attachments or message content. It therefore cannot provide direct protection against the delivery of malware through the email channel. Application Control, on the other hand, can identify and manage email client traffic, controlling which applications are allowed to send or receive email. Although this can help enforce policy compliance and reduce the risk of unauthorized email clients, it does not provide content-level malware scanning and cannot detect threats embedded in legitimate email attachments.
The integration of email antivirus scanning with SSL inspection enhances protection further by allowing encrypted email traffic to be inspected. Many modern email services use TLS or other encryption protocols to secure messages in transit. Without SSL inspection, encrypted traffic cannot be analyzed, and malicious attachments or links may bypass network defenses. FortiGate’s ability to inspect encrypted traffic ensures that malware hidden within secure channels is detected and blocked, maintaining comprehensive protection without compromising legitimate business communications.
Implementation of this layered approach requires careful configuration and ongoing monitoring. Administrators should enable logging of all email scanning events and regularly review FortiView dashboards to track detected threats, blocked attachments, and patterns in attempted attacks. This data can help refine security policies, identify high-risk users or departments, and provide actionable insights for security awareness training. Additionally, ensuring that FortiGuard antivirus signatures and IPS sensors are continuously updated is critical to maintaining protection against evolving threats.
A multi-layered email security strategy, combining antivirus scanning, IPS, Web Filtering, Application Control, and SSL inspection, provides organizations with both proactive and reactive defenses. By intercepting malware at the perimeter, monitoring exploit attempts, and controlling application behavior, FortiGate minimizes the likelihood of infections, reduces the impact of successful attacks, and helps maintain regulatory compliance. Regular monitoring, policy refinement, and user education further strengthen defenses, ensuring that email remains a secure communication channel and a productive tool rather than a source of risk.
The implementation involves applying an antivirus profile to policies handling SMTP, IMAP, and POP3 traffic. Administrators should enable logging to track blocked or quarantined emails and ensure that FortiGuard updates are applied regularly to maintain protection against new threats. This approach ensures that malicious emails are intercepted before they reach endpoints, reducing the risk of infection and potential lateral movement within the network.
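The profile-plus-policy implementation in the paragraph above, as an added FortiOS CLI example that is not from the page. The profile name, the policy number, the interface names and the Mail-Server address object are assumed; the built-in "deep-inspection" SSL profile is referenced so that the TLS variants of the mail protocols are scanned too.

```fortios
# Added example: antivirus profile covering SMTP, IMAP and POP3, attached to
# the policy that carries inbound mail. Names and policy IDs are assumptions.
config antivirus profile
    edit "av-mail"
        set comment "Scan mail bodies and attachments at the perimeter"
        config smtp
            set av-scan block             # block, not just log, infected messages
            set executables virus         # treat Windows executables as infected
        end
        config imap
            set av-scan block
            set executables virus
        end
        config pop3
            set av-scan block
            set executables virus
        end
    next
end

config firewall policy
    edit 20
        set name "Mail-inbound"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Mail-Server"         # assumed address object for the mail server
        set action accept
        set schedule "always"
        set service "SMTP" "IMAP" "POP3" "SMTPS" "IMAPS" "POP3S"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"   # without this, SMTPS/IMAPS/POP3S are opaque
        set av-profile "av-mail"
        set logtraffic all                # blocked and quarantined messages show up in FortiView
    next
end
```

Clients on the mail server's network must trust the FortiGate re-signing CA for the encrypted variants to be inspected; otherwise they see certificate errors.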
Question 183
A FortiGate administrator wants to limit the maximum bandwidth for guest Wi-Fi users without affecting internal employees. Which configuration should be used?
A) Traffic Shaping → Apply per interface and per user group
B) Application Control → Block high-bandwidth apps
C) IPS Sensor → Apply globally
D) SSL Inspection → Enable deep inspection
Answer: Traffic Shaping → Apply per interface and per user group
Explanation: Traffic shaping allows network administrators to control bandwidth allocation across users, interfaces, or applications. For guest Wi-Fi users, this ensures that they do not consume excessive bandwidth, which could affect critical internal operations. FortiGate enables per-policy or per-interface shaping, allowing administrators to define guaranteed minimum and maximum bandwidth, priorities, and traffic queues.
Application control is primarily used for identifying and controlling application usage, but it does not guarantee bandwidth limits. IPS sensors detect exploits and threats, but do not manage traffic performance. SSL inspection allows encrypted traffic to be inspected for threats, but does not manage bandwidth.
Traffic Shaping is a network management technique that allows organizations to control bandwidth allocation, prioritize critical applications, and limit non-essential traffic to ensure optimal network performance. When applied per interface, Traffic Shaping enables administrators to manage bandwidth usage at the network entry or exit points, ensuring that each physical or virtual interface operates efficiently without congestion. This is particularly useful in environments with multiple WAN links, segmented networks, or branch offices, where certain interfaces may carry heavier traffic loads. By defining per-interface policies, administrators can prioritize business-critical traffic, such as ERP systems, VoIP, or video conferencing, while limiting bandwidth for less critical services.
Applying Traffic Shaping per user group provides an additional layer of granularity and control. Organizations can categorize users based on departments, roles, or security groups, and assign specific bandwidth policies to each group. For example, the finance or IT team may receive higher priority access to critical applications, while general staff or guest users have restricted bandwidth for recreational or non-essential traffic. This ensures that important workflows are not impacted by bandwidth-heavy activities, such as streaming, large downloads, or cloud backup tasks, by less critical users.
Combining per-interface and per-user group Traffic Shaping allows for a highly flexible and tailored approach to network performance management. Administrators can enforce policies that reflect both the physical limitations of the network and the operational priorities of the organization. This strategy also supports Quality of Service (QoS) objectives, maintaining low latency for real-time applications and consistent throughput for essential services. Additionally, ongoing monitoring through tools such as FortiView dashboards enables administrators to track traffic patterns, identify bottlenecks, and adjust shaping policies dynamically as usage patterns evolve.
By implementing Traffic Shaping at both the interface and user group levels, organizations can maximize network efficiency, improve user experience, and ensure that critical business applications maintain performance even during periods of high network demand. This approach also reduces potential conflicts between users and applications competing for bandwidth, ensuring predictable and manageable network behavior.
Implementation involves creating traffic shaping policies specific to the guest VLAN or SSID and associating them with the relevant firewall policies. Administrators can define maximum download/upload rates, prioritize certain types of traffic such as VoIP or enterprise apps, and monitor bandwidth usage via FortiView. Continuous monitoring ensures that bandwidth policies are effective and that internal business-critical operations remain unaffected by guest usage.
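The guest-only shaping described above, as an added FortiOS CLI example (not from the page). It assumes a guest SSID interface named "guest-ssid", a captive-portal group "Guest-Users", and a WAN interface "wan1"; the bandwidth figures are constructed.

```fortios
# Added example: shared shaper for the guest policy plus a per-client cap,
# matched on the guest interface and the guest user group. Employee traffic
# on other interfaces/groups never matches this shaping policy. Names assumed.
config firewall shaper traffic-shaper
    edit "guest-shaper"
        set maximum-bandwidth 20000        # kbps ceiling for all guest traffic together
        set guaranteed-bandwidth 2000      # kbps guests are always allowed
        set priority low                   # guests lose out when the link is contended
        set per-policy enable              # counters are kept per shaping policy
    next
end

config firewall shaper per-ip-shaper
    edit "guest-per-client"
        set max-bandwidth 2000             # kbps per guest device
        set max-concurrent-session 200     # limits a single chatty client
    next
end

config firewall shaping-policy
    edit 1
        set name "Guest-WiFi-cap"
        set srcintf "guest-ssid"           # the guest SSID interface
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set groups "Guest-Users"           # only authenticated guest users match
        set traffic-shaper "guest-shaper"          # download direction
        set traffic-shaper-reverse "guest-shaper"  # upload direction
        set per-ip-shaper "guest-per-client"
    next
end
```

A shaping policy only shapes traffic that a firewall policy has already accepted, so the guest SSID still needs its own accept policy to the WAN.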
Question 184
Which FortiGate feature helps detect and block devices infected with botnet malware?
A) IPS Sensor → Enable Botnet C&C Signatures
B) Application Control → Block P2P Applications
C) Web Filtering → Block all non-business websites
D) Traffic Shaping → Limit unknown protocols
Answer: IPS Sensor → Enable Botnet C&C Signatures
Explanation: Botnets rely on infected devices communicating with external Command & Control (C&C) servers to execute attacks, send spam, or exfiltrate data. FortiGate’s IPS sensors include botnet C&C signatures, which detect and block outbound communication attempts to known botnet servers. These signatures are updated continuously via FortiGuard threat intelligence, ensuring that emerging botnet variants are effectively blocked.
Application control can block peer-to-peer applications, which may reduce certain botnet vectors, but it does not provide comprehensive protection against all botnet C&C communications. Web filtering only controls HTTP/HTTPS access and cannot detect botnet traffic over non-web protocols. Traffic shaping limits bandwidth but does not prevent malware activity.
Implementation of botnet mitigation using FortiGate begins with enabling Intrusion Prevention System (IPS) sensors that include up-to-date botnet signatures. These signatures allow the firewall to detect and block traffic associated with known botnet command-and-control servers or malicious communication patterns. By applying these IPS sensors to relevant firewall policies, administrators can ensure that both inbound and outbound traffic is monitored for signs of botnet activity, effectively preventing infected devices from communicating with external malicious actors.
In modern networks, a significant portion of traffic is encrypted using SSL/TLS protocols, which can allow botnet communications to bypass traditional security measures. To address this, SSL deep inspection may be necessary, enabling the firewall to decrypt, analyze, and re-encrypt traffic in real time. This ensures that encrypted botnet traffic is detected, while legitimate business communications remain uninterrupted. SSL deep inspection combined with IPS provides a layered security approach, allowing the organization to identify threats hidden within encrypted channels that would otherwise go unnoticed.
Ongoing monitoring is a critical part of the implementation process. FortiView dashboards and detailed logs provide visibility into traffic patterns, alerting administrators to anomalies or potential compromises. For instance, devices that generate unusual outbound traffic, connect to known botnet servers, or exhibit repetitive suspicious behavior can be quickly identified. By correlating these events with IPS and SSL inspection alerts, administrators gain actionable insights into the scope and severity of potential infections.
Once infected devices are identified, remediation measures must be applied promptly to prevent further compromise. This may include isolating the affected endpoints from the network, performing malware scans, cleaning or reimaging compromised systems, and updating endpoint security measures to prevent reinfection. By addressing infected devices proactively, organizations reduce the risk of internal systems being leveraged in larger botnet operations, which could lead to data exfiltration, distributed denial-of-service (DDoS) attacks, or reputational damage.
Overall, integrating IPS sensors with botnet signatures, SSL deep inspection, and continuous monitoring provides a comprehensive strategy for mitigating botnet threats. This approach ensures that internal devices cannot participate in malicious campaigns, secures network traffic, and preserves the integrity and reputation of the organization. Regular updates to signatures, ongoing analysis of FortiView logs, and timely remediation are essential components of maintaining a resilient network defense against evolving botnet threats.
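The sensor-plus-deep-inspection combination described above, as an added FortiOS CLI example that is not from the page. The sensor name, policy number and interface names are assumed; "deep-inspection" is the built-in SSL/SSH profile.

```fortios
# Added example: IPS sensor that blocks connections to the FortiGuard botnet
# C&C list, applied to the outbound policy with deep inspection so that C&C
# traffic over TLS is visible. Names and the policy ID are assumptions.
config ips sensor
    edit "botnet-cc-block"
        set comment "Block known botnet C&C destinations"
        set scan-botnet-connections block     # FortiGuard botnet C&C signatures
        set block-malicious-url enable        # also drop known malicious URLs
        config entries
            edit 1
                set severity high critical    # high/critical exploit signatures as well
                set action block
                set log enable
                set log-packet enable         # keep the triggering packet for forensics
            next
        end
    next
end

config firewall policy
    edit 40
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"   # required to see C&C hidden in TLS
        set ips-sensor "botnet-cc-block"
        set logtraffic all                     # blocked C&C attempts identify infected hosts
        set nat enable
    next
end
```

Hosts that keep appearing in the IPS log with botnet hits are the ones to isolate and remediate first.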
Question 185
A FortiGate administrator wants to enforce MFA for remote users but allow seamless access for employees on managed corporate devices. Which approach is best?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply externally
D) Azure AD B2B → Manage guest accounts
Answer: Conditional Access → Require MFA for external access → Apply per user group
Explanation: Conditional Access in Azure AD allows administrators to implement adaptive access policies that consider factors like user location, device compliance, and sign-in risk. By enforcing MFA only for users accessing resources from outside the corporate network, administrators provide strong security without inconveniencing employees who use trusted internal devices. This ensures a balance between usability and protection.
Enabling Security Defaults applies MFA globally to all users, including internal users, which could disrupt workflow unnecessarily. Pass-through Authentication verifies credentials but cannot apply conditional MFA policies based on context. Azure AD B2B is designed to manage guest access, not internal adaptive MFA enforcement.
Implementation requires defining Conditional Access policies that target external locations, require MFA for specific user groups, and exempt compliant corporate devices. Policies should be monitored using Azure AD sign-in logs to track policy effectiveness and adjust as necessary. This approach reduces the risk of compromised credentials while maintaining productivity for internal staff.
Question 186
A FortiGate administrator wants to monitor which applications consume the most bandwidth per user. Which feature should be used?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown apps
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business websites
Answer: FortiView → Traffic Log Analysis → Application and User Reports
Explanation: Network optimization and capacity planning are critical for ensuring business-critical applications perform efficiently. FortiView provides comprehensive real-time and historical visibility into network traffic, including per-user and per-application bandwidth usage. It allows administrators to identify high-bandwidth users, monitor the performance of critical applications, detect anomalous traffic patterns, and make informed decisions about traffic shaping or QoS policies.
By analyzing FortiView reports, an administrator can determine which applications consume the most resources. For example, streaming video or large file transfers may be throttled to ensure that VoIP, ERP, or CRM systems maintain performance. FortiView also integrates seamlessly with security profiles such as SSL inspection, enabling administrators to monitor encrypted traffic usage without compromising privacy or security.
Application Control, Web Filtering, and SSL Inspection do not provide the granular analytics needed to understand per-user bandwidth consumption comprehensively. Application Control can block or prioritize apps, but does not provide detailed reporting per user. Web Filtering can block categories of websites, but cannot track overall bandwidth consumption. SSL Inspection decrypts traffic but does not produce usage reports.
Implementation involves enabling logging on relevant firewall policies, configuring FortiView dashboards to display per-user and per-application metrics, and periodically reviewing these reports to optimize policies and ensure fair bandwidth distribution. Historical analysis supports strategic decisions for future network expansion, security enforcement, and business continuity planning.
Question 187
A FortiGate administrator wants to ensure antivirus, IPS, and application control signatures remain up-to-date automatically. Which configuration should be used?
A) FortiGuard Security Services → Enable automatic updates
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Manual updates
Answer: FortiGuard Security Services → Enable automatic updates
Explanation: The threat landscape evolves rapidly, with new malware, exploits, and risky applications emerging daily. FortiGuard Security Services provides signature updates for antivirus, IPS, and application control profiles to ensure that the FortiGate device can detect and block the latest threats. Automatic updates are essential because manually updating signatures can be error-prone, time-consuming, and leave the network vulnerable to attacks.
FortiGuard updates include malware definitions, botnet C&C signatures, application behavior signatures, and exploit patterns. Administrators can schedule these updates at intervals, ensuring minimal disruption while maintaining protection. Automatic updates also help meet compliance requirements for frameworks like ISO 27001, NIST, and HIPAA, which require continuous security monitoring and timely threat mitigation.
SSL Inspection, traffic shaping, and manual application control updates do not address the core requirement of maintaining up-to-date security signatures. SSL inspection ensures encrypted traffic can be scanned for threats, but does not update threat intelligence. Traffic shaping manages bandwidth, and manual updates are inefficient and risky.
Implementation includes enabling FortiGuard automatic updates in the device settings, configuring notification logs for update success/failure, and verifying updates through FortiView or FortiManager dashboards. Administrators should also regularly audit and review update logs to ensure that all security profiles remain current and effective against emerging threats.
Question 188
A FortiGate administrator wants to prevent users from accidentally visiting malicious websites while browsing. Which configuration is appropriate?
A) Web Filtering → Enable FortiGuard Categories → Apply to policies
B) Application Control → Block unknown applications
C) IPS Sensor → Enable Web Exploit Signatures
D) Traffic Shaping → Limit web bandwidth
Answer: Web Filtering → Enable FortiGuard Categories → Apply to policies
Explanation:
Web filtering is designed to enforce safe browsing practices by blocking access to websites classified as malicious, phishing, or otherwise risky. FortiGuard maintains continuously updated categories that include malicious URLs, adult content, gambling, and other potentially harmful sites. By applying web filter profiles to firewall policies, administrators can proactively prevent users from accessing sites that could deliver malware, steal credentials, or compromise network security.
FortiView reports and logs enable administrators to monitor blocked attempts, refine category settings, and identify patterns of risky behavior. This visibility allows for targeted training or policy adjustments and ensures compliance with internal security policies and regulatory requirements.
Application Control is limited to identifying applications rather than blocking web content based on reputation. IPS sensors detect attacks but cannot prevent access proactively. Traffic shaping can only manage bandwidth and has no impact on security or user behavior.
Implementation involves creating a web filter profile, enabling FortiGuard categories relevant to the organization’s security posture, applying the profile to appropriate policies, and configuring logging. Regular updates and audits ensure the web filter remains effective against evolving threats.
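The web filter profile described above, as an added FortiOS CLI example (not from the page). The profile name is assumed; the FortiGuard category IDs are assumed from the public category list (26 Malicious Websites, 61 Phishing, 86 Spam URLs) and should be checked against the category list on the device.

```fortios
# Added example: web filter profile that blocks the FortiGuard security-risk
# categories and logs every URL for FortiView. Category IDs are assumptions.
config webfilter profile
    edit "safe-browsing"
        set comment "Block known-bad categories, log everything else"
        config ftgd-wf
            config filters
                edit 1
                    set category 26       # assumed: Malicious Websites
                    set action block
                    set log enable
                next
                edit 2
                    set category 61       # assumed: Phishing
                    set action block
                    set log enable
                next
                edit 3
                    set category 86       # assumed: Spam URLs
                    set action block
                    set log enable
                next
            end
        end
        set log-all-url enable            # full URL log, not just blocked hits
    next
end
```

Attach the profile to the browsing policy with `set utm-status enable` and `set webfilter-profile "safe-browsing"`; blocked attempts then appear in FortiView for the review described above.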
Question 189
A FortiGate administrator needs to inspect SSL-encrypted traffic for threats while avoiding disruption of SaaS applications like Office 365. What should be done?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Limit HTTPS traffic
D) IPS Sensor → Enable SSL
Answer: SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
Explanation:
Encrypted traffic, particularly HTTPS, is increasingly used by malware for command-and-control, ransomware distribution, and data exfiltration. SSL Deep Inspection decrypts this traffic, allowing FortiGate to apply antivirus, IPS, and application control scanning effectively. However, some SaaS applications use certificate pinning or strict security protocols, which can fail if deep inspection intercepts traffic indiscriminately. To maintain continuity, bypass rules for trusted SaaS applications ensure that essential services like Office 365, Google Workspace, or Salesforce function without disruption.
SSL Certificate Inspection validates certificates but does not inspect content for threats. Traffic shaping manages bandwidth without detecting malware. IPS sensors cannot detect encrypted threats unless traffic is decrypted.
Implementation involves creating SSL inspection profiles, enabling deep inspection on relevant policies, defining bypass rules for critical SaaS domains, and monitoring FortiView logs to identify threats or blocked sessions. Regular review of bypass rules ensures they remain up-to-date as new cloud services are adopted.
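The deep inspection profile with SaaS bypass described above, as an added FortiOS CLI example that is not from the page. The profile name and the wildcard FQDN object are assumed; "*.office365.com" is a constructed sample, the re-signing CA names are the built-in defaults, and category 31 is assumed to be FortiGuard "Finance and Banking".

```fortios
# Added example: deep inspection profile that exempts pinned SaaS endpoints by
# wildcard FQDN and a regulated FortiGuard category. Names are assumptions.
config firewall wildcard-fqdn custom
    edit "o365-wildcard"
        set wildcard-fqdn "*.office365.com"   # constructed sample; add each pinned service
    next
end

config firewall ssl-ssh-profile
    edit "deep-inspect-saas-exempt"
        set comment "Decrypt everything except pinned or regulated SaaS"
        config https
            set ports 443
            set status deep-inspection
        end
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"               # clients must trust this CA
        set untrusted-caname "Fortinet_CA_Untrusted"
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "o365-wildcard"  # pinned SaaS: pass through uninspected
            next
            edit 2
                set type fortiguard-category
                set fortiguard-category 31         # assumed: Finance and Banking
            next
        end
    next
end
```

Reference it on the outbound policy with `set ssl-ssh-profile "deep-inspect-saas-exempt"` next to the AV and IPS profiles, and revisit the exempt list whenever a new pinned service is adopted so the bypass does not silently grow.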
Question 190
Which FortiGate feature allows administrators to block specific risky applications while allowing legitimate apps?
A) Application Control → Enable signatures → Apply per policy
B) Web Filtering → Block categories
C) IPS Sensor → Enable exploit detection
D) Traffic Shaping → Limit unknown applications
Answer: Application Control → Enable signatures → Apply per policy
Explanation:
Application Control is designed to detect, monitor, and manage application usage across the network. By enabling application signatures, administrators can allow legitimate apps while blocking risky or non-business applications. This selective control ensures productivity and security. For example, file-sharing or P2P applications can be blocked to prevent malware or unauthorized data exfiltration, while essential productivity tools remain operational.
Web Filtering manages URLs but cannot distinguish application behavior. IPS sensors detect exploits but do not control legitimate application usage. Traffic shaping only controls bandwidth and cannot selectively block applications.
Implementation requires enabling application control profiles, selecting appropriate signatures, and assigning them to relevant firewall policies. FortiView can then provide analytics on application usage, blocked attempts, and potential policy adjustments.
Question 191
A FortiGate administrator wants to prevent data exfiltration through unapproved cloud storage services. Which feature should be enabled?
A) Application Control → Block unapproved SaaS apps
B) Web Filtering → Block all non-business websites
C) IPS Sensor → Enable data leak prevention
D) Traffic Shaping → Limit cloud storage bandwidth
Answer: Application Control → Block unapproved SaaS apps
Explanation:
In modern enterprise networks, cloud storage services such as Dropbox, Google Drive, and OneDrive are commonly used. While these services increase productivity, they also present a significant risk for data exfiltration if employees or compromised devices upload sensitive information to unauthorized platforms. FortiGate’s Application Control feature provides granular visibility and control over SaaS applications, allowing administrators to permit legitimate business applications while blocking unauthorized ones.
Application Control uses signature-based detection to identify SaaS applications and their functionality. Administrators can create policies that explicitly allow corporate-approved SaaS apps while denying access to any unapproved cloud storage service. This helps prevent data leaks without disrupting legitimate business processes. FortiView provides detailed reporting on blocked attempts, usage patterns, and high-risk activity, enabling proactive security monitoring.
Web filtering is not sufficient because it categorizes websites rather than detecting specific SaaS applications. IPS sensors may detect exploits, but cannot prevent legitimate users from uploading data to unapproved cloud platforms. Traffic shaping controls bandwidth but does not prevent uploads or enforce security policies.
Implementation involves defining a set of approved SaaS applications, creating application control profiles, applying them to firewall policies, and monitoring activity through FortiView. This approach ensures sensitive information remains within corporate-sanctioned platforms while maintaining operational efficiency.
Question 192
A FortiGate administrator wants to block malware from spreading between internal devices. Which feature should be implemented?
A) IPS Sensor → Enable lateral movement prevention signatures
B) Application Control → Block P2P traffic
C) Web Filtering → Block non-business sites
D) Traffic Shaping → Limit internal traffic
Answer: IPS Sensor → Enable lateral movement prevention signatures
Explanation:
Malware infections often propagate laterally within a network, exploiting vulnerabilities in internal systems to spread from one host to another. FortiGate’s IPS sensors include signatures specifically designed to detect lateral movement, such as attempts to exploit SMB, RDP, or RPC services between internal devices. By enabling these signatures and applying them to internal firewall policies, administrators can significantly reduce the risk of internal malware propagation.
Application Control can block certain applications, including P2P traffic, but cannot detect malware attempting to exploit vulnerabilities for lateral movement. Web filtering controls access to external websites and does not address internal threat propagation. Traffic shaping is purely focused on bandwidth management and does not provide any threat mitigation.
Implementation involves creating internal policies that apply IPS sensors to traffic between internal VLANs or subnets, enabling lateral movement signatures, and monitoring alerts via FortiView. Administrators can then isolate compromised devices, apply patches, and remediate infections to prevent further spread.
Question 193
A FortiGate administrator wants to ensure compliance with corporate security policies by logging all outbound HTTPS connections while minimizing performance impact. Which approach is appropriate?
A) SSL Inspection → Selective deep inspection → Bypass trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Application Control → Block unknown apps
D) Traffic Shaping → Limit HTTPS traffic
Answer: SSL Inspection → Selective deep inspection → Bypass trusted SaaS
Explanation:
Monitoring HTTPS traffic is critical because an increasing proportion of internet traffic is encrypted. SSL inspection allows FortiGate to decrypt traffic and apply antivirus, IPS, and data loss prevention controls. However, deep inspection of all HTTPS traffic can introduce latency and potentially disrupt trusted SaaS services such as Office 365, Salesforce, and Google Workspace, which use certificate pinning or strict security protocols.
Selective deep inspection allows administrators to decrypt and inspect traffic for security threats while bypassing trusted cloud services, balancing security and performance. SSL Certificate Inspection alone only validates certificates and does not scan content for threats. Application Control cannot log all HTTPS traffic, and traffic shaping merely limits bandwidth without visibility.
Implementation involves creating SSL inspection profiles, defining policies that target internal users or subnets, specifying SaaS domains to bypass, enabling logging, and monitoring alerts through FortiView. This ensures full visibility for security compliance while maintaining performance for essential business applications.
Question 194
A FortiGate administrator wants to detect compromised endpoints communicating with external C&C servers over HTTPS. Which configuration is needed?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply with SSL Deep Inspection
B) Web Filtering → Block malicious URLs
C) Traffic Shaping → Limit external HTTPS connections
D) Application Control → Block unknown SaaS apps
Answer: IPS Sensor → Enable Botnet C&C Signatures → Apply with SSL Deep Inspection
Explanation:
Many modern malware variants communicate with external Command & Control (C&C) servers using encrypted HTTPS traffic to evade detection. Enabling IPS sensors with botnet C&C signatures allows FortiGate to identify and block these connections. SSL Deep Inspection ensures that encrypted traffic can be decrypted and analyzed for malicious behavior.
Web filtering may block known malicious domains, but cannot detect botnet traffic over HTTPS or unknown domains. Traffic shaping controls bandwidth but does not prevent malware communications. Application Control focuses on legitimate application detection and control, not malicious C&C communication.
Implementation involves enabling botnet signatures in IPS, applying SSL Deep Inspection to traffic policies, configuring logging and alerting, and continuously monitoring FortiView dashboards for compromised hosts. Administrators can then isolate infected devices, initiate remediation procedures, and prevent data exfiltration or further network compromise.
Question 195
A FortiGate administrator wants to restrict access to non-business websites while allowing employees to access essential SaaS applications. Which configuration is appropriate?
A) Web Filtering → Enable FortiGuard Categories → Whitelist SaaS applications
B) Application Control → Block high-risk apps
C) IPS Sensor → Enable web exploit detection
D) Traffic Shaping → Limit non-business site bandwidth
Answer: Web Filtering → Enable FortiGuard Categories → Whitelist SaaS applications
Explanation:
Web filtering allows administrators to categorize web content and block access to categories deemed inappropriate or non-business related, such as social media, adult content, or gambling sites. FortiGuard maintains constantly updated category databases, ensuring that new threats or sites are automatically categorized. Whitelisting SaaS applications such as Office 365 or Salesforce ensures that essential business services remain accessible, preventing operational disruption.
Application Control is focused on application usage rather than URL categories. IPS can detect web exploits, but does not control general web browsing. Traffic shaping only limits bandwidth and does not enforce content restrictions.
Implementation involves creating a web filter profile, selecting categories to block, whitelisting necessary SaaS applications, applying the profile to outbound policies, and monitoring FortiView for blocked attempts and user compliance. Periodic review ensures that the policy evolves alongside organizational needs and internet trends.
Question 196
A FortiGate administrator wants to prevent ransomware from encrypting sensitive files on endpoints while scanning inbound and outbound traffic. Which combination of features is recommended?
A) Antivirus → Enable FortiGuard Real-Time Protection + IPS Sensor → Enable exploit detection
B) Web Filtering → Block all download categories
C) Application Control → Block all P2P apps
D) Traffic Shaping → Limit unknown traffic
Answer: Antivirus → Enable FortiGuard Real-Time Protection + IPS Sensor → Enable exploit detection
Explanation:
Ransomware typically exploits system vulnerabilities and user actions to encrypt files. Antivirus with real-time protection scans inbound and outbound files, emails, and network traffic for malicious signatures and behavioral indicators. IPS sensors complement this by detecting attempts to exploit known vulnerabilities on endpoints, preventing the initial compromise.
Web filtering or application control alone cannot prevent ransomware effectively. Traffic shaping does not mitigate malware threats.
Implementation involves enabling antivirus scanning profiles on all inbound/outbound policies, configuring IPS with relevant exploit signatures, enabling SSL inspection to detect encrypted threats, and monitoring FortiView alerts. This layered approach ensures ransomware is blocked both at the network perimeter and in real time on affected devices.
Question 197
A FortiGate administrator wants to identify high-risk users accessing the network from untrusted locations. Which feature provides this visibility?
A) FortiAnalyzer → User & Device Risk Reports
B) Application Control → Log high-bandwidth apps
C) Web Filtering → Monitor URL categories
D) Traffic Shaping → Limit guest bandwidth
Answer: FortiAnalyzer → User & Device Risk Reports
Explanation:
FortiAnalyzer collects and correlates logs from FortiGate devices to provide detailed insight into user and device behavior. Administrators can identify users accessing the network from untrusted locations or using high-risk devices. FortiAnalyzer supports reports on login patterns, VPN connections, application usage, and policy violations, making it a powerful tool for risk assessment.
Application Control logs only app usage, web filtering tracks web categories, and traffic shaping monitors bandwidth; none provide comprehensive risk analytics.
Implementation involves integrating FortiGate with FortiAnalyzer, enabling log forwarding, configuring risk reporting, and reviewing trends regularly. Administrators can then take proactive measures, such as applying Conditional Access policies or isolating risky devices.
Question 198
A FortiGate administrator wants to prevent phishing attacks while allowing legitimate email communications. Which combination of features should be applied?
A) Antivirus → Enable email scanning + Web Filtering → Block phishing domains
B) IPS Sensor → Block SMTP traffic
C) Application Control → Block all email clients
D) Traffic Shaping → Limit email bandwidth
Answer: Antivirus → Enable email scanning + Web Filtering → Block phishing domains
Explanation:
Phishing attacks rely on malicious links or attachments in emails to compromise credentials or deliver malware. Antivirus scanning inspects inbound emails for malicious attachments, while web filtering blocks access to known phishing sites. This combination provides layered protection, preventing users from interacting with dangerous content while ensuring legitimate email communications continue uninterrupted.
IPS cannot prevent phishing proactively; Application Control does not block malicious links; Traffic Shaping only limits bandwidth.
Implementation involves enabling antivirus scanning on SMTP, IMAP, and POP3 traffic, applying web filter profiles to block phishing domains, logging blocked attempts, and training users to recognize suspicious emails.
Question 199
A FortiGate administrator wants to block unknown or risky applications while allowing critical business apps. Which feature is appropriate?
A) Application Control → Enable signatures → Apply per policy
B) Web Filtering → Block unknown sites
C) IPS Sensor → Enable anomaly detection
D) Traffic Shaping → Limit unknown apps
Answer: Application Control → Enable signatures → Apply per policy
Explanation:
Application Control identifies applications based on traffic signatures, categorizing them as business-critical, risky, or unknown. Administrators can block high-risk or unknown applications while allowing approved business applications. This ensures security while maintaining productivity.
Web filtering targets URLs, IPS detects exploits, and traffic shaping manages bandwidth. They do not provide granular control over specific applications.
Implementation involves enabling application control profiles, selecting signature categories, applying policies to relevant users or interfaces, and reviewing FortiView reports to fine-tune allowed and blocked applications.
Question 200
A FortiGate administrator wants to enforce secure access for all remote workers, ensuring traffic is scanned and monitored without affecting performance. Which strategy is best?
A) SSL VPN → Apply security profiles + SSL Inspection → Selective deep inspection
B) IPS Sensor → Enable globally for all traffic
C) Application Control → Block unknown apps for VPN users
D) Traffic Shaping → Limit VPN bandwidth
Answer: SSL VPN → Apply security profiles + SSL Inspection → Selective deep inspection
Explanation:
Remote access must balance security and performance. SSL VPN provides secure, encrypted tunnels for remote users. Applying security profiles like antivirus, IPS, and application control ensures that traffic passing through the VPN is scanned for threats. Selective SSL deep inspection allows traffic inspection without disrupting trusted services, maintaining performance for essential SaaS applications.
Applying IPS globally is inefficient for remote users and may introduce latency. Application Control alone does not provide full threat detection. Traffic shaping limits bandwidth without security scanning.
Implementation involves configuring SSL VPN policies, applying appropriate security profiles, defining SSL inspection rules to bypass trusted SaaS domains, and monitoring FortiView logs. This strategy provides secure, monitored, and performant access for all remote workers.
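The selective deep inspection with a trusted-SaaS bypass described in Questions 193 and 200, written out as a FortiOS CLI example (added here; not taken from the exam page or from Fortinet documentation). The interface names, the policy ID, the wildcard FQDN, the profile and sensor names are assumptions chosen for illustration:

```fortios
# Wildcard FQDN object for a trusted SaaS domain (assumed value)
config firewall wildcard-fqdn custom
    edit "m365-wildcard"
        set wildcard-fqdn "*.office365.com"
    next
end

# Deep inspection on 443, with the trusted SaaS domain exempted
# so certificate-pinned clients keep working
config firewall ssl-ssh-profile
    edit "selective-deep"
        set comment "Deep inspection, trusted SaaS exempted (added example)"
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type wildcard-fqdn
                set wildcard-fqdn "m365-wildcard"
            next
        end
    next
end

# IPS sensor that blocks known botnet C&C connections (Question 194)
config ips sensor
    edit "botnet-cnc"
        set scan-botnet-connections block
    next
end

# Outbound HTTPS policy: profiles applied, all sessions logged
config firewall policy
    edit 20
        set name "Outbound-HTTPS-Inspected"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "selective-deep"
        set ips-sensor "botnet-cnc"
        set logtraffic all
        set nat enable
    next
end
```

Exempted destinations are still logged by the policy but are not decrypted, so a separate check that the exemption list stays limited to genuinely trusted domains is worth adding to the periodic review.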