Fortinet FCP_FGT_AD-7.6 FCP – FortiGate 7.6 Administrator Exam Dumps and Practice Test Questions Set 5 Q81-100
Question 81:
A FortiGate 7.6 administrator wants to ensure all outbound DNS queries are filtered for malicious domains, even if the traffic is encrypted. Which configuration is correct?
A) DNS Filter Profile → Apply to firewall policies → Enable malware domain filtering
B) Web Filtering → Apply only to HTTP traffic
C) SSL Inspection → Apply globally
D) Application Control → Block unknown DNS clients
Answer: A) – DNS Filter Profile → Apply to firewall policies → Enable malware domain filtering
Explanation
FortiGate 7.6 provides DNS Filtering, which inspects DNS queries to block requests to malicious or unwanted domains. This protects against phishing, botnets, and malware communication. DNS filtering works for both plain DNS and DNS-over-HTTPS (DoH) when combined with SSL inspection.
Option B, Web Filtering, is designed to inspect and classify web traffic, particularly HTTP and HTTPS. While it can block access to websites after a DNS lookup has occurred, it cannot detect or block the DNS request itself. Web Filtering evaluates URL categories, web reputation, and site content only after the user or device has already resolved the domain name. This means malware that uses DNS for command-and-control (C2) communication, data exfiltration, DNS tunneling, or botnet check-ins can bypass Web Filtering entirely because such malicious traffic often does not involve a traditional “web browsing” session. For example, a trojan can send a DNS TXT query to a malicious domain and receive encoded commands without ever opening an HTTP/HTTPS session. Web Filtering has no visibility into these DNS-level communications and therefore cannot protect against DNS-based threats. This gap highlights why DNS filtering or DNS security profiles are essential in modern threat prevention strategies.
Option C, SSL Inspection, plays an important role in detecting threats hidden inside encrypted HTTPS traffic. It works by decrypting SSL/TLS sessions, inspecting the contents, and re-encrypting the data before forwarding it. However, SSL Inspection does not evaluate or control DNS queries. DNS queries are typically unencrypted (UDP/53 or TCP/53), although modern systems may use DoT (DNS over TLS) or DoH (DNS over HTTPS). Even then, SSL Inspection does not automatically decrypt DoH or DoT unless specifically configured—and many firewalls do not intercept DNS-over-HTTPS without explicit rules. More importantly, SSL Inspection focuses on content inspection, not domain reputation at the DNS layer. DNS queries may occur independently of HTTPS sessions. Malware often communicates using raw DNS packets to avoid SSL inspection entirely. Therefore, SSL Inspection alone cannot block access to malicious domains unless combined with DNS security controls.
Option D, Application Control, is built to identify, classify, and manage applications running on the network based on signatures, heuristics, and behavior. While Application Control can block specific apps (e.g., BitTorrent, TOR clients, VPN tools, or unauthorized cloud applications), it is not designed to analyze DNS traffic or evaluate the reputation of queried domains. Many malicious attacks use standard DNS queries that look like legitimate traffic from the system’s DNS service. Since DNS is not a separate “application” but a protocol, Application Control generally sees it as normal DNS traffic, making it ineffective at distinguishing between safe and malicious DNS requests. Even if malware uses DNS tunneling applications, Application Control may detect the tunneling behavior but only after the DNS traffic begins, and it still cannot block the domain being queried. It manages application behavior—not domain categorization or DNS threat intelligence—so it cannot prevent a device from resolving malicious domains.
This is why DNS Filtering or DNS Security Profiles are required in modern networks. DNS filtering evaluates domain reputation before resolution happens, blocking malicious queries at the earliest stage. This prevents malware from reaching C2 servers, reduces phishing exposure, and stops DNS-based exfiltration. DNS filtering relies on real-time threat intelligence—something Web Filtering, SSL Inspection, and Application Control do not apply directly to DNS queries. Because most modern malware families rely heavily on DNS for communication, blocking at the DNS layer is one of the most effective and proactive defenses.
In summary, while Web Filtering, SSL Inspection, and Application Control each serve important security functions, none of them directly analyze or block DNS queries. Only DNS filtering provides DNS-layer protection capable of stopping malicious domains and DNS-based attacks before they establish any connection or payload transfer.
Implementation involves creating a DNS Filter profile, enabling malware and content filtering, and applying it to firewall policies. For example, if a compromised internal host attempts to contact a known botnet domain, the DNS query is blocked before establishing a connection. FortiGuard’s threat intelligence ensures lists are up-to-date. Logs provide visibility into blocked queries and attempts. Regular reviews and integration with FortiView dashboards help administrators monitor patterns and adjust policies. This configuration reduces malware propagation and phishing risks by blocking malicious domains at the DNS level before any harmful traffic reaches internal systems.
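The log review described above, as an added example (not part of the original page and not Fortinet tooling): a Python script that summarises blocked DNS queries per internal host and flags long TXT lookups of the kind the Option B explanation describes. The log lines are constructed, and the field names (srcip, qname, qtype, action) are assumptions to be mapped to the fields in your own log export.

```python
import re
from collections import defaultdict

# A 48-character label, constructed to stand in for encoded data in a query name.
LONG_LABEL = "ab12" * 12

# Constructed sample lines in key=value style. The field names (srcip, qname,
# qtype, action) are assumptions, not a guaranteed log schema.
SAMPLE_LOG = f'''\
date=2025-01-14 time=09:14:02 srcip=10.0.5.21 qname="updates.vendor.example" qtype="A" action="pass"
date=2025-01-14 time=09:14:05 srcip=10.0.5.37 qname="checkin.botnet.test" qtype="A" action="block"
date=2025-01-14 time=09:14:35 srcip=10.0.5.37 qname="checkin.botnet.test" qtype="A" action="block"
date=2025-01-14 time=09:15:05 srcip=10.0.5.37 qname="backup.botnet.test" qtype="A" action="block"
date=2025-01-14 time=09:15:40 srcip=10.0.5.44 qname="{LONG_LABEL}.t.tunnel.test" qtype="TXT" action="pass"
date=2025-01-14 time=09:16:11 srcip=10.0.5.21 qname="login.phish.test" qtype="A" action="block"
date=2025-01-14 time=09:16:30 srcip=10.0.5.21 qname="_dmarc.vendor.example" qtype="TXT" action="pass"
'''

# key=value, where the value is either "quoted" or a bare token
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for m in KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def triage(log_text, block_threshold=3, txt_label_len=40):
    """Summarise DNS filter activity per source host.

    repeat_blocked_hosts: hosts with at least block_threshold blocked queries,
        which is the pattern a periodically beaconing host produces.
    blocked_domains: the distinct blocked names each host asked for.
    long_txt_queries: TXT lookups whose longest label is unusually long, a
        common sign of data encoded into the query name.
    """
    blocked_count = defaultdict(int)
    blocked_names = defaultdict(set)
    long_txt = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if "qname" not in f:
            continue  # not a DNS record
        src = f.get("srcip", "unknown")
        qname = f["qname"].lower().rstrip(".")
        if f.get("action") == "block":
            blocked_count[src] += 1
            blocked_names[src].add(qname)
        longest_label = max(len(label) for label in qname.split("."))
        if f.get("qtype", "").upper() == "TXT" and longest_label >= txt_label_len:
            long_txt.append((src, qname))
    return {
        "repeat_blocked_hosts": sorted(
            s for s, n in blocked_count.items() if n >= block_threshold
        ),
        "blocked_domains": {s: sorted(d) for s, d in blocked_names.items()},
        "long_txt_queries": long_txt,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Hosts with repeated blocked lookups:", report["repeat_blocked_hosts"])
    for host, names in sorted(report["blocked_domains"].items()):
        print(f"  {host}: {', '.join(names)}")
    print("Long TXT queries to review:", report["long_txt_queries"])
```

The long TXT query in the sample has action "pass": a query that the reputation feed does not yet know still shows up in this report, which is why reviewing the logs is worth doing in addition to blocking.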
Question 82:
You want FortiGate 7.6 to enforce Multi-Factor Authentication (MFA) for external SSL VPN users while allowing seamless access from trusted corporate devices. Which configuration is correct?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts
Answer: A) – Conditional Access → Require MFA for external access → Apply per user group
Explanation
FortiGate 7.6 integrates with identity providers like Azure AD to enforce Conditional Access policies, which can require MFA selectively based on network location, device state, or user group. This protects critical resources while minimizing friction for users on trusted devices.
Option B, Security Defaults, is Microsoft’s baseline security configuration designed to provide fundamental protection for tenants without requiring advanced configuration. While Security Defaults enforce Multi-Factor Authentication (MFA) for all users, administrators cannot customize the MFA requirement based on conditions such as location, device compliance, risk levels, or application type. This lack of flexibility makes it unsuitable for scenarios where an organization wants to allow seamless access from the corporate network while challenging external users with MFA. Security Defaults apply an “all-or-nothing” enforcement approach, meaning MFA is mandatory regardless of whether a user signs in from a trusted IP range, a corporate device, or an untrusted network. As a result, organizations that need granular control over authentication flows must use Conditional Access policies, which allow selectively applying MFA only when risk is high or when users connect from outside the corporate network. Security Defaults offer basic protection but cannot support nuanced, scenario-based MFA enforcement.
Option C, Pass-through Authentication (PTA), enables users to sign in to Microsoft 365 services using on-premises Active Directory credentials. PTA authenticates users by forwarding the password to on-prem domain controllers for verification. However, PTA focuses solely on authentication, not authorization or access control. It does not provide the ability to enforce MFA conditions, evaluate risk levels, or apply any policies based on IP location or device state. Even though PTA can work together with Azure AD MFA, it cannot independently trigger MFA or enforce conditional requirements. Organizations that rely solely on PTA cannot achieve location-based MFA or conditional access logic; they must configure Conditional Access policies in Azure AD to enforce MFA dynamically. PTA serves an identity validation function, not a policy enforcement function, and therefore fails to provide the conditional, context-aware MFA capabilities required in this scenario.
Option D, Azure AD B2B (Business-to-Business), is designed to enable external users (guests) to collaborate with an organization while maintaining control over their access. B2B supports cross-tenant access, federation, external user identity management, and guest access restrictions. However, Azure AD B2B does not manage or enforce MFA policies for internal employees, nor does it support conditional MFA based on location for internal user accounts. It applies only to external identities and defines how guest users authenticate and access shared resources. Even though Conditional Access can be applied to both internal and guest users, B2B itself does not provide the functionality needed to enforce MFA based on location or risk. It simply handles external identity federation and collaboration scenarios. Therefore, Azure AD B2B cannot satisfy the requirement of enforcing MFA only when users connect from outside the corporate network.
In contrast, the correct solution—Conditional Access—enables organizations to define custom, risk-responsive authentication policies. With Conditional Access, administrators can enforce MFA only when users sign in from untrusted networks, unknown devices, or unusual locations. They can also create exceptions for corporate IP ranges, compliant devices, or low-risk conditions, allowing seamless access from trusted environments while maintaining high security externally. Conditional Access integrates with Azure AD Identity Protection to evaluate risk signals such as impossible travel, atypical behavior, or leaked credentials. This makes it the only option capable of providing adaptive, fine-grained MFA enforcement based on real-time context.
In summary, Security Defaults are too rigid, Pass-through Authentication cannot enforce MFA, and Azure AD B2B manages external identities rather than internal access requirements. Only Conditional Access delivers the dynamic, location-based MFA enforcement required by modern organizations.
Implementation involves creating a Conditional Access policy, targeting relevant user groups, defining trusted locations (corporate networks), and enabling MFA for external access. For example, a user signing in from home will be prompted for MFA, while a corporate laptop at the office allows seamless access. Logs enable monitoring for compliance and potential risky logins. This adaptive approach strengthens authentication security where risk is higher while maintaining productivity for trusted internal users.
Question 83:
A FortiGate 7.6 administrator wants to prevent sensitive financial data from being uploaded to cloud storage while allowing normal web browsing. Which configuration is correct?
A) DLP Profile → Apply to firewall policies → Inspect outbound traffic for sensitive data patterns
B) Web Filtering → Block all cloud storage
C) SSL Inspection → Enable globally
D) Application Control → Block email clients
Answer: A) – DLP Profile → Apply to firewall policies → Inspect outbound traffic for sensitive data patterns
Explanation
Data Loss Prevention (DLP) allows FortiGate to scan outbound traffic for sensitive information such as financial data, customer PII, or intellectual property. By applying DLP profiles to relevant firewall policies, administrators can block or log attempts to upload confidential files to cloud services or email.
Option B (Web Filtering) blocks sites but does not inspect file contents. Option C (SSL Inspection) decrypts traffic but without DLP cannot enforce data protection. Option D (Application Control) blocks applications but cannot analyze sensitive content.
Implementation involves creating DLP profiles with predefined patterns or custom regex rules, applying them to outbound policies, and enabling logging. For example, an employee attempting to upload a spreadsheet containing customer financial data to Google Drive will be blocked, and an alert is generated. Regular updates ensure protection against new sensitive data types. Combining DLP with SSL inspection ensures encrypted traffic is also inspected. This configuration enforces security policies, reduces regulatory risks, and prevents accidental or malicious data exfiltration while preserving legitimate web access.
Question 84:
A FortiGate 7.6 administrator wants to prioritize VoIP traffic while limiting bandwidth for video streaming. Which configuration is correct?
A) Traffic Shaping Policy → Apply per application → Assign guaranteed bandwidth and priority
B) SD-WAN → Load balance all traffic equally
C) IPS Sensor → Enable for VoIP
D) SSL Inspection → Enable globally
Answer: A) – Traffic Shaping Policy → Apply per application → Assign guaranteed bandwidth and priority
Explanation
Traffic Shaping allows FortiGate to assign priority and guaranteed bandwidth to critical applications like VoIP, ensuring minimal latency and jitter. Non-critical applications, such as video streaming, can be throttled to avoid impacting performance of essential services.
Option B (SD-WAN load balancing) selects optimal links but does not prioritize traffic at the bandwidth level. Option C (IPS Sensor) detects threats but does not manage traffic performance. Option D (SSL Inspection) decrypts traffic but does not control bandwidth.
Implementation involves defining traffic shaping policies targeting VoIP ports (RTP/SIP), assigning high priority and guaranteed bandwidth, and creating lower priority rules for video streaming applications. For example, video conferencing traffic gets high priority, while YouTube streaming is limited. FortiView dashboards allow monitoring of performance, bandwidth usage, and latency. Policies can be updated as application usage changes. This ensures consistent VoIP call quality while maintaining overall network efficiency.
Question 85:
A FortiGate 7.6 administrator wants all devices to automatically update antivirus, IPS, and application control signatures without manual intervention. Which configuration is correct?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
FortiGuard Security Services provides real-time updates for IPS, antivirus, and application control signatures. Enabling automatic updates ensures all FortiGate devices are protected against emerging threats without manual administration, reducing risk of outdated protection.
Option B (SSL Inspection) decrypts traffic but does not update signatures. Option C (Traffic Shaping) controls bandwidth but does not manage threat intelligence. Option D (Application Control → Manual updates) increases administrative effort and risks outdated signatures.
Implementation involves subscribing to FortiGuard services, enabling automatic updates for all security profiles, and monitoring logs to confirm updates are applied successfully. For example, new malware signatures and IPS rules are automatically pushed to all devices daily, ensuring timely protection. Regular monitoring ensures compliance and coverage across all devices. This reduces administrative overhead, strengthens security posture, and ensures continuous protection against evolving threats. Automated updates are critical for maintaining a secure and compliant network environment.
Question 86:
A FortiGate 7.6 administrator wants to ensure that branch offices can access SaaS applications over multiple WAN links and automatically route traffic through the fastest available path. Which configuration is correct?
A) SD-WAN → Application-based routing → Enable link performance monitoring
B) Static Routing → Configure multiple default gateways
C) Transparent Mode → Bridge WAN interfaces
D) SSL VPN → Enable per branch user
Answer: A) – SD-WAN → Application-based routing → Enable link performance monitoring
Explanation
SD-WAN in FortiGate 7.6 allows intelligent routing of traffic across multiple WAN links based on application type and link performance metrics such as latency, jitter, and packet loss. By using application-based routing, administrators can ensure that critical SaaS applications take the most optimal path while balancing non-critical traffic across other links.
Option B (Static Routing) only provides failover or multiple paths but cannot dynamically select the best-performing link based on metrics. Option C (Transparent Mode) bridges interfaces but does not optimize traffic or route applications. Option D (SSL VPN) provides remote access but does not manage branch-to-SaaS traffic optimization.
Implementation involves creating an SD-WAN zone, adding WAN members, defining performance SLAs, and creating application-based routing rules. For example, Office 365 traffic from a branch office is automatically routed over the lowest-latency link, while backup traffic can be sent over a lower-priority link. FortiView dashboards allow monitoring of traffic flows, performance metrics, and SLA compliance. Periodic review ensures that routing rules and link thresholds match evolving business requirements. This approach enhances SaaS performance, ensures reliability, and maintains security by applying standard inspection profiles to SD-WAN traffic.
Question 87:
You want FortiGate 7.6 to block access to social media sites during business hours but allow access during lunch breaks. Which configuration is correct?
A) Web Filtering → Apply to firewall policies → Configure schedule-based rules
B) Application Control → Block all unknown apps
C) SSL Deep Inspection → Apply globally
D) Traffic Shaping → Limit bandwidth for social media
Answer: A) – Web Filtering → Apply to firewall policies → Configure schedule-based rules
Explanation
Web Filtering allows administrators to block entire categories of websites, specific domains, or URLs. By combining Web Filtering with schedule-based rules, organizations can restrict access during working hours while allowing access during designated breaks, such as lunch hours.
Option B (Application Control) targets applications, not website categories, and cannot enforce time-based restrictions. Option C (SSL Deep Inspection) decrypts encrypted traffic but does not control access based on schedules. Option D (Traffic Shaping) throttles bandwidth but cannot fully block access.
Implementation involves creating a Web Filtering profile, adding the “Social Media” category to the blocked list, applying it to outbound firewall policies, and configuring schedules (e.g., block 9 AM–5 PM, allow 12 PM–1 PM). Logs provide visibility into blocked attempts and help refine policies. Periodic reviews ensure categories and schedules align with organizational requirements. This approach improves productivity while allowing controlled access, balancing security and employee convenience.
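An added example (not from the original page and not FortiOS code) that models the schedule in the paragraph above as first-match policy evaluation: because the 12 PM–1 PM allow window lies inside the 9 AM–5 PM block window, the lunch rule only takes effect if it is evaluated before the block rule. The Schedule and Policy classes, the policy names and the category strings are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

WEEKDAYS = frozenset(range(5))  # Monday=0 .. Friday=4


@dataclass(frozen=True)
class Schedule:
    start: time
    end: time                     # exclusive upper bound
    days: frozenset = WEEKDAYS

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Policy:
    name: str
    category: Optional[str]       # None matches any web category
    schedule: Optional[Schedule]  # None means always active
    action: str                   # "allow" or "block"


def decide(policies, category, when):
    """Return (action, policy name) of the first policy that matches.

    A policy whose schedule is not active at `when` is skipped, so evaluation
    falls through to the next policy in the list.
    """
    for p in policies:
        if p.schedule is not None and not p.schedule.active(when):
            continue
        if p.category is not None and p.category != category:
            continue
        return p.action, p.name
    return "block", "implicit-deny"


LUNCH_ALLOW = Policy("lunch-social-allow", "Social Media",
                     Schedule(time(12, 0), time(13, 0)), "allow")
WORK_BLOCK = Policy("work-social-block", "Social Media",
                    Schedule(time(9, 0), time(17, 0)), "block")
DEFAULT_WEB = Policy("default-web", None, None, "allow")

# The narrower lunch window is listed first so it can match.
CORRECT_ORDER = [LUNCH_ALLOW, WORK_BLOCK, DEFAULT_WEB]
# Here the 9-5 block matches at 12:30 and the lunch rule is never reached.
SHADOWED_ORDER = [WORK_BLOCK, LUNCH_ALLOW, DEFAULT_WEB]


def at(hour, minute, day=14):
    """A timestamp in a constructed test week: 14 Jan 2025 is a Tuesday."""
    return datetime(2025, 1, day, hour, minute)


if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("shadowed", SHADOWED_ORDER)):
        for when in (at(10, 0), at(12, 30), at(18, 0), at(12, 30, day=18)):
            action, name = decide(order, "Social Media", when)
            print(f"{label:8} {when:%a %H:%M} -> {action:5} ({name})")
```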
Question 88:
A FortiGate 7.6 administrator wants to detect botnet command-and-control (C&C) traffic originating from internal devices. Which configuration is correct?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Traffic Shaping → Apply per user group
C) SSL Inspection → Enable globally
D) Web Filtering → Block suspicious URLs
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
IPS (Intrusion Prevention System) in FortiGate can detect malicious traffic patterns, including botnet command-and-control (C&C) communications. By enabling the appropriate IPS signatures and applying the sensor to firewall policies, the system can block infected devices attempting to communicate with external malicious servers.
Option B (Traffic Shaping) manages bandwidth but cannot detect malware. Option C (SSL Inspection) decrypts traffic but requires IPS or antivirus to detect threats. Option D (Web Filtering) blocks access to malicious URLs but cannot detect non-web-based botnet communications.
Implementation involves enabling IPS signatures for botnet detection, applying the sensor to relevant firewall policies, and monitoring logs for alerts. For example, if a workstation infected by malware attempts to contact a C&C server, traffic is blocked and logged. FortiGuard regularly updates IPS signatures to ensure new threats are detected. Combining IPS with SSL inspection and antivirus scanning provides comprehensive protection. Regular review of IPS logs ensures timely detection and response, reducing the risk of compromised devices participating in botnets or data exfiltration.
Question 89:
You want FortiGate 7.6 to allow SSL VPN users to access only specific internal servers based on group membership. Which configuration is correct?
A) SSL VPN → Configure user groups → Assign per portal and define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user
Answer: A) – SSL VPN → Configure user groups → Assign per portal and define restricted resources
Explanation
FortiGate 7.6 allows SSL VPN portals to restrict access based on user group membership, ensuring that remote users only access authorized internal servers, subnets, or applications. This enforces least-privilege access and reduces the network’s attack surface.
Option B (IPsec VPN) provides encrypted tunnels but does not offer user-level resource restriction. Option C (Web Filtering) controls web access but not VPN resource access. Option D (Traffic Shaping) manages bandwidth but cannot restrict resource access.
Implementation involves creating user groups, mapping them to SSL VPN portals, and defining accessible resources for each group. For example, finance users can access the accounting server, while HR users access only HR systems. Endpoint compliance checks can be added to enforce security posture. Logs capture portal access activity for auditing. Regular reviews ensure that group memberships and portal assignments reflect organizational changes. This configuration enhances security, enforces controlled remote access, and prevents unauthorized data exposure.
Question 90:
You want FortiGate 7.6 to automatically update antivirus, IPS, and application control signatures for all devices without manual intervention. Which configuration is correct?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
FortiGuard Security Services provides real-time updates for antivirus, IPS, and application control signatures. Enabling automatic updates ensures that all FortiGate devices are protected against emerging threats without manual administration, maintaining consistent protection across the network.
Option B (SSL Inspection) decrypts traffic but does not update signatures. Option C (Traffic Shaping) controls bandwidth but does not manage threat intelligence. Option D (Application Control → Manual updates) increases administrative effort and risks outdated protection.
Implementation involves subscribing to FortiGuard services, enabling automatic updates for all security profiles, and monitoring logs to confirm successful application of updates. For example, new malware definitions and IPS rules are automatically distributed daily, reducing exposure to new threats. Regular monitoring ensures updates are applied consistently across all devices. Automated updates reduce administrative overhead, maintain high security posture, and ensure continuous defense against evolving threats, which is critical for maintaining a secure and compliant network environment.
Question 91:
A FortiGate 7.6 administrator wants to prevent sensitive financial data from leaving the network via email or cloud storage while allowing normal web browsing. Which configuration is correct?
A) DLP Profile → Apply to firewall policies → Inspect outbound traffic for sensitive data patterns
B) Web Filtering → Block all cloud storage
C) SSL Inspection → Enable globally
D) Application Control → Block email clients
Answer: A) – DLP Profile → Apply to firewall policies → Inspect outbound traffic for sensitive data patterns
Explanation
Data Loss Prevention (DLP) in FortiGate 7.6 inspects outbound traffic to prevent leakage of sensitive information, including financial data, PII, or intellectual property. By applying a DLP profile to outbound firewall policies, administrators can block or log attempts to upload confidential files via email, cloud storage, or other protocols.
Option B (Web Filtering) only blocks access to certain websites but does not inspect file contents. Option C (SSL Inspection) decrypts traffic, but without a DLP profile it cannot prevent sensitive data leakage. Option D (Application Control) blocks applications but cannot analyze the data being transmitted.
Implementation involves creating a DLP profile with predefined patterns or custom regex rules, applying it to outbound policies, and enabling logging. For example, an attempt to upload a spreadsheet containing customer credit card information to Google Drive would be blocked and logged. FortiGuard ensures the DLP patterns are updated for new sensitive data types. Combining DLP with SSL inspection ensures encrypted traffic is also scanned. Regular monitoring and review maintain policy effectiveness, supporting compliance and reducing the risk of accidental or malicious data exfiltration while maintaining normal web usage.
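The custom-regex step described here and in Question 83, as an added example (not from the original page and not FortiGate's DLP engine): a Python scanner that finds card-number-shaped digit runs in outbound text and confirms them with the Luhn checksum, because a regex alone also matches order references and other 16-digit strings. The function names and the sample upload are constructed; the two card numbers are widely published test numbers.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_SHAPE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample upload. The card column holds public test numbers; the
# order_ref column holds 16-digit references that only look like card numbers.
SAMPLE_UPLOAD = """\
customer,card,order_ref
A. Example,4111 1111 1111 1111,1234567890123456
B. Example,5555-5555-5555-4444,1234 5678 9012 3456
"""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inspect_upload(text: str) -> dict:
    """Scan outbound text and decide whether it should be blocked.

    candidates counts every regex hit; confirmed lists (masked) only the hits
    that also pass the Luhn check, which is what drives the block decision.
    """
    candidates = 0
    confirmed = []
    for m in CARD_SHAPE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        candidates += 1
        if luhn_valid(digits):
            confirmed.append(mask(digits))
    return {
        "action": "block" if confirmed else "allow",
        "candidates": candidates,
        "confirmed": confirmed,
    }


if __name__ == "__main__":
    result = inspect_upload(SAMPLE_UPLOAD)
    print(f"{result['candidates']} card-shaped strings, "
          f"{len(result['confirmed'])} passed Luhn -> {result['action']}")
    for finding in result["confirmed"]:
        print("  match:", finding)
```

Of the four card-shaped strings in the sample, only two pass the checksum, so a rule built on the regex alone would have raised twice as many alerts for this file.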
Question 92:
A FortiGate 7.6 administrator wants to ensure branch offices can access SaaS applications over multiple WAN links and automatically route traffic through the fastest path. Which configuration is correct?
A) SD-WAN → Application-based routing → Enable link performance monitoring
B) Static Routing → Configure multiple default gateways
C) Transparent Mode → Bridge WAN interfaces
D) SSL VPN → Enable per branch user
Answer: A) – SD-WAN → Application-based routing → Enable link performance monitoring
Explanation
FortiGate 7.6 SD-WAN allows intelligent routing across multiple WAN links based on application type and link performance metrics such as latency, jitter, and packet loss. Application-based routing ensures critical SaaS applications use the optimal path while distributing less critical traffic over secondary links.
Option B (Static Routing) provides failover but does not dynamically select the best-performing path. Option C (Transparent Mode) bridges interfaces but does not optimize traffic routing. Option D (SSL VPN) provides remote access but does not manage branch-to-SaaS path optimization.
Implementation involves creating an SD-WAN zone, adding WAN members, defining performance SLAs, and configuring application-based routing. For example, Office 365 traffic from a branch office is routed over the lowest-latency WAN link while backup traffic uses a less critical path. FortiView dashboards monitor traffic flows and SLA compliance. Periodic reviews ensure routing policies remain aligned with business requirements. This configuration improves SaaS performance, reliability, and security by applying inspection policies to SD-WAN traffic.
Question 93:
You want FortiGate 7.6 to detect botnet command-and-control traffic originating from internal devices. Which configuration is correct?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Traffic Shaping → Apply per user group
C) SSL Inspection → Enable globally
D) Web Filtering → Block suspicious URLs
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
FortiGate 7.6 IPS (Intrusion Prevention System) detects malicious traffic, including botnet C&C communications. Enabling botnet IPS signatures on firewall policies ensures that infected devices attempting to contact external C&C servers are detected and blocked.
Option B (Traffic Shaping) controls bandwidth but does not detect threats. Option C (SSL Inspection) decrypts traffic but requires IPS or antivirus to identify threats. Option D (Web Filtering) blocks malicious URLs but cannot detect non-web-based botnet traffic.
Implementation involves enabling IPS botnet signatures, applying the sensor to relevant policies, and monitoring logs. For example, a workstation infected with malware trying to communicate with a C&C server is blocked, and an alert is generated. FortiGuard updates signatures regularly, ensuring new botnets are detected. Combining IPS with SSL inspection and antivirus scanning provides comprehensive protection. Regular monitoring of IPS logs allows quick response to threats, reducing the risk of compromised devices participating in botnets or data exfiltration.
Question 94:
A FortiGate 7.6 administrator wants to enforce Multi-Factor Authentication (MFA) for external users accessing corporate applications while allowing seamless access from trusted devices. Which configuration is correct?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts
Answer: A) – Conditional Access → Require MFA for external access → Apply per user group
Explanation
FortiGate 7.6 integrates with identity providers like Azure AD to enforce Conditional Access policies. These policies can require MFA selectively based on network location, device state, or user group. This approach reduces risk while minimizing friction for users on trusted devices.
Option B (Security Defaults) enforces MFA globally and cannot selectively enforce location-based MFA. Option C (Pass-through Authentication) validates credentials but cannot enforce conditional MFA. Option D (Azure AD B2B) manages guest users but does not enforce conditional MFA for internal users.
Implementation involves creating a Conditional Access policy targeting relevant user groups, defining trusted locations, and requiring MFA for external connections. For example, a user signing in from home is prompted for MFA, while a corporate laptop at the office allows seamless access. Logging provides visibility for compliance auditing. This adaptive method strengthens authentication security in high-risk scenarios while maintaining productivity for trusted users.
Question 95:
You want FortiGate 7.6 to automatically update antivirus, IPS, and application control signatures for all devices without manual intervention. Which configuration is correct?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
FortiGuard Security Services provides automated updates for antivirus, IPS, and application control signatures. Enabling automatic updates ensures all FortiGate devices are protected against emerging threats without manual administration, maintaining consistent network security.
Option B (SSL Inspection) decrypts traffic but does not update threat signatures. Option C (Traffic Shaping) controls bandwidth but does not manage updates. Option D (Application Control → Manual updates) increases administrative overhead and risks outdated protection.
Implementation involves subscribing to FortiGuard services, enabling automatic updates for all security profiles, and monitoring logs to confirm successful updates. For example, new malware signatures and IPS rules are automatically pushed daily, ensuring timely protection. Regular review ensures updates are applied consistently across all devices. This configuration reduces administrative effort, strengthens security posture, and ensures continuous defense against evolving threats. Automated updates are critical for maintaining a secure and compliant network environment.
Question 96:
A FortiGate 7.6 administrator wants to allow SSL VPN users to access only specific internal servers based on group membership. Which configuration is correct?
A) SSL VPN → Configure user groups → Assign per portal and define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user
Answer: A) – SSL VPN → Configure user groups → Assign per portal and define restricted resources
Explanation
FortiGate 7.6 allows administrators to configure SSL VPN portals and restrict access to specific resources based on user group membership, ensuring least-privilege access. Users only access the servers or subnets defined in their portal, reducing risk exposure.
Option B (IPsec VPN) creates encrypted tunnels but does not enforce user-level access restrictions. Option C (Web Filtering) restricts web access but not VPN-based resource access. Option D (Traffic Shaping) manages bandwidth but cannot control access to servers.
Implementation involves creating user groups, assigning users to groups, configuring SSL VPN portals, and specifying accessible internal resources per group. Endpoint compliance checks can ensure devices meet security requirements. For example, finance users may access accounting servers while HR users access only HR servers. Logs provide detailed access information for auditing. Periodic reviews ensure group memberships and portal resources remain aligned with organizational needs. This configuration ensures secure and controlled remote access while minimizing potential attack surfaces.
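The periodic review described above can be modelled offline. This is an added example, not FortiGate configuration or code from the original page: the group names, subnets and session records are constructed, and the group-to-resource map is a hypothetical stand-in for what each portal permits.

```python
import ipaddress
from itertools import combinations

# Hypothetical group-to-resource map mirroring the finance/HR example (constructed subnets).
PORTAL_RESOURCES = {
    "finance": ["10.20.1.0/24"],                # accounting servers
    "hr": ["10.20.2.10/32", "10.20.2.11/32"],   # HR servers
    "helpdesk": ["10.20.0.0/16"],               # deliberately too broad
}

# Constructed session records: (user, groups, destination IP).
SESSIONS = [
    ("alice", ["finance"], "10.20.1.15"),
    ("bob", ["hr"], "10.20.1.15"),            # HR user reaching an accounting server
    ("carol", ["finance", "hr"], "10.20.2.11"),
    ("dave", [], "10.20.1.15"),               # user with no group
    ("erin", ["contractors"], "10.20.2.10"),  # group with no resources defined
]


def _nets(group, resources):
    return [ipaddress.ip_network(cidr) for cidr in resources.get(group, [])]


def is_permitted(groups, dst_ip, resources=PORTAL_RESOURCES):
    """Default deny: reachable only if one of the user's groups lists the destination."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for g in groups for net in _nets(g, resources))


def out_of_scope(sessions, resources=PORTAL_RESOURCES):
    """Sessions whose destination is outside every resource the user's groups allow."""
    return [(user, dst) for user, groups, dst in sessions
            if not is_permitted(groups, dst, resources)]


def overlapping_groups(resources=PORTAL_RESOURCES):
    """Pairs of groups whose resource definitions overlap, a sign of scope creep."""
    return [(a, b) for a, b in combinations(sorted(resources), 2)
            if any(x.overlaps(y) for x in _nets(a, resources) for y in _nets(b, resources))]


if __name__ == "__main__":
    print("out of scope:", out_of_scope(SESSIONS))
    print("overlapping definitions:", overlapping_groups())
```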
Question 97:
You want FortiGate 7.6 to detect and block malware in encrypted HTTPS traffic but bypass trusted SaaS applications like Office 365. Which configuration is correct?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Application Control → Block SaaS applications
D) Traffic Shaping → Limit HTTPS traffic
Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
Explanation
SSL Deep Inspection decrypts HTTPS traffic to allow antivirus scanning, IPS enforcement, and application control. However, some SaaS applications use certificate pinning and fail if deep inspection is applied. FortiGate 7.6 allows administrators to configure bypass rules for trusted SaaS apps, maintaining functionality while scanning all other traffic.
Option B (SSL Certificate Inspection) validates certificates but does not scan encrypted traffic for threats. Option C (Application Control → Block SaaS applications) would block traffic rather than selectively inspect it. Option D (Traffic Shaping) manages bandwidth but cannot scan traffic for malware.
Implementation involves creating an SSL/SSH inspection profile, enabling deep inspection for malware and IPS, and specifying exceptions for trusted SaaS applications. For example, Office 365 traffic bypasses deep inspection to prevent failures, while other encrypted traffic is inspected. Logging provides visibility into both inspected and bypassed traffic. Periodic reviews ensure new SaaS applications are added to bypass rules as necessary. This balances security and operational continuity, ensuring malware protection without disrupting business-critical SaaS applications.
Question 98:
A FortiGate 7.6 administrator wants to detect botnet command-and-control traffic originating from internal devices. Which configuration is correct?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Traffic Shaping → Apply per user group
C) SSL Inspection → Enable globally
D) Web Filtering → Block suspicious URLs
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
IPS (Intrusion Prevention System) in FortiGate detects malicious patterns, including botnet C&C traffic. Enabling botnet IPS signatures and applying them to firewall policies ensures that malware-infected devices attempting to communicate with external C&C servers are detected and blocked.
Option B (Traffic Shaping) controls bandwidth but does not detect malware. Option C (SSL Inspection) decrypts traffic but requires IPS or antivirus to detect threats. Option D (Web Filtering) blocks malicious URLs but cannot detect non-web botnet communications.
Implementation involves enabling botnet signatures, applying the IPS sensor to relevant policies, and monitoring alerts. For example, an infected workstation attempting to contact a known C&C server is blocked and logged. FortiGuard updates signatures regularly to detect new botnets. Combining IPS with SSL inspection and antivirus ensures comprehensive detection. Regular review of IPS logs enables rapid response to detected threats, reducing the risk of compromised devices participating in botnets or data exfiltration.
Question 99:
You want FortiGate 7.6 to automatically update antivirus, IPS, and application control signatures for all devices without manual intervention. Which configuration is correct?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
FortiGuard Security Services provides automated updates for IPS, antivirus, and application control signatures. Enabling automatic updates ensures all FortiGate devices are protected against new threats without manual intervention, maintaining consistent security across the network.
Option B (SSL Inspection) decrypts traffic but does not manage signature updates. Option C (Traffic Shaping) controls bandwidth but does not provide threat intelligence updates. Option D (Application Control → Manual updates) increases administrative workload and risks outdated protection.
Implementation involves subscribing to FortiGuard services, enabling automatic updates for all security profiles, and monitoring logs for successful updates. For example, new malware signatures and IPS rules are pushed automatically daily, ensuring timely protection. Regular review ensures all devices are updated consistently. Automated updates reduce administrative effort, maintain high security posture, and provide continuous defense against evolving threats, which is essential for maintaining compliance and minimizing exposure to vulnerabilities.
FortiGuard Security Services provides real-time threat intelligence, including antivirus, intrusion prevention, web filtering, and application control updates. Enabling automatic updates ensures that all security profiles receive the latest threat signatures, malware definitions, and protection rules without manual intervention. Applying these updates to all security profiles guarantees uniform protection across the network, reducing the risk of vulnerabilities due to outdated signatures and ensuring compliance with organizational security policies. Automatic updates also minimize administrative overhead and allow security teams to focus on strategic tasks rather than routine maintenance.
SSL Inspection, when applied globally, allows organizations to decrypt, inspect, and re-encrypt all encrypted traffic across the network. This ensures that threats hidden within SSL/TLS traffic, such as malware, ransomware, or policy violations, are detected before they reach endpoints. Global application of SSL inspection guarantees consistent monitoring for all users, devices, and network segments, preventing any encrypted traffic from bypassing security controls. This practice is critical in today’s environment, where a majority of internet traffic is encrypted, and it supports regulatory compliance by protecting sensitive data from unauthorized access or exfiltration.
Traffic Shaping, applied per security profile, allows organizations to prioritize, limit, or allocate bandwidth for specific types of traffic based on business needs. By tailoring traffic policies to individual security profiles, organizations can ensure that critical applications receive sufficient bandwidth while limiting non-essential or low-priority traffic. This improves network performance, reduces congestion, and enhances the user experience for business-critical applications. Applying traffic shaping per profile provides flexibility to manage different user groups or departments according to their unique operational requirements.
Application Control, updated manually, involves maintaining up-to-date signatures for identifying and managing applications on the network. While automatic updates provide convenience, manual updates allow administrators to review and approve changes before deployment, ensuring that critical business applications are not inadvertently blocked or restricted. Regular manual updates of application signatures help detect new or modified applications, control potentially risky software, and enforce organizational policies regarding acceptable use. This practice complements other security measures, contributing to a robust, multi-layered defense strategy.
Question 100:
A FortiGate 7.6 administrator wants to analyze bandwidth usage per application and user to optimize network performance. Which configuration is correct?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites
Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports
Explanation
FortiView provides real-time and historical analysis of network traffic, enabling administrators to see bandwidth usage per application, user, IP, and interface. This allows identification of top bandwidth consumers, performance bottlenecks, and informed decisions for traffic shaping or network optimization.
Option B (Application Control) manages application access but does not provide detailed usage metrics. Option C (SSL Inspection) decrypts traffic but does not generate reports on bandwidth usage. Option D (Web Filtering) blocks sites but cannot analyze traffic volume per user or application.
Applying SSL inspection globally involves decrypting, inspecting, and then re-encrypting all SSL/TLS traffic across the network. By doing this, organizations ensure that encrypted traffic cannot bypass security controls, allowing hidden threats, malware, or policy violations within HTTPS traffic to be detected. Applying SSL inspection across the entire network guarantees that no device, user, or segment is left unmonitored, providing consistent enforcement of security policies. It also helps meet regulatory compliance requirements by securing sensitive data and preventing unauthorized data exfiltration. Proper configuration and continuous monitoring ensure that the inspection process is effective without disrupting legitimate business operations.
Web filtering, specifically blocking non-business sites, restricts access to websites that do not serve organizational purposes, such as social media, streaming platforms, gaming sites, or other recreational content. This improves employee productivity while reducing exposure to malware, phishing attacks, and other security risks often present on untrusted websites. Web filtering also helps manage network bandwidth by preventing non-essential traffic from consuming resources and ensures adherence to organizational policies and industry regulations.
When used together, SSL inspection and web filtering create a layered security approach. SSL inspection ensures that encrypted traffic is visible for analysis and threat detection, while web filtering enforces content access policies. This combination protects organizational resources, strengthens cybersecurity, reduces non-productive activity, and safeguards sensitive data from both internal and external threats.
Effective implementation requires ongoing management, regular updates of SSL certificates, filtering rules, and threat signatures. By continuously monitoring traffic patterns and refining policies, organizations can maintain security, regulatory compliance, and optimal network performance while minimizing impact on legitimate business operations. Over time, this proactive approach allows businesses to adapt to evolving cyber threats and operational needs.
Implementation involves enabling logging on firewall policies, accessing FortiView dashboards, and generating application/user bandwidth reports. For example, streaming media may be identified as consuming high bandwidth during peak hours, allowing administrators to throttle non-critical traffic while prioritizing business-critical applications. FortiView also supports historical trend analysis for capacity planning. Periodic reviews ensure network efficiency, optimize resource allocation, and maintain QoS for critical applications, preventing network congestion while maximizing productivity.
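The per-application and per-user view that the explanation attributes to FortiView can be reproduced offline from exported traffic logs. This is an added example, not code from the original page or from Fortinet: the log lines are constructed, and it assumes the key=value traffic log fields `type`, `user`, `srcip`, `app`, `sentbyte` and `rcvdbyte`.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value traffic-log style (all values are made up).
SAMPLE_LOGS = '''\
date=2025-01-15 time=09:00:01 type="traffic" subtype="forward" srcip=10.0.1.10 user="alice" app="YouTube" appcat="Video/Audio" sentbyte=12000 rcvdbyte=4800000
date=2025-01-15 time=09:00:05 type="traffic" subtype="forward" srcip=10.0.1.11 user="bob" app="Microsoft.Office.365" appcat="Collaboration" sentbyte=300000 rcvdbyte=700000
date=2025-01-15 time=09:01:12 type="traffic" subtype="forward" srcip=10.0.1.10 user="alice" app="Microsoft.Office.365" appcat="Collaboration" sentbyte=50000 rcvdbyte=150000
date=2025-01-15 time=09:02:30 type="traffic" subtype="forward" srcip=10.0.1.12 app="YouTube" appcat="Video/Audio" sentbyte=8000 rcvdbyte=2192000
date=2025-01-15 time=09:03:00 type="event" subtype="system" msg="unrelated event"
'''

# key=value pairs where the value is either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def bandwidth_report(log_text):
    """Return byte totals per application, per user, and per (user, application)."""
    by_app, by_user, by_pair = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue  # event and other log types carry no byte counters
        try:
            total = int(rec.get("sentbyte", 0)) + int(rec.get("rcvdbyte", 0))
        except ValueError:
            continue  # malformed counters: skip rather than miscount
        # Unauthenticated sessions have no user field; fall back to the source IP.
        user = rec.get("user") or rec.get("srcip", "unknown")
        app = rec.get("app", "unknown")
        by_app[app] += total
        by_user[user] += total
        by_pair[(user, app)] += total
    return by_app, by_user, by_pair


if __name__ == "__main__":
    apps, users, _ = bandwidth_report(SAMPLE_LOGS)
    print("top applications:", apps.most_common(3))
    print("top users:", users.most_common(3))
```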