Fortinet FCP_FGT_AD-7.6 FCP – FortiGate 7.6 Administrator Exam Dumps and Practice Test Questions Set 3 Q41-60
Question 41:
You want FortiGate 7.6 to ensure VPN users are connecting from devices that have the latest antivirus definitions and firewall enabled. Which feature should be used?
A) SSL VPN → Enable Endpoint Compliance Check → Enforce antivirus and firewall status
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block untrusted websites
D) Application Control → Block unknown applications
Answer: A) – SSL VPN → Enable Endpoint Compliance Check → Enforce antivirus and firewall status
Explanation
FortiGate 7.6 supports Endpoint Compliance Checks for SSL VPN users to verify that connecting devices meet security requirements. Compliance checks can validate antivirus definitions, firewall status, operating system patches, and the presence of FortiClient. Devices failing the check can be denied VPN access or limited to restricted portals.
Option A, SSL VPN → Enable Endpoint Compliance Check → Enforce, is the correct approach for ensuring secure remote access while maintaining endpoint security. SSL VPN (Secure Sockets Layer Virtual Private Network) allows users to securely connect to corporate networks over the internet using encryption, protecting data in transit from eavesdropping or tampering. By enabling endpoint compliance checks, administrators can verify that connecting devices meet organizational security requirements before granting network access. This can include checking for antivirus definitions, firewall status, operating system patches, disk encryption, or other security configurations. Enforcement ensures that only compliant devices can access sensitive internal resources, reducing the risk of malware or compromised endpoints entering the corporate network. For example, a laptop attempting to connect via SSL VPN will first be assessed for compliance; if it fails the checks, access can be blocked or limited, protecting critical systems while alerting administrators to potential security issues.
Option B, IPsec VPN → Configure Phase 1 and Phase 2, is similar in concept but differs in VPN protocol. IPsec VPN is often used for site-to-site connections or dedicated remote access clients. While IPsec can also perform endpoint checks with advanced configurations, SSL VPN is generally preferred for clientless access and easier deployment for remote users. Moreover, in many Fortinet environments, endpoint compliance features are tightly integrated with SSL VPN portals, making this combination more suitable for enforcing user and device policies on remote devices.
Option C, Web Filtering → Block untrusted websites, addresses a different security concern. Web filtering protects users from accessing malicious or inappropriate websites by applying URL filtering rules. While important for threat prevention and productivity, web filtering does not control whether the connecting device itself is secure or compliant. Therefore, it does not replace endpoint compliance checks required for secure remote access.
Option D, Application Control → Block unknown applications, also serves a distinct purpose. Application Control monitors and restricts application usage, blocking unapproved or high-risk software from running on endpoints. While this enhances security within the network, it does not verify device compliance before allowing VPN access. Consequently, it cannot ensure that the endpoint meets minimum security standards before connecting to sensitive resources.
In summary, Option A provides a comprehensive remote access solution that combines SSL VPN for secure connectivity with endpoint compliance enforcement. This ensures that only trusted, properly configured devices gain network access, protecting sensitive data and reducing the risk of security breaches. Options B, C, and D provide complementary security features but do not directly enforce endpoint compliance for SSL VPN connections, making them insufficient for this specific use case. By enabling SSL VPN with endpoint compliance checks, organizations can secure remote access while maintaining visibility and control over connecting devices.
Implementation involves enabling endpoint compliance on the SSL VPN portal, creating compliance rules (antivirus, firewall, OS version), and mapping rules to user groups. For example, a corporate laptop with up-to-date antivirus software passes the check and gains full access, while a personal laptop with outdated definitions is denied. Logging allows administrators to monitor compliance failures and ensure security policies are enforced. Periodic review of compliance rules is necessary to adapt to new threats or software updates. This ensures VPN access remains secure, reducing the risk of malware entering the corporate network through remote connections.
Question 42:
A FortiGate 7.6 administrator wants to apply different security profiles based on the type of application users access. Which feature should be used?
A) Application Control → Map to firewall policies → Apply Antivirus, IPS, and Web Filtering per app category
B) SSL Inspection → Apply to all traffic
C) Traffic Shaping → Limit bandwidth per user
D) Static Routing → Route traffic to specific gateways
Answer: A) – Application Control → Map to firewall policies → Apply Antivirus, IPS, and Web Filtering per app category
Explanation
Application Control in FortiGate 7.6 allows administrators to identify traffic by application and enforce granular security policies. Profiles can combine Antivirus, IPS, Web Filtering, and Data Loss Prevention selectively per application or category. This enables strong security for high-risk apps while minimizing impact on critical business applications.
Option B (SSL Inspection) decrypts traffic but cannot selectively apply security policies per app. Option C (Traffic Shaping) manages bandwidth but does not enforce security profiles. Option D (Static Routing) only determines path selection, not application-level security.
Implementation involves creating an Application Control profile, defining categories and signatures, mapping profiles to firewall policies, and enabling security inspection. For example, social media apps may have antivirus scanning and web filtering enabled, while ERP applications receive only SSL inspection to avoid disruption. Logging provides visibility into blocked or inspected traffic. Periodic updates to application signatures and policies ensure protection against new threats. This approach balances security with usability and allows precise control over different application traffic types.
Question 43:
You need FortiGate 7.6 to automatically block IPs that attempt multiple failed administrative logins. Which feature should be used?
A) Administrative Account Lockout → Configure thresholds and duration
B) Traffic Shaping → Apply per admin interface
C) SSL Inspection → Enable for admin traffic
D) Application Control → Block suspicious apps
Answer: A) – Administrative Account Lockout → Configure thresholds and duration
Explanation
FortiGate 7.6 includes Administrative Account Lockout to protect admin accounts from brute-force attacks. The system locks accounts after a configurable number of failed login attempts within a time window. Accounts are temporarily disabled, and alerts can be generated to notify administrators.
Option B (Traffic Shaping) only controls bandwidth, not login security. Option C (SSL Inspection) inspects traffic but does not prevent authentication attacks. Option D (Application Control) manages applications, not administrative access.
Implementation involves setting thresholds (e.g., 5 failed attempts), lockout duration (e.g., 15 minutes), and monitoring attempts via logs. For example, if an attacker attempts repeated failed logins, the account is automatically locked, and IT receives alerts. Combining this with two-factor authentication (FortiToken) strengthens security. Regular review ensures lockout settings remain effective while preventing unintentional disruptions. This mitigates the risk of credential compromise and unauthorized administrative access.
Question 44:
You want FortiGate 7.6 to analyze traffic and identify potential command-and-control communications from infected devices. Which feature should be configured?
A) IPS Sensor → Enable Botnet C&C signatures → Apply to firewall policies
B) Traffic Shaping → Apply per user group
C) SSL Inspection → Apply without exceptions
D) Web Filtering → Block social media
Answer: A) – IPS Sensor → Enable Botnet C&C signatures → Apply to firewall policies
Explanation
FortiGate 7.6’s IPS (Intrusion Prevention System) can detect traffic associated with botnet command-and-control (C&C) activity. Administrators can enable specific IPS signatures for botnets, malware, or known malicious IP addresses. Policies can be applied to inspect inbound and outbound traffic, blocking suspicious connections.
Option B (Traffic Shaping) manages bandwidth and does not detect threats. Option C (SSL Inspection) allows traffic decryption, but without IPS signatures, malware C&C detection is not possible. Option D (Web Filtering) restricts web access but cannot detect botnet communications.
Implementation involves enabling IPS signatures for botnet activity, applying them to relevant firewall policies, and monitoring logs for alerts. For example, an infected internal workstation attempting to contact a known C&C server is blocked and logged for investigation. Regular updates to IPS signatures are essential to detect new threats. Combining IPS with logging and alerts provides visibility into malicious behavior, helping administrators respond to compromises and protect the network proactively.
Question 45:
You need FortiGate 7.6 to provide centralized monitoring and reporting of multiple FortiGate devices across branches. Which solution should be implemented?
A) FortiManager → Add FortiGate devices → Centralized management and reporting
B) SD-WAN → Apply to all branch devices
C) SSL VPN → Enable endpoint compliance
D) Traffic Shaping → Apply to all WAN interfaces
Answer: A) – FortiManager → Add FortiGate devices → Centralized management and reporting
Explanation
FortiManager allows centralized management of multiple FortiGate devices, including configuration backups, firmware updates, policy deployment, and monitoring. By adding FortiGate units to FortiManager, administrators gain a unified view of network health, logs, and security events, simplifying operations across distributed branches.
Option B (SD-WAN) optimizes traffic routing but does not provide centralized management. Option C (SSL VPN) is for remote user access, not device management. Option D (Traffic Shaping) controls bandwidth but does not provide reporting or centralized monitoring.
Implementation involves configuring FortiGate devices to allow FortiManager access, authorizing them, and mapping policies or profiles. Administrators can deploy security profiles consistently, generate reports, and monitor events across all devices. For example, applying new web filtering rules to all branch FortiGates simultaneously ensures consistent policy enforcement. Centralized logging enables audit trails and compliance reporting. Regular monitoring and maintenance through FortiManager improves operational efficiency, reduces configuration errors, and provides a proactive security posture for the entire network.
Question 46:
You need FortiGate 7.6 to detect and block traffic from devices infected with malware before it reaches internal resources. Which feature should be used?
A) IPS Sensor → Enable malware and exploit signatures → Apply to inbound policies
B) Traffic Shaping → Apply per user group
C) SSL Inspection → Apply globally
D) Web Filtering → Block suspicious URLs
Answer: A) – IPS Sensor → Enable malware and exploit signatures → Apply to inbound policies
Explanation
FortiGate 7.6’s IPS (Intrusion Prevention System) inspects traffic for known vulnerabilities, malware behavior, and exploit patterns. By enabling malware and exploit signatures, administrators can detect malicious traffic originating from infected devices and block it before it reaches internal resources. This provides proactive protection against compromised devices or external threats attempting to infiltrate the network.
Option B (Traffic Shaping) controls bandwidth, not threat detection. Option C (SSL Inspection) decrypts traffic but requires IPS/antivirus signatures for malware detection. Option D (Web Filtering) only blocks malicious websites, not all exploit or malware traffic.
Implementation involves enabling relevant IPS signatures, applying the sensor to inbound firewall policies, and configuring alerting and logging. For example, an endpoint infected with a Trojan attempting to communicate externally is detected and blocked. Regular signature updates are critical to maintain protection against evolving threats. Logs provide visibility into blocked attacks, aiding in threat analysis and incident response. This approach ensures that malware attempts are intercepted at the network perimeter, reducing potential compromise of internal systems and improving overall network security posture.
Question 47:
A FortiGate 7.6 administrator wants to block users from accessing all unencrypted HTTP websites while allowing HTTPS traffic. Which feature should be applied?
A) Web Filtering → Enable HTTP-only blocking → Apply to firewall policies
B) SSL Inspection → Enable for HTTPS traffic
C) Traffic Shaping → Limit HTTP traffic
D) IPS Sensor → Apply to all traffic
Answer: A) – Web Filtering → Enable HTTP-only blocking → Apply to firewall policies
Explanation
FortiGate 7.6’s Web Filtering can block access to specific URL schemes. By enabling HTTP-only blocking, administrators can prevent users from visiting unencrypted websites while allowing HTTPS traffic. This improves security by enforcing encrypted communication and protecting data integrity.
Option B (SSL Inspection) decrypts HTTPS traffic but does not block unencrypted HTTP traffic. Option C (Traffic Shaping) can limit bandwidth but cannot enforce HTTP blocking. Option D (IPS Sensor) inspects for threats but does not control unencrypted access.
Implementation involves creating a Web Filtering profile, enabling HTTP-only blocking, and applying it to outbound firewall policies. For example, users attempting to access a plain HTTP site will be blocked, while encrypted HTTPS access continues uninterrupted. Logs provide insight into blocked attempts and allow administrators to adjust exceptions for legitimate business needs. This ensures secure browsing practices, reducing the risk of data interception or injection attacks over unencrypted connections. Regular policy reviews help maintain compliance and adapt to new business requirements.
Question 48:
You want FortiGate 7.6 to allow critical cloud applications to bypass SSL Deep Inspection while still inspecting all other HTTPS traffic. Which configuration is correct?
A) SSL Deep Inspection → Create application bypass rules → Apply to firewall policies
B) SSL Certificate Inspection → Apply to all traffic
C) Transparent Mode → Bridge all traffic
D) IPS Sensor → Apply to SSL VPN
Answer: A) – SSL Deep Inspection → Create application bypass rules → Apply to firewall policies
Explanation
Some cloud applications, particularly SaaS services or banking apps, use certificate pinning and will fail if SSL Deep Inspection is applied. FortiGate 7.6 allows creating bypass rules for trusted applications while inspecting all other HTTPS traffic. This ensures malware detection and security enforcement without disrupting legitimate services.
Option B (SSL Certificate Inspection) validates certificates but cannot inspect content. Option C (Transparent Mode) bridges traffic but does not decrypt or inspect. Option D (IPS Sensor → SSL VPN) detects exploits but cannot selectively bypass applications.
Implementation involves defining an SSL/SSH inspection profile, applying it to relevant firewall policies, and specifying trusted application bypasses. For example, Office 365 traffic is bypassed to maintain functionality, while all other HTTPS traffic is decrypted and inspected for malware. Logging ensures visibility into inspected and bypassed traffic. Periodic review of bypass lists ensures new applications or updates do not inadvertently break functionality. This approach balances security with operational continuity, maintaining high inspection coverage without affecting trusted applications.
Question 49:
A FortiGate 7.6 administrator wants to identify top bandwidth-consuming applications and users on the network for optimization purposes. Which feature should be used?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Enable globally
D) Web Filtering → Block non-business sites
Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports
Explanation
FortiView provides real-time and historical traffic analysis on FortiGate devices. Administrators can view bandwidth usage by application, user, or IP, allowing identification of top consumers. This enables informed traffic shaping, prioritization, and policy adjustments to optimize network performance.
Option B (Application Control) identifies apps for security but does not provide detailed consumption metrics. Option C (SSL Inspection) inspects traffic but does not analyze usage statistics. Option D (Web Filtering) restricts access but does not measure bandwidth usage per user or application.
Implementation involves enabling logging for all relevant firewall policies, using FortiView dashboards to analyze top applications and users, and generating reports for management. For example, streaming video might be identified as a high-bandwidth application during peak hours, allowing traffic shaping policies to prioritize critical business traffic. FortiView provides visualization tools, historical trends, and drill-down analysis. Regular analysis helps improve network efficiency, reduce congestion, and support capacity planning. Proper monitoring ensures that critical applications receive adequate bandwidth while limiting non-essential usage.
Question 50:
You want FortiGate 7.6 to automatically distribute updated antivirus, IPS, and application signatures to all devices in the network without manual intervention. Which configuration is correct?
A) Enable FortiGuard Security Services → Configure automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Manually update signatures
Answer: A) – Enable FortiGuard Security Services → Configure automatic updates → Apply to all security profiles
Explanation
FortiGate 7.6 integrates with FortiGuard Security Services, which provides automatic updates for antivirus, IPS, and application control signatures. Enabling automatic updates ensures that all devices receive the latest threat intelligence without manual intervention, reducing the window of vulnerability to new malware and exploits.
Option B (SSL Inspection) decrypts traffic but does not update signatures. Option C (Traffic Shaping) manages bandwidth and cannot update security definitions. Option D (Application Control → Manual updates) requires administrators to perform updates manually, increasing the risk of outdated protection.
Implementation involves subscribing to FortiGuard services, enabling automatic updates, and applying them to all security profiles (Antivirus, IPS, Application Control). Logs and dashboards track update success and failures. For example, new malware definitions are automatically pushed to all devices daily, ensuring real-time protection. Periodic review ensures updates are applied consistently and devices remain synchronized. This reduces administrative overhead, strengthens security posture, and ensures that inspection and threat prevention remain effective across the network.
Question 51:
A FortiGate 7.6 administrator wants to ensure that all DNS queries from internal users are filtered for malicious domains, regardless of whether the traffic is encrypted. Which configuration should be applied?
A) DNS Filter Profile → Apply to firewall policies → Enable malware domain filtering
B) Web Filtering → Apply only to HTTP traffic
C) SSL Inspection → Apply globally
D) Application Control → Block unknown DNS clients
Answer: A) – DNS Filter Profile → Apply to firewall policies → Enable malware domain filtering
Explanation
FortiGate 7.6 includes DNS Filtering, which allows administrators to inspect DNS queries and block requests to malicious or unwanted domains. This works for both traditional unencrypted DNS and DNS-over-HTTPS (DoH) when combined with SSL inspection. Administrators can enforce policies to filter phishing sites, botnet C&C domains, and malware-related domains.
Option B (Web Filtering) only inspects HTTP/HTTPS traffic, not DNS queries directly. Option C (SSL Inspection) decrypts encrypted traffic but does not inherently block malicious domains without DNS filtering. Option D (Application Control) identifies applications but does not filter DNS requests.
Implementation involves creating a DNS Filter profile, enabling malware and content filtering, and applying it to the firewall policies governing user traffic. Logging enables administrators to see blocked queries and user attempts to access restricted domains. For example, if an internal user’s system is compromised and attempts to contact a known botnet domain, DNS filtering blocks the request before malicious communication occurs. Regular updates to DNS filter lists and integration with FortiGuard ensure protection against new and evolving threats. By proactively blocking dangerous domains at the DNS level, organizations can reduce malware spread and phishing risks.
Question 52:
You want FortiGate 7.6 to enforce bandwidth limits for specific SaaS applications during peak hours while allowing other traffic unrestricted access. Which feature is correct?
A) SD-WAN → Application-based routing with Traffic Shaping → Apply per schedule
B) Web Filtering → Block all SaaS applications
C) SSL Inspection → Apply globally
D) IPS Sensor → Enable for SaaS traffic
Answer: A) – SD-WAN → Application-based routing with Traffic Shaping → Apply per schedule
Explanation
FortiGate 7.6’s SD-WAN can identify applications and apply traffic shaping policies to control bandwidth usage. By combining SD-WAN with application-aware routing and scheduling, administrators can limit bandwidth for specific SaaS applications during peak hours without affecting other traffic.
Option B (Web Filtering) blocks or allows web categories, but does not manage bandwidth. Option C (SSL Inspection) inspects traffic but does not control throughput. Option D (IPS Sensor) inspects for threats but does not prioritize or limit traffic.
Implementation involves creating an SD-WAN zone with member WAN links, defining application-based traffic shaping policies, and setting schedules for peak and off-peak hours. For example, streaming video from a SaaS platform can be limited to 5 Mbps during 9 AM–5 PM, while ERP and VoIP traffic are given higher priority. FortiView provides monitoring of traffic utilization, ensuring that critical applications maintain performance. Regular review of usage statistics allows fine-tuning of policies to maintain efficiency and network performance while ensuring business-critical applications remain unaffected.
Question 53:
You need FortiGate 7.6 to ensure that all firewall events are sent to a centralized location for compliance reporting. Which solution is correct?
A) FortiAnalyzer → Configure log forwarding → Enable retention and filtering
B) SD-WAN → Monitor WAN usage
C) SSL Inspection → Apply globally
D) Application Control → Enable logging
Answer: A) – FortiAnalyzer → Configure log forwarding → Enable retention and filtering
Explanation
FortiAnalyzer allows centralized logging, reporting, and analysis for multiple FortiGate devices. By forwarding firewall logs, security events, and policy violations to FortiAnalyzer, administrators can generate compliance reports, audit access, and track security incidents. Log retention policies ensure historical data is available for audits and regulatory requirements.
Option B (SD-WAN) monitors traffic paths but does not provide centralized log management. Option C (SSL Inspection) decrypts traffic but does not store or analyze logs centrally. Option D (Application Control → Logging) generates application-level logs but does not provide centralized reporting.
Implementation involves configuring each FortiGate device to forward logs to FortiAnalyzer using secure channels, enabling logging for all relevant events, and setting up retention policies. Reports can be scheduled for regulatory compliance and incident investigation. For example, blocked traffic attempts, IPS alerts, and web filtering logs are aggregated and analyzed centrally. Regular auditing of logs and reports ensures adherence to corporate policies, improves incident response times, and helps identify patterns of malicious activity or policy violations. Centralized logging reduces operational complexity and ensures visibility across distributed FortiGate deployments.
Question 54:
You want FortiGate 7.6 to prevent users from uploading sensitive data to cloud storage services. Which configuration is correct?
A) DLP Profile → Apply to firewall policies → Inspect outbound traffic for predefined sensitive data patterns
B) Web Filtering → Block cloud storage sites
C) SSL Inspection → Enable without exceptions
D) Traffic Shaping → Limit upload speed
Answer: A) – DLP Profile → Apply to firewall policies → Inspect outbound traffic for predefined sensitive data patterns
Explanation
FortiGate 7.6’s Data Loss Prevention (DLP) allows administrators to scan outbound traffic for sensitive content such as financial information, personal data, or confidential documents. By applying DLP profiles to firewall policies controlling outbound traffic, organizations can block or log unauthorized attempts to upload sensitive information to cloud storage services.
Option B (Web Filtering) can block access to cloud storage, but does not inspect file contents. Option C (SSL Inspection) decrypts traffic, but without DLP scanning, it cannot prevent data leakage. Option D (Traffic Shaping) limits bandwidth but does not enforce security policies.
Implementation involves creating a DLP profile with patterns, keywords, or file signatures to detect sensitive data. The profile is applied to relevant firewall policies, and alerts/logging are enabled. For example, if an employee attempts to upload a document containing customer credit card information to a cloud file-sharing service, the transfer is blocked, and an alert is generated. Regular review of DLP logs and pattern updates ensures ongoing effectiveness. This approach enforces data security policies, reduces the risk of regulatory violations, and helps prevent accidental or intentional data exfiltration.
Question 55:
A FortiGate 7.6 administrator wants to ensure that VoIP traffic has the lowest latency while other traffic is managed based on bandwidth policies. Which configuration is correct?
A) Traffic Shaping Policy → Apply per application (VoIP priority) → Set guaranteed bandwidth
B) SD-WAN → Enable load balancing only
C) IPS Sensor → Enable for VoIP
D) SSL Inspection → Enable globally
Answer: A) – Traffic Shaping Policy → Apply per application (VoIP priority) → Set guaranteed bandwidth
Explanation
Traffic shaping in FortiGate 7.6 enables administrators to prioritize critical applications like VoIP to reduce latency and ensure call quality. By applying per-application shaping policies, VoIP traffic receives guaranteed bandwidth and higher priority, while non-critical applications are managed separately.
Option B (SD-WAN load balancing) optimizes path selection but does not prioritize applications within the LAN/WAN effectively. Option C (IPS Sensor) inspects for threats but does not influence traffic performance. Option D (SSL Inspection) decrypts traffic but cannot prioritize bandwidth.
Implementation involves creating a traffic shaping policy targeting VoIP ports or application signatures, assigning guaranteed bandwidth and priority, and applying the policy to relevant firewall policies. For example, SIP or RTP traffic is prioritized during peak network usage, ensuring voice calls maintain high quality. Non-critical applications such as video streaming can be throttled to preserve bandwidth for essential services. FortiView can monitor traffic performance and verify policy effectiveness. Regular updates to traffic shaping policies ensure optimal performance as applications or usage patterns change. This configuration balances network efficiency while maintaining quality for business-critical communications.
Question 56:
You want FortiGate 7.6 to allow remote SSL VPN users to access only specific internal servers based on group membership. Which configuration should be applied?
A) SSL VPN → Configure user groups → Assign per portal and define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user
Answer: A) – SSL VPN → Configure user groups → Assign per portal and define restricted resources
Explanation
FortiGate 7.6 allows SSL VPN portals to restrict access to internal resources based on user groups. By creating user groups and mapping them to specific SSL VPN portals, administrators can control which servers or subnets are accessible to remote users. This provides a granular access control model, ensuring users only reach authorized systems while maintaining security.
Option B (IPsec VPN) provides encrypted site-to-site tunnels but does not offer user-level resource restriction. Option C (Web Filtering) controls web access, not VPN resource access. Option D (Traffic Shaping) manages bandwidth but does not restrict resources.
Implementation involves defining user groups in FortiGate, creating SSL VPN portals with specified accessible resources, and applying group memberships. For example, finance users are granted access only to the accounting server and ERP system, while HR users access HR applications. Logging of user activity provides visibility into portal usage. Endpoint compliance can be combined to enforce additional security checks before allowing access. Regular review of portal assignments and group memberships ensures alignment with evolving business requirements and prevents unauthorized resource access. This method improves security, reduces attack surface, and enables controlled remote access.
Question 57:
You want FortiGate 7.6 to inspect and block malware in encrypted HTTPS traffic but avoid inspecting critical SaaS applications. Which configuration is correct?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Application Control → Block SaaS applications
D) Traffic Shaping → Limit HTTPS traffic
Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
Explanation
SSL Deep Inspection decrypts HTTPS traffic to allow malware scanning, IPS enforcement, and application control. However, some SaaS applications use certificate pinning and fail under deep inspection. FortiGate 7.6 allows administrators to create bypass rules for these trusted SaaS applications to maintain service continuity.
Option A, SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS, is the correct approach for inspecting encrypted traffic while maintaining performance and trust for critical cloud services. SSL Deep Inspection allows the firewall to decrypt, inspect, and re-encrypt HTTPS traffic to detect threats, enforce content policies, and apply security profiles such as antivirus, web filtering, and application control. Enabling scanning ensures that all encrypted traffic is examined in real-time, protecting users from malware, phishing attempts, or data exfiltration attempts hidden within SSL/TLS traffic.
Because many organizations rely on trusted SaaS applications—such as Office 365, Salesforce, or Google Workspace—it is critical to configure bypass rules for these services. Bypassing trusted SaaS ensures that SSL decryption does not interfere with legitimate applications, prevents certificate errors, and maintains optimal performance. Administrators can define policies based on IP addresses, FQDNs, or categories to exclude specific applications from decryption, balancing security with usability. This approach maintains comprehensive threat inspection across the network while avoiding disruptions to essential business applications.
Option B, SSL Certificate Inspection → Apply globally, differs from Deep Inspection in that it performs only certificate validation without decrypting the traffic. SSL Certificate Inspection can detect expired, invalid, or untrusted certificates, protecting against man-in-the-middle attacks. However, it does not allow content-level inspection, meaning malware, phishing, or sensitive data leaks within HTTPS traffic will go undetected. Applying it globally provides some security benefit, but it cannot replace SSL Deep Inspection for organizations that require full visibility into encrypted traffic.
Option C, Application Control → Block SaaS applications, is a broad enforcement action targeting SaaS applications, which may be unnecessary or overly restrictive. While Application Control can identify and block unauthorized SaaS applications, it does not inspect the content of encrypted traffic or detect threats hidden within HTTPS sessions. Blocking entire SaaS categories without inspecting traffic could disrupt business operations, especially when trusted applications are widely used. It is also less precise than Deep Inspection combined with bypass rules, which allows security scanning without impacting legitimate SaaS services.
Option D, Traffic Shaping → Limit HTTPS traffic, addresses network performance rather than security. Traffic shaping can restrict bandwidth usage for HTTPS sessions to prevent congestion or prioritize critical applications. While useful for quality-of-service (QoS) management, it does not provide any threat detection, malware scanning, or content inspection. Limiting HTTPS traffic may improve performance in some cases, but leaves encrypted traffic unexamined, allowing potential threats to pass undetected.
In practice, Option A provides a balanced, effective approach. By enabling SSL Deep Inspection and configuring scanning, administrators gain full visibility into encrypted traffic, ensuring that malware, phishing, and policy violations are detected. Bypass rules for trusted SaaS maintain application performance and prevent unnecessary certificate warnings. This combination enables organizations to secure modern networks where HTTPS dominates without disrupting critical business operations. SSL Deep Inspection integrates seamlessly with other FortiGate security features, such as IPS, antivirus, and web filtering, providing layered protection.
In conclusion, SSL Deep Inspection with scanning and selective bypass rules is the most effective method to inspect encrypted traffic. Options B, C, and D provide partial benefits but cannot deliver full content-level inspection or maintain secure access to trusted SaaS applications. Option A ensures robust threat detection, operational continuity, and optimal network performance, making it the preferred configuration for modern enterprise environments.
Option B (SSL Certificate Inspection) validates certificates but does not scan content. Option C (Application Control → Block SaaS applications) would block access rather than selectively inspect. Option D (Traffic Shaping) controls bandwidth, not inspection.
Implementation involves creating an SSL/SSH inspection profile, enabling malware scanning and IPS, and defining exceptions for critical SaaS applications. For example, Office 365 traffic bypasses deep inspection, while other encrypted traffic is fully scanned. Logging captures both inspected and bypassed traffic. Periodic review of bypass rules ensures new SaaS applications are correctly handled without disrupting business operations. This approach provides a balance between security and application functionality, protecting against threats while maintaining productivity.
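The periodic review of bypass rules described above can be partly automated. The following is an added example, not Fortinet code or part of the original page: it checks a list of wildcard-FQDN exemptions against hostnames seen in traffic and flags exemptions that are over-broad or unused. The pattern list, hostnames and matching rule are assumptions constructed for the illustration.

```python
# Constructed exemption list and constructed hostnames from a log export.
EXEMPT = ["*.mail.example.com", "crm.example.net", "*.com", "*.legacy.example.org"]
SEEN_HOSTS = [
    "outlook.mail.example.com",
    "crm.example.net",
    "files.example.com",
    "mail.example.com.cdn.example.io",   # look-alike: must NOT be exempt
]

def matches(pattern, host):
    """Assumed rule: a leading '*.' stands for one or more whole DNS labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # e.g. ".mail.example.com"
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern

def overbroad(pattern):
    """Heuristic: wildcard outside the leftmost label, or fewer than two
    fixed labels after it (it does not know public suffixes like co.uk)."""
    labels = pattern.lower().rstrip(".").split(".")
    misplaced = any("*" in l for l in labels[1:]) or ("*" in labels[0] and labels[0] != "*")
    fixed = [l for l in labels if "*" not in l]
    return misplaced or ("*" in pattern and len(fixed) < 2)

def review(exempt, hosts):
    """Return the bypass decision per host plus the findings to act on."""
    narrow = [p for p in exempt if not overbroad(p)]
    decisions, used = {}, set()
    for host in hosts:
        hit = next((p for p in exempt if matches(p, host)), None)
        decisions[host] = hit                      # None means: deep-inspected
        if hit:
            used.add(hit)
    return {
        "decisions": decisions,
        "overbroad": [p for p in exempt if overbroad(p)],
        "unused": [p for p in exempt if p not in used],
        # hosts that escape inspection only because of an over-broad pattern
        "only_overbroad": [h for h in hosts
                           if decisions[h] and not any(matches(p, h) for p in narrow)],
    }

if __name__ == "__main__":
    for key, value in review(EXEMPT, SEEN_HOSTS).items():
        print(key, "->", value)
```

Hosts listed under `only_overbroad` are uninspected traffic that no specific SaaS exemption justifies, which makes them the first entries to examine in a review.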
Question 58:
A FortiGate 7.6 administrator wants to prevent multiple failed login attempts to the web portal from causing account compromise. Which feature is correct?
A) Administrative Account Lockout → Configure threshold and lockout duration
B) Traffic Shaping → Apply per admin interface
C) SSL Inspection → Apply to admin traffic
D) IPS Sensor → Enable login brute-force detection
Answer: A) – Administrative Account Lockout → Configure threshold and lockout duration
Explanation
Administrative Account Lockout protects against brute-force attacks by automatically locking accounts after a configurable number of failed login attempts within a specified time window. This prevents attackers from repeatedly guessing credentials and gaining unauthorized access.
Option B (Traffic Shaping) manages bandwidth, not login security. Option C (SSL Inspection) decrypts traffic but does not enforce account lockouts. Option D (IPS Sensor) detects network threats but does not directly lock admin accounts.
Implementation involves configuring thresholds (e.g., 5 failed attempts) and lockout durations (e.g., 15 minutes), along with logging and alerts. For example, if an attacker tries to brute-force an admin account, the account locks, and an alert is generated. Combining this with FortiToken two-factor authentication further secures administrative access. Regular monitoring and review of lockout settings ensure effectiveness without accidentally locking legitimate users. This configuration reduces the risk of account compromise and enhances overall network security.
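How the threshold and lockout duration interact, including the side effect of locking out the legitimate administrator, is easier to see when replayed over a sequence of attempts. The following is an added example, not FortiOS code or part of the original page: a simplified model that counts consecutive failures per account, using the 5-attempt and 15-minute values from the text. The class, function names and events are constructed for the illustration.

```python
from datetime import datetime, timedelta

class LockoutTracker:
    """Simplified model: N consecutive failures lock the account for a fixed time."""

    def __init__(self, threshold=5, lockout=timedelta(minutes=15)):
        self.threshold = threshold      # page's example: 5 failed attempts
        self.lockout = lockout          # page's example: 15 minutes
        self.failures = {}              # account -> consecutive failures
        self.locked_until = {}          # account -> time the lockout ends

    def attempt(self, account, when, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        until = self.locked_until.get(account)
        if until is not None and when < until:
            return "locked"             # refused even when the password is right
        if until is not None:           # lockout has expired: count afresh
            del self.locked_until[account]
            self.failures[account] = 0
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.threshold:
            self.locked_until[account] = when + self.lockout
        return "failed"

# Constructed sample events: (time of day, account, password correct?)
EVENTS = [
    ("09:00:00", "admin", False),
    ("09:00:10", "admin", False),
    ("09:00:20", "admin", False),
    ("09:00:30", "admin", False),
    ("09:00:40", "admin", False),   # 5th failure: locked until 09:15:40
    ("09:00:50", "admin", False),   # further guess is refused outright
    ("09:05:00", "admin", True),    # legitimate admin is locked out as well
    ("09:16:00", "admin", True),    # lockout expired: login succeeds
]

def replay(events, tracker=None):
    """Feed events through a tracker and return the outcome of each attempt."""
    tracker = tracker or LockoutTracker()
    results = []
    for clock, account, ok in events:
        when = datetime.strptime("2025-01-01 " + clock, "%Y-%m-%d %H:%M:%S")
        results.append(tracker.attempt(account, when, ok))
    return results

if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(EVENTS)):
        print(event, "->", result)
```

The seventh event shows why lockout settings need review: a guessing attempt against a known account name also denies access to its real owner for the whole lockout period.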
Question 59:
You want FortiGate 7.6 to identify and report top bandwidth-consuming applications and users for capacity planning. Which feature should be used?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Web Filtering → Block non-business sites
C) IPS Sensor → Apply to all traffic
D) Traffic Shaping → Apply per firewall policy
Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports
Explanation
FortiView provides real-time and historical traffic analysis, including top bandwidth-consuming users, applications, and devices. Administrators can generate reports for capacity planning, identify performance bottlenecks, and optimize network usage.
Option B (Web Filtering) restricts access but does not provide detailed usage statistics. Option C (IPS Sensor) inspects traffic for threats but does not provide bandwidth reporting. Option D (Traffic Shaping) controls bandwidth allocation but does not generate consumption reports.
Implementation involves enabling logging for all firewall policies, accessing FortiView dashboards, and analyzing bandwidth usage by application, user, or IP. For example, identifying video streaming or SaaS services as high-bandwidth users allows administrators to adjust traffic shaping policies accordingly. Reports can be scheduled for management or compliance purposes. Periodic analysis helps plan infrastructure upgrades, optimize traffic flows, and ensure that critical applications receive adequate resources. This proactive approach ensures efficient network operation and improved service delivery.
Question 60:
You want FortiGate 7.6 to automatically update antivirus, IPS, and application signatures without manual intervention. Which configuration is correct?
A) Enable FortiGuard Security Services → Configure automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – Enable FortiGuard Security Services → Configure automatic updates → Apply to all security profiles
Explanation
FortiGate 7.6 integrates with FortiGuard Security Services for real-time updates of antivirus, IPS, and application control signatures. Automatic updates ensure all devices remain protected against newly discovered threats without manual intervention.
Option A, Enable FortiGuard Security Services → Configure, is the correct approach for leveraging Fortinet’s cloud-based threat intelligence to protect network resources. FortiGuard Security Services provides real-time updates for antivirus, IPS, web filtering, application control, antispam, and other security profiles. Enabling FortiGuard ensures that your FortiGate device can automatically receive the latest threat signatures and intelligence, protecting against newly discovered malware, exploits, and other vulnerabilities without manual intervention. After enabling the service, administrators can configure specific FortiGuard features, such as defining which services to apply to traffic, setting action responses (block, monitor, or allow), and integrating with firewall policies. For example, by enabling FortiGuard IPS and configuring it in security policies, the FortiGate can block attempts to exploit newly discovered vulnerabilities in web applications or network services. Similarly, enabling FortiGuard Antivirus ensures that malware-laden files and email attachments are detected and quarantined. Regular configuration review ensures policies remain aligned with evolving threats and organizational risk tolerance, providing robust, automated protection with minimal administrative effort.
Option B, Enable antivirus manually → Apply to each firewall policy, is partially related but significantly less efficient. While manually enabling antivirus on each firewall policy provides basic protection, it requires continuous manual updates and intervention. Without integration with FortiGuard, signatures will become outdated quickly, leaving the network vulnerable to zero-day threats and newly discovered malware. Additionally, manual configuration across multiple policies increases the risk of inconsistencies, misconfigurations, and gaps in protection, especially in large networks with numerous firewall rules. Therefore, while feasible, it is not the recommended enterprise approach compared to leveraging automated FortiGuard Security Services.
Option C, Traffic Shaping → Apply per security profile, is a network performance optimization feature rather than a security mechanism. Traffic shaping allows administrators to prioritize bandwidth for critical applications, limit bandwidth for non-essential traffic, or control traffic flow based on categories. While important for maintaining quality of service (QoS) and ensuring that high-priority traffic, such as VoIP or business-critical applications, receives sufficient bandwidth, traffic shaping does not protect against malware, exploits, or other threats. Therefore, applying traffic shaping per security profile addresses network performance but does not replace the automated threat protection offered by FortiGuard.
Option D, Application Control → Update signatures manually, is related to threat detection but is inefficient in practice. Application Control uses signatures to identify and control applications traversing the network. Manually updating these signatures can be time-consuming and error-prone, especially in environments with hundreds or thousands of applications and frequent updates. Without automated updates from FortiGuard, the system may miss new or modified applications, allowing users to run unauthorized software or potentially risky applications. FortiGuard provides automatic signature updates, ensuring Application Control remains current and accurate without requiring continuous manual intervention.
In practice, enabling FortiGuard Security Services provides a centralized, automated, and continuously updated security intelligence feed. It reduces administrative burden, ensures consistent protection across all firewall policies, and integrates with multiple security features such as antivirus, IPS, web filtering, and application control. Options B, C, and D, while useful for specific tasks like manual antivirus configuration, traffic management, or selective application control, cannot provide the same level of automated, comprehensive, and proactive security coverage. By selecting Option A, organizations ensure their network defenses remain current, effective, and scalable, protecting against evolving threats while simplifying ongoing management and compliance.
Implementation involves subscribing to FortiGuard services, enabling automatic updates for antivirus, IPS, and application control, and applying them to all security profiles. Logs track update success and failures. For example, new malware definitions and IPS signatures are automatically pushed daily to all devices, reducing vulnerability windows. Regular monitoring ensures all updates are applied successfully. Automatic updates enhance security, reduce administrative workload, and maintain consistent protection across the network. This proactive configuration strengthens the overall security posture and ensures continuous threat defense.
