Fortinet FCP_FGT_AD-7.6 FCP – FortiGate 7.6 Administrator Exam Dumps and Practice Test Questions Set 6 Q101-120
Question 101:
A FortiGate 7.6 administrator wants to allow only corporate-managed devices to access internal web applications while blocking unmanaged devices. Which solution should be implemented?
A) SSL VPN → Enable device certificate authentication → Apply per user group
B) Web Filtering → Block all external devices
C) Traffic Shaping → Apply per IP
D) Application Control → Block unknown devices
Answer: A) – SSL VPN → Enable device certificate authentication → Apply per user group
Explanation
Device certificate authentication ensures that only endpoints with trusted certificates can establish SSL VPN connections. In FortiGate 7.6, administrators can configure SSL VPN portals to require device certificates along with user credentials. Unmanaged or unauthorized devices lacking the certificate are blocked, enforcing endpoint compliance.
The correct answer is SSL VPN → Enable device certificate authentication → Apply per user group, because this method provides the strongest and most reliable way to ensure that only trusted and authorized devices can access the organization’s internal resources. When SSL VPN is configured with device certificate authentication, the system verifies not only the user’s identity but also the device’s identity before allowing network connectivity. This creates a dual-layer authentication structure where the device must possess a valid certificate issued by the organization’s certificate authority. If the certificate is absent, expired, revoked, or does not match the expected profile, the VPN connection is denied automatically, even if the user has valid login credentials. This prevents unauthorized personal devices, unmanaged laptops, stolen machines, and potentially compromised endpoints from gaining access. Because certificate authentication is cryptographic, it is extremely difficult to forge or bypass. Additionally, applying this configuration per user group allows administrators to enforce different certificate standards depending on role, sensitivity level, or department. For example, administrators and finance teams may be required to use stricter certificate validation and endpoint compliance checks, while general employees may have a more flexible configuration. This aligns with Zero Trust security principles because every access request is evaluated for both user identity and device trustworthiness. The combination of SSL VPN and certificate authentication is the only option among the provided choices that directly controls device-level access based on strong identity verification.
Option B, which states “Web Filtering → Block all external devices,” is incorrect because web filtering is not capable of blocking devices from network access. Web filtering functions only after a device has already connected to the network. It works by analyzing, categorizing, and controlling HTTP and HTTPS requests, preventing users from visiting malicious websites or accessing restricted categories of content. Since it operates at the application layer and deals only with web traffic, it cannot authenticate, verify, or restrict devices at the network access level. Even if an administrator attempted to configure strict filtering rules, web filtering would still not prevent an unauthorized device from establishing a VPN session or accessing internal systems. Therefore, it does not meet the requirement of validating devices before granting access.
Option C, “Traffic Shaping → Apply per IP,” is also incorrect because traffic shaping is a performance optimization mechanism rather than a security enforcement tool. Traffic shaping is designed to manage bandwidth usage, prioritize business-critical applications, limit peer-to-peer traffic, or ensure fair bandwidth allocation among users. While it can control the speed, priority, and quality of network traffic for certain IP addresses, it does not control the identity or legitimacy of the devices producing that traffic. Traffic shaping does not authenticate devices, validate certificates, or determine whether a device is authorized to join the network. Applying it on a per-IP basis cannot stop unauthorized devices from connecting; it can only affect how much bandwidth they use once connected. Thus, it has no relevance to device authentication.
Option D, “Application Control → Block unknown devices,” is incorrect because application control cannot block devices. It inspects network traffic to determine which applications are running, such as Dropbox, Skype, Tor, or unknown application signatures. It analyzes application-layer behavior—not device identity—and enforces rules based on allowed or blocked applications. Application control cannot detect whether a device is trusted, managed, or authorized. Since it operates at the application level and examines application signatures, not device identifiers, it cannot be used to prevent unknown devices from accessing the system.
In conclusion, only Option A provides true device-level authentication and the ability to restrict VPN access exclusively to trusted, certified, and authorized devices.
Implementation involves issuing certificates to corporate devices, configuring SSL VPN portals to enforce certificate checks, and associating them with user groups. For example, a corporate laptop with the correct certificate can access intranet apps, while personal laptops are denied. Logs record authentication attempts, allowing auditing. Regularly updating certificates and maintaining device inventories ensures continued security. This method provides strong access control, reduces the risk of data leaks from unmanaged devices, and supports compliance policies.
Question 102:
You want FortiGate 7.6 to prevent unauthorized applications from running on internal devices while allowing critical business apps. Which configuration is correct?
A) Application Control → Block unknown or risky applications → Allow whitelisted apps
B) Web Filtering → Block non-business sites
C) SSL Inspection → Apply globally
D) IPS Sensor → Enable vulnerability detection
Answer: A) – Application Control → Block unknown or risky applications → Allow whitelisted apps
Explanation
The correct answer is Application Control → Block unknown or risky applications → Allow whitelisted apps, because Application Control is the only feature in the list specifically designed to identify, detect, classify, and control applications running across a network. Application Control allows administrators to explicitly block risky, unknown, or unauthorized applications while simultaneously allowing approved business applications. In most modern security policies, organizations want to prevent the use of unapproved software such as file-sharing tools, remote-access utilities, anonymizers, or risky cloud applications that may expose sensitive data. With Application Control, security teams can create custom policies that whitelist only the applications that are required for business use, while automatically blocking everything else that does not match approved signatures. Application Control has deep visibility into thousands of application signatures, behavioral indicators, and traffic patterns. It can identify applications even when they use non-standard ports, encrypted traffic, or disguised communication methods. This is why it is the most appropriate solution when the objective is to block unknown or risky applications while permitting only a controlled list of trusted ones. Additionally, Application Control logs application usage, alerts administrators of suspicious behavior, and integrates with other security profiles to create layered protection. Because it directly enforces which applications are allowed on the network, it fulfills the requirement more effectively than any of the other options listed.
Option B, “Web Filtering → Block non-business sites,” is not the correct choice because Web Filtering does not identify or control applications—it only manages access to websites based on URL categories, domain reputation, or manually created allow/block lists. Although Web Filtering is excellent for preventing access to inappropriate, malicious, or non-business web pages, it cannot control actual applications running in the network. For example, if a user runs an unauthorized peer-to-peer application, a remote desktop tool, or a risky file-sharing client, Web Filtering will not detect it because these applications may operate independently of the web browser and may not rely on HTTP/HTTPS website visits. Web Filtering is a content-based control, not an application-based control. Therefore, it cannot meet the requirement of blocking unknown or risky applications. It may help reduce general internet misuse, but it cannot replace true application-layer enforcement.
Option C, “SSL Inspection → Apply globally,” is incorrect because SSL Inspection is a traffic-decryption mechanism, not an access-control solution. Its purpose is to decrypt encrypted traffic so that other security features—such as Application Control, IPS, or Web Filtering—can analyze the contents. SSL Inspection alone does not block applications, categorize them, or enforce specific allow/block rules. Applying SSL Inspection globally may increase visibility, but it does not inherently prevent unwanted applications. Without Application Control or other security profiles layered on top, SSL Inspection simply decrypts data without enforcing policy decisions. Additionally, applying SSL Inspection globally may cause operational issues, break services that rely on certificate pinning, or increase CPU load. Therefore, it does not directly satisfy the requirement of blocking unknown applications.
Option D, “IPS Sensor → Enable vulnerability detection,” is also not the correct answer because an Intrusion Prevention System focuses on detecting and blocking network-based threats, exploit attempts, and known vulnerabilities—not identifying applications. IPS analyzes packet signatures and behavioral patterns to prevent attacks like buffer overflows, SQL injection, and protocol exploits. While IPS is important for security, it does not differentiate between allowed and disallowed applications. It cannot enforce application whitelisting or block risky software unless the activity triggers a vulnerability signature. IPS is a threat-focused tool, not an application-management tool. Therefore, it cannot replace application control in this context.
Option A directly addresses the requirement of blocking unknown or risky applications while allowing approved ones by using a feature designed specifically for application-level visibility and control.
Implementation involves creating an application control profile, selecting risky categories, adding exceptions for approved apps, and applying the profile to firewall policies. For example, Outlook and Teams are allowed, but file-sharing apps are blocked. FortiView dashboards help monitor blocked applications and user behavior. Regular reviews ensure the whitelist reflects organizational requirements. This ensures secure network usage, reduces security risks, and enforces policy compliance.
Question 103:
A FortiGate 7.6 administrator wants to ensure that SSL VPN users can only download files from a specific internal file server while restricting access to all other servers. Which configuration is correct?
A) SSL VPN → Configure user groups → Define restricted resources per portal
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal servers
D) Traffic Shaping → Apply per SSL VPN user
Answer: A) – SSL VPN → Configure user groups → Define restricted resources per portal
Explanation
FortiGate SSL VPN portals allow granular resource control, limiting access to specific servers or subnets. By defining user groups and associating them with portals, administrators ensure users only access approved internal resources.
Option B (IPsec VPN) provides encrypted connectivity but lacks resource-specific restrictions. Option C (Web Filtering) blocks websites but cannot restrict VPN resource access. Option D (Traffic Shaping) only controls bandwidth.
Implementation involves creating a user group for file server access, defining the portal with the allowed server IP and ports, and assigning users to the group. Endpoint compliance checks can further restrict access. For example, finance team members can access the accounting server, but attempts to access HR or development servers are blocked. Logging provides detailed records for auditing and compliance. Periodic reviews ensure portal access aligns with current organizational roles. This method enforces the principle of least privilege and reduces security risks.
Question 104:
You want FortiGate 7.6 to automatically block malware in encrypted email attachments before reaching internal users. Which configuration is correct?
A) Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
B) IPS Sensor → Apply to email servers
C) Web Filtering → Block suspicious domains
D) Application Control → Block email clients
Answer: A) – Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
Explanation
FortiGate antivirus profiles can scan SMTP traffic for malware in attachments. By applying the profile to inbound email traffic, administrators prevent malicious files from reaching internal users.
The correct answer is Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies, because an Antivirus profile with SMTP scanning specifically targets and inspects email traffic for malware, viruses, Trojans, and malicious attachments before the email reaches the mail server or the end user. SMTP is the protocol used for sending and transferring email, and enabling SMTP inspection allows the security device to analyze the contents of inbound email streams. This includes scanning attachments, embedded scripts, compressed files, and MIME objects to detect harmful payloads. When the Antivirus profile is properly configured and applied to the inbound firewall policy handling email traffic, the system can quarantine suspicious attachments, block malicious content, and automatically remove infected files. This prevents malware outbreaks originating from phishing emails or compromised external senders. Antivirus scanning also integrates with FortiGuard updates, ensuring the signatures remain current and capable of detecting emerging threats. Because SMTP-based attacks are one of the most common vectors for malware propagation, using an Antivirus profile specifically designed to inspect SMTP is the most accurate and effective method among the options listed.
Option B, “IPS Sensor → Apply to email servers,” is not the best answer because although an IPS sensor is valuable for detecting exploit attempts, protocol attacks, and vulnerabilities targeting servers, it does not replace the need for content-level scanning of email traffic. IPS focuses on identifying malicious patterns at the network and protocol level, such as buffer overflows, SMTP command exploits, malformed packets, and server vulnerabilities. While an IPS sensor can protect the email server from targeted attacks or exploitation attempts, it does not inspect attachments or detect typical email-borne malware such as ransomware, infected PDFs, malicious Office documents, or compressed executables. IPS detects attacks on the SMTP service, not the contents of the email itself. Therefore, it provides additional protection but does not fulfill the requirement of scanning inbound emails for viruses and malicious attachments.
Option C, “Web Filtering → Block suspicious domains,” is also not the correct answer because Web Filtering only affects HTTP and HTTPS browsing activity. It controls which websites users can visit by categorizing domains and URLs, blocking malicious or untrusted websites, and preventing access to phishing sites. While blocking suspicious domains can reduce the likelihood of users navigating to malicious web pages and downloading malware, it does not inspect inbound email traffic. Web Filtering does not scan attachments, evaluate SMTP streams, or protect mailboxes from embedded malware. Even if suspicious domains are blocked, attackers often send infected files directly via email without requiring any web interaction. Therefore, Web Filtering cannot fulfill the requirement.
Option D, “Application Control → Block email clients,” is incorrect because it does not address scanning email content. Application Control identifies and controls applications such as Outlook, Thunderbird, or other email clients. Blocking all email clients would disable legitimate email usage entirely, which is not the objective. Application Control can block unwanted applications, but cannot inspect email attachments or detect viruses within email protocols. Blocking email clients is an overly restrictive measure that would disrupt normal business operations without solving the problem of inspecting inbound email traffic for malware.
Option A directly meets the requirement by enabling SMTP-level malware scanning and applying it to inbound email traffic, ensuring that harmful attachments and malicious messages are intercepted before reaching users or servers.
Implementation involves creating an antivirus profile with SMTP scanning enabled, applying it to inbound firewall policies, and enabling logging. For example, a Word document containing a macro virus is blocked, and an alert is generated. FortiGuard signature updates ensure new threats are detected. SSL inspection may be required for encrypted SMTP. Logs provide auditing and compliance records. This configuration mitigates email-borne malware risks and protects internal devices.
Question 105:
A FortiGate 7.6 administrator wants to reduce the impact of large file transfers on critical business applications. Which configuration is correct?
A) Traffic Shaping Policy → Limit bandwidth for non-critical applications → Guarantee bandwidth for critical apps
B) SD-WAN → Load balance traffic
C) SSL Inspection → Enable globally
D) IPS Sensor → Enable for large file transfers
Answer: A) – Traffic Shaping Policy → Limit bandwidth for non-critical applications → Guarantee bandwidth for critical apps
Explanation
Traffic Shaping allows administrators to prioritize bandwidth for critical applications while throttling less important traffic. By defining limits for non-critical applications, FortiGate ensures QoS for business-critical apps.
The correct answer is Traffic Shaping Policy → Limit bandwidth for non-critical applications → Guarantee bandwidth for critical apps, because Traffic Shaping is specifically designed to control how bandwidth is allocated across different applications, services, or user groups. When organizations need to ensure that mission-critical applications (such as VoIP, video conferencing, CRM, ERP, POS, or essential cloud services) receive sufficient bandwidth even during peak usage periods, traffic shaping is the appropriate tool. It allows administrators to categorize traffic based on application signatures, protocols, or IP addresses and then assign minimum guaranteed bandwidth, maximum limits, or priority levels. By limiting non-critical or recreational traffic (such as streaming, social media, or large file downloads), the organization ensures that essential business applications remain fast, responsive, and stable. Bandwidth management prevents congestion, enhances user experience, and ensures continuity of operations. Additionally, traffic shaping policies can be applied per interface, per policy, or per user group, offering precise control over how limited bandwidth is distributed. This option directly addresses both aspects of the requirement: controlling non-essential traffic and guaranteeing performance for critical applications.
Option B, “SD-WAN → Load balance traffic,” is not the most suitable answer because although SD-WAN can intelligently distribute traffic across available WAN links and improve overall network performance, it does not inherently limit bandwidth for non-critical applications nor guarantee dedicated bandwidth for critical ones. SD-WAN path selection chooses the best available link based on performance metrics such as latency, jitter, and packet loss. While it enhances reliability and may improve performance by selecting optimal paths, it does not directly enforce fine-grained bandwidth controls or application-specific shaping. SD-WAN focuses on routing optimization rather than direct traffic throttling or guaranteed minimum bandwidth allocation. Therefore, SD-WAN may complement traffic shaping but cannot fulfill the core requirement by itself.
Option C, “SSL Inspection → Enable globally,” is also not correct because SSL Inspection has nothing to do with bandwidth management or application prioritization. SSL Inspection decrypts encrypted traffic so that security profiles such as Web Filtering, IPS, or Application Control can inspect it. Enabling SSL Inspection globally increases visibility but also increases CPU usage and may impact performance. It does not allocate bandwidth, prioritize critical applications, or limit non-essential ones. In fact, enabling SSL inspection globally without careful configuration may even worsen network performance instead of improving it. Therefore, SSL Inspection does not provide a solution for managing or guaranteeing bandwidth.
Option D, “IPS Sensor → Enable for large file transfers,” is not the right choice because IPS is designed to detect and block intrusion attempts, exploits, or protocol violations. IPS Sensor rules target vulnerabilities, malware signatures, and attack patterns—not bandwidth-related issues. Enabling IPS for large file transfers may help detect malicious payloads hidden inside file traffic, but it does not limit or prioritize traffic based on application criticality. IPS cannot guarantee minimum bandwidth for critical apps and cannot throttle or deprioritize non-critical applications. As such, IPS plays an important security role but has no relevance to bandwidth shaping or performance guarantees.
Implementation involves creating shaping policies, selecting the applications to throttle, assigning guaranteed bandwidth to essential apps, and applying firewall policies. For example, email and ERP traffic are guaranteed, while cloud backup traffic is limited. FortiView dashboards monitor usage and ensure policy effectiveness. Regular reviews ensure the policy adapts to evolving business requirements. This ensures consistent performance for critical services while controlling network congestion.
Question 106:
A FortiGate 7.6 administrator wants to block access to streaming video and social media during working hours but allow access during lunch breaks. Which configuration is correct?
A) Web Filtering → Apply to firewall policies → Configure schedule-based rules
B) Application Control → Block unknown apps
C) SSL Deep Inspection → Enable globally
D) Traffic Shaping → Limit bandwidth only
Answer: A) – Web Filtering → Apply to firewall policies → Configure schedule-based rules
Explanation
Web Filtering allows category-based blocking, URL filtering, and can be combined with time-based schedules. By applying a Web Filtering profile to outbound firewall policies and defining a schedule (e.g., block 9 AM–5 PM, allow 12 PM–1 PM), administrators can restrict access to social media and streaming services during work hours while permitting access during breaks.
Option B (Application Control) controls application usage but cannot enforce time-based restrictions effectively. Option C (SSL Deep Inspection) decrypts traffic but does not enforce scheduled access. Option D (Traffic Shaping) only limits bandwidth, which may not fully block access.
Implementation involves creating a Web Filtering profile, adding categories “Social Media” and “Streaming Media” to block lists, applying the profile to policies, and setting a schedule. Logs provide insight into blocked attempts, and FortiView allows reporting on policy compliance and exceptions. Periodic review ensures the schedule matches organizational needs. This approach balances productivity, compliance, and employee satisfaction while controlling non-business network usage.
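The schedule in the explanation above overlaps (block 9 AM–5 PM, allow 12 PM–1 PM), so policy order decides the outcome. The following is an added example, not FortiGate code and not part of the original question set: a simplified Python model that assumes top-down, first-match evaluation in which a policy matches only while its schedule is active, and that all three policies cover the same source, destination and service. Policy IDs, schedule names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

WEEKDAYS = frozenset(range(5))   # Monday-Friday as datetime.weekday() values
ALL_DAYS = frozenset(range(7))


@dataclass(frozen=True)
class Schedule:
    name: str
    start: time
    end: time
    days: frozenset

    def active(self, when: datetime) -> bool:
        # Half-open window [start, end) on the listed days.
        return when.weekday() in self.days and self.start <= when.time() < self.end

    def covers(self, other: "Schedule") -> bool:
        # True when every instant of `other` also falls inside this schedule.
        return (other.days <= self.days
                and self.start <= other.start
                and other.end <= self.end)


@dataclass(frozen=True)
class Policy:
    policy_id: int
    schedule: Schedule
    blocked: frozenset   # web filter profile reduced to its blocked categories


# Constructed schedules matching the page's example windows.
LUNCH = Schedule("lunch", time(12, 0), time(13, 0), WEEKDAYS)
WORK = Schedule("work-hours", time(9, 0), time(17, 0), WEEKDAYS)
ALWAYS = Schedule("always", time.min, time.max, ALL_DAYS)

LEISURE = frozenset({"Social Media", "Streaming Media"})

P_LUNCH = Policy(1, LUNCH, frozenset())     # lunch: nothing blocked
P_WORK = Policy(2, WORK, LEISURE)           # work hours: leisure blocked
P_DEFAULT = Policy(3, ALWAYS, frozenset())  # outside work hours

GOOD_ORDER = [P_LUNCH, P_WORK, P_DEFAULT]   # narrow window first
BAD_ORDER = [P_WORK, P_LUNCH, P_DEFAULT]    # lunch policy can never match


def evaluate(policies, category, when):
    """Return (policy_id, verdict) from the first policy whose schedule is active."""
    for p in policies:
        if p.schedule.active(when):
            return p.policy_id, ("block" if category in p.blocked else "allow")
    return 0, "block"   # nothing matched: implicit deny


def shadowed(policies):
    """IDs of policies whose whole schedule is covered by an earlier policy."""
    hidden = []
    for i, p in enumerate(policies):
        if any(q.schedule.covers(p.schedule) for q in policies[:i]):
            hidden.append(p.policy_id)
    return hidden


if __name__ == "__main__":
    lunch_time = datetime(2025, 1, 7, 12, 30)   # a Tuesday
    print("good order:", evaluate(GOOD_ORDER, "Social Media", lunch_time))
    print("bad order: ", evaluate(BAD_ORDER, "Social Media", lunch_time))
    print("shadowed in bad order:", shadowed(BAD_ORDER))
```

With the work-hours policy placed first, the lunch policy is fully shadowed and the lunch-break exception silently never applies; `shadowed()` is the check that catches it during a policy review.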
Question 107:
A FortiGate 7.6 administrator wants to inspect SSL traffic for malware without breaking trusted SaaS applications like Office 365. Which configuration is correct?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Apply per application
D) IPS Sensor → Enable for SSL
Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
Explanation
SSL Deep Inspection decrypts HTTPS traffic to scan for malware and IPS threats and to enforce security policies. Some SaaS applications use certificate pinning, which fails under deep inspection. FortiGate 7.6 allows bypass rules for trusted SaaS, maintaining functionality while inspecting all other traffic.
Option B (SSL Certificate Inspection) validates certificates but does not scan encrypted traffic. Option C (Traffic Shaping) controls bandwidth, not malware scanning. Option D (IPS) can detect threats, but SSL traffic must be decrypted first.
Implementation involves creating an SSL/SSH inspection profile, enabling deep inspection for malware, IPS, and application control, and adding bypass rules for trusted SaaS applications. For example, Office 365 traffic bypasses inspection, while other HTTPS traffic is scanned. Logs provide visibility into both inspected and bypassed traffic. Periodic review ensures new SaaS apps are added as necessary. This balances protection and operational continuity, avoiding disruption of critical business applications.
Question 108:
You want FortiGate 7.6 to detect botnet command-and-control traffic originating from internal devices. Which configuration is correct?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Traffic Shaping → Apply per user group
C) SSL Inspection → Enable globally
D) Web Filtering → Block suspicious URLs
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
IPS (Intrusion Prevention System) in FortiGate detects malicious traffic, including botnet C&C communications. Enabling botnet IPS signatures ensures that infected devices attempting to contact external C&C servers are blocked.
Option B (Traffic Shaping) controls bandwidth but does not detect malware. Option C (SSL Inspection) decrypts traffic but needs IPS or antivirus for threat detection. Option D (Web Filtering) blocks URLs but cannot detect non-web-based botnet traffic.
Implementation involves enabling botnet signatures, applying the IPS sensor to firewall policies, and monitoring logs. For example, a compromised workstation contacting a known C&C server is blocked, and alerts are generated. FortiGuard signature updates ensure new botnets are detected. Combining IPS with SSL inspection and antivirus scanning provides comprehensive threat detection. Regular log review allows rapid response and reduces the risk of malware spreading or participating in botnets.
Question 109:
A FortiGate 7.6 administrator wants to enforce Multi-Factor Authentication (MFA) for external users accessing corporate applications while allowing seamless access from trusted internal devices. Which configuration is correct?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts
Answer: A) – Conditional Access → Require MFA for external access → Apply per user group
Explanation
FortiGate integrates with identity providers like Azure AD to enforce Conditional Access policies, requiring MFA based on network location, device compliance, or user group. This protects sensitive resources while minimizing friction for users on trusted internal devices.
Option B (Security Defaults) enforces MFA globally and cannot selectively apply location-based MFA. Option C (Pass-through Authentication) validates credentials but does not enforce conditional MFA. Option D (Azure AD B2B) manages guest accounts but does not control MFA for internal users.
Implementation involves creating a Conditional Access policy, targeting user groups, defining trusted networks, and requiring MFA for external connections. For example, a user signing in from home receives an MFA prompt, while a corporate laptop at the office is granted seamless access. Logs provide auditing and compliance data. This approach strengthens security for high-risk scenarios while maintaining productivity for internal users.
Question 110:
A FortiGate 7.6 administrator wants to automatically update antivirus, IPS, and application control signatures across all devices without manual intervention. Which configuration is correct?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
FortiGuard Security Services provides automated updates for antivirus, IPS, and application control signatures. Enabling automatic updates ensures all FortiGate devices are protected against emerging threats without manual administration, maintaining a consistent security posture.
Option B (SSL Inspection) decrypts traffic but does not manage signature updates. Option C (Traffic Shaping) controls bandwidth but does not update threat intelligence. Option D (Application Control → Manual updates) increases administrative effort and risks outdated protection.
Implementation involves subscribing to FortiGuard services, enabling automatic updates on all security profiles, and monitoring logs to ensure updates are applied successfully. For example, malware and IPS signatures are automatically pushed daily, reducing exposure to new threats. Regular monitoring ensures all devices remain updated. Automated updates reduce administrative overhead, maintain a high security posture, and provide continuous protection against evolving threats, ensuring compliance and minimizing vulnerabilities.
Question 111:
A FortiGate 7.6 administrator wants to inspect all SSL traffic for malware but avoid breaking Office 365 and Salesforce applications. Which configuration is correct?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Limit bandwidth for SSL traffic
D) IPS Sensor → Enable SSL scanning
Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
Explanation
SSL Deep Inspection decrypts HTTPS traffic to scan for malware and IPS threats and to enforce security policies. Some SaaS applications use certificate pinning, which can fail under deep inspection. FortiGate allows bypass rules for trusted SaaS, ensuring operational continuity.
Option B (SSL Certificate Inspection) validates certificates but does not scan traffic. Option C (Traffic Shaping) controls bandwidth, not malware detection. Option D (IPS) needs decrypted traffic to detect threats.
Implementation involves creating an SSL/SSH inspection profile, enabling deep inspection for malware and IPS, and specifying trusted SaaS bypass rules. For example, Office 365 traffic bypasses inspection, while all other traffic is scanned. Logs show both inspected and bypassed sessions. Regular reviews ensure newly adopted SaaS apps are added to bypass rules. This approach balances security and usability, preventing malware while maintaining business-critical application functionality.
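The bypass rules described in Questions 107 and 111 are only as safe as the hostname match behind them. The following is an added example, not FortiGate code and not part of the original question set: a Python sketch of the exemption decision, with a loose substring match shown beside a label-boundary match. The pattern list and hostnames are constructed samples, not a vendor-published exemption list, and the function names are hypothetical.

```python
from collections import Counter

# Constructed exemption list for illustration only.
EXEMPT_PATTERNS = ["*.office365.com", "*.salesforce.com"]


def normalize(host):
    # Hostnames compare case-insensitively; drop a trailing root dot.
    return host.strip().rstrip(".").lower()


def naive_is_exempt(host, patterns):
    """Loose match kept for contrast: any hostname containing the domain passes."""
    h = normalize(host)
    return any(p.lstrip("*.") in h for p in patterns)


def is_exempt(host, patterns):
    """Match only on a DNS label boundary at the right-hand end of the name."""
    h = normalize(host)
    for pat in patterns:
        pat = normalize(pat)
        if pat.startswith("*."):
            suffix = pat[1:]                      # e.g. ".office365.com"
            if h.endswith(suffix) and len(h) > len(suffix):
                return True
        elif h == pat:
            return True
    return False


def decide(sni, patterns=EXEMPT_PATTERNS):
    """Exempt only sessions whose SNI provably matches; inspect everything else."""
    if not sni:
        return "deep-inspect"   # no SNI: cannot show the destination is trusted
    return "exempt" if is_exempt(sni, patterns) else "deep-inspect"


# Constructed SNI values as they might appear in session logs.
SAMPLE_SNI = [
    "outlook.office365.com",
    "OUTLOOK.Office365.com.",
    "na1.salesforce.com",
    "office365.com.login.example",   # trusted name used as a prefix
    "notoffice365.com",              # trusted name without a label boundary
    None,                            # client sent no SNI
    "intranet.example",
]


def review(sessions):
    """Count decisions so bypassed and inspected volumes can be compared."""
    return Counter(decide(s) for s in sessions)


if __name__ == "__main__":
    for sni in SAMPLE_SNI:
        print(f"{str(sni):32} {decide(sni)}")
    print(dict(review(SAMPLE_SNI)))
```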
Question 112:
You want FortiGate 7.6 to prevent internal devices from participating in botnets. Which configuration is correct?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Web Filtering → Block all external URLs
C) Traffic Shaping → Limit bandwidth for unknown applications
D) Application Control → Block email clients
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
IPS (Intrusion Prevention System) detects malicious traffic patterns, including botnet C&C communications. Enabling botnet signatures ensures infected devices attempting to contact external servers are blocked, preventing botnet participation.
Option B (Web Filtering) blocks web URLs but cannot detect non-web botnet communications. Option C (Traffic Shaping) limits bandwidth but does not block malware. Option D (Application Control) manages apps but cannot detect botnet activity.
Implementation involves enabling botnet IPS signatures, applying the IPS sensor to relevant firewall policies, and monitoring logs for alerts. For example, a malware-infected workstation attempting to reach a C&C server is blocked. FortiGuard ensures signatures are updated for emerging botnets. Combining IPS with SSL inspection and antivirus provides comprehensive protection. Regular review of logs allows rapid response, reducing the risk of compromised devices contributing to attacks or data exfiltration.
Question 113:
A FortiGate 7.6 administrator wants to enforce MFA for external VPN users while allowing seamless access for internal corporate devices. Which configuration is correct?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts
Answer: A) – Conditional Access → Require MFA for external access → Apply per user group
Explanation
FortiGate integrates with identity providers like Azure AD to enforce Conditional Access policies. MFA can be required selectively based on network location or device compliance, reducing security risk while minimizing friction for trusted internal users.
Option B (Security Defaults) enforces MFA globally and cannot apply location-based conditions. Option C (Pass-through Authentication) validates credentials but cannot enforce conditional MFA. Option D (Azure AD B2B) manages guest accounts but does not enforce MFA for internal users.
Implementation involves defining user groups, creating Conditional Access policies targeting external access, and configuring MFA enforcement. For example, a user signing in from home is prompted for MFA, while a corporate laptop at the office accesses resources seamlessly. Logs provide auditing and compliance visibility. This configuration strengthens security where risk is higher while preserving productivity for trusted devices.
Question 114:
A FortiGate 7.6 administrator wants to automatically update all antivirus, IPS, and application control signatures across the network. Which configuration is correct?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
FortiGuard Security Services provides automated updates for antivirus, IPS, and application control signatures. Enabling automatic updates ensures all devices are protected without manual intervention, maintaining a consistent security posture across the network.
Option B (SSL Inspection) decrypts traffic but does not update signatures. Option C (Traffic Shaping) controls bandwidth, not security intelligence. Option D (Application Control → Manual updates) increases administrative effort and risks outdated protection.
Implementation involves subscribing to FortiGuard services, enabling automatic updates in all security profiles, and monitoring logs to confirm updates are applied. For example, daily malware and IPS updates are pushed automatically. Regular monitoring ensures all devices are current. Automated updates reduce administrative overhead, strengthen security, and ensure continuous protection against emerging threats, supporting compliance and minimizing vulnerabilities.
Question 115:
A FortiGate 7.6 administrator wants to analyze bandwidth usage by applications and users to optimize network performance. Which configuration is correct?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites
Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports
Explanation
FortiView provides detailed real-time and historical analysis of network traffic by application, user, IP, and interface. This allows identification of top bandwidth consumers, bottlenecks, and areas requiring optimization.
Option B (Application Control) blocks or allows applications but does not provide detailed bandwidth reporting. Option C (SSL Inspection) decrypts traffic but does not generate usage analytics. Option D (Web Filtering) restricts website access but does not measure usage by application or user.
Implementation involves enabling logging on firewall policies, accessing FortiView dashboards, and generating reports. For example, YouTube streaming may consume significant bandwidth during peak hours, prompting adjustments in traffic shaping policies. Historical data allows capacity planning and prioritization of critical applications. Regular review ensures network efficiency, optimal resource allocation, and QoS for business-critical traffic, preventing congestion while maximizing productivity.
Question 116:
A FortiGate 7.6 administrator wants to prevent unauthorized cloud storage uploads during business hours while allowing access during lunch breaks. Which configuration is correct?
A) Web Filtering → Apply to firewall policies → Configure schedule-based rules
B) Application Control → Block all cloud applications
C) Traffic Shaping → Limit upload bandwidth
D) SSL Deep Inspection → Enable globally
Answer: A) – Web Filtering → Apply to firewall policies → Configure schedule-based rules
Explanation
Web Filtering allows category-based restrictions, such as Cloud Storage, and can be combined with time-based schedules. Applying this profile to firewall policies and defining a schedule lets the administrator block cloud uploads during working hours and allow them at lunch. Logs provide visibility into blocked attempts, and periodic reviews ensure the policy aligns with business needs.
Application Control can block applications, but cannot enforce time-specific policies. Blocking all cloud apps indiscriminately could disrupt legitimate workflows. Traffic Shaping can throttle bandwidth but does not completely block unauthorized access, allowing large files to still be uploaded. SSL Deep Inspection decrypts traffic to inspect content, but does not enforce time-based blocking. This configuration ensures compliance, productivity, and controlled network usage without breaking essential business workflows.
Question 117:
A FortiGate 7.6 administrator wants to inspect encrypted SSL traffic for malware but avoid breaking Office 365 functionality. Which configuration is correct?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Limit HTTPS traffic
D) IPS Sensor → Enable SSL
Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
Explanation
SSL Deep Inspection decrypts HTTPS traffic to allow malware scanning and IPS enforcement. Certain SaaS applications like Office 365 use certificate pinning, which can fail under deep inspection. Bypass rules ensure these applications continue functioning while other encrypted traffic is inspected.
SSL Certificate Inspection validates certificates but does not scan for malware, so threats in encrypted traffic may go undetected. Traffic Shaping manages bandwidth but does not provide malware detection or threat prevention. IPS can detect threats but cannot inspect SSL traffic unless it is decrypted, making deep inspection necessary. Creating bypass rules for trusted SaaS protects functionality while ensuring network security.
Question 118:
You want FortiGate 7.6 to prevent internal devices from participating in botnets. Which configuration is correct?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Web Filtering → Block all external URLs
C) Traffic Shaping → Limit bandwidth for unknown applications
D) Application Control → Block email clients
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
IPS detects malicious traffic, including botnet C&C communications. Enabling these signatures on firewall policies blocks infected devices from communicating with external servers, preventing botnet participation. Logs provide alerts for proactive response.
Web Filtering can block known malicious URLs, but cannot detect non-web-based botnet traffic, leaving other infection channels open. Traffic Shaping limits bandwidth but does not block malware communication, so botnet attempts could succeed. Application Control can block specific apps, but cannot reliably prevent botnet traffic, which often uses standard protocols like HTTP/S or DNS. Combining IPS with SSL inspection ensures detection even for encrypted traffic, reducing the risk of compromised devices participating in botnets.
Question 119:
A FortiGate 7.6 administrator wants to enforce MFA for external users while allowing seamless access for trusted internal devices. Which configuration is correct?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts
Answer: A) – Conditional Access → Require MFA for external access → Apply per user group
Explanation
Conditional Access policies allow MFA enforcement based on location, device compliance, and user group membership. External users are required to perform MFA, while internal trusted devices experience seamless access, reducing risk without impacting productivity.
Security Defaults enforce MFA globally and cannot selectively bypass trusted internal devices. Pass-through Authentication validates credentials but cannot enforce conditional MFA. Azure AD B2B manages guest accounts but does not enforce MFA for internal employees. Implementation involves defining user groups, trusted network locations, and MFA rules for external access, ensuring security while maintaining workflow efficiency.
Question 120:
A FortiGate 7.6 administrator wants to analyze network traffic by application and user to optimize bandwidth. Which configuration is correct?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites
Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports
Explanation
FortiView provides real-time and historical traffic analysis by application, user, IP, and interface. Administrators can identify top bandwidth consumers, analyze trends, and plan traffic shaping or QoS policies to ensure critical applications receive priority.
Application Control can block or allow applications, but does not provide bandwidth or user-based analytics, making it insufficient for traffic optimization. SSL Inspection decrypts traffic but does not generate reports on bandwidth usage, so it cannot guide resource allocation decisions. Using FortiView dashboards allows analysis of peak usage, detection of heavy non-critical traffic, and informed adjustments for network optimization and capacity planning.
