Fortinet FCP_FGT_AD-7.6 FCP – FortiGate 7.6 Administrator Exam Dumps and Practice Test Questions Set 7 Q121-140
Question 121:
A FortiGate 7.6 administrator wants to allow SSL VPN access only to users on compliant, corporate-managed devices while blocking unmanaged devices. Which configuration should be used?
A) SSL VPN → Enable device certificate authentication → Apply per user group
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all external devices
D) Traffic Shaping → Limit SSL VPN bandwidth
Answer: A) – SSL VPN → Enable device certificate authentication → Apply per user group
Explanation
To secure SSL VPN access, it is essential to enforce endpoint compliance. FortiGate 7.6 provides device certificate authentication, ensuring that only devices with issued corporate certificates can establish SSL VPN connections. This ensures that unmanaged devices, personal laptops, or potentially compromised endpoints cannot access sensitive internal resources.
By configuring SSL VPN portals with device certificate checks and associating them with user groups, administrators create a granular access model. Only compliant devices with valid certificates can authenticate, adding a layer of security beyond username/password. This approach aligns with Zero Trust principles, ensuring that even if credentials are compromised, only managed endpoints are allowed access. Administrators can generate logs detailing successful and failed authentication attempts, providing an audit trail for compliance and incident investigation. For example, a finance employee’s corporate laptop can access the finance portal, while a personal laptop or tablet is denied. Endpoint compliance checks can be enhanced by verifying OS versions, antivirus status, and patch levels, ensuring the device meets organizational security standards.
IPsec VPN provides encrypted tunnels but does not enforce device-level compliance or certificate validation. While secure in transit, IPsec cannot distinguish between managed and unmanaged endpoints. Using IPsec alone leaves a potential attack vector if user credentials are stolen.
Web Filtering can restrict access to websites, but it cannot enforce device-level access for VPN connections. It is primarily used for content control and URL categorization, making it unsuitable for endpoint-based SSL VPN restrictions.
Traffic shaping limits bandwidth for VPN users, which can control network performance but does not enforce compliance or restrict access based on device trust. While shaping may optimize bandwidth allocation, it does not enhance security against unauthorized endpoints.
Implementation: The administrator must issue device certificates to all corporate-managed devices. SSL VPN portals are configured with certificate authentication enabled. User groups are associated with the relevant portals, ensuring proper access rights. Combined with firewall policies, endpoint compliance checks, and logging, this ensures only trusted devices access sensitive resources. Regular audits confirm that devices remain compliant, and expired or revoked certificates are promptly removed from the system.
In conclusion, enabling device certificate authentication on SSL VPN portals provides a robust mechanism to enforce endpoint compliance, prevent unauthorized access, and maintain a secure remote access environment while allowing granular control per user group.
Question 122:
A FortiGate 7.6 administrator wants to prevent malware in encrypted email attachments from reaching internal users. Which configuration should be used?
A) Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
B) IPS Sensor → Apply to email servers
C) Web Filtering → Block suspicious domains
D) Application Control → Block email clients
Answer: A) – Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies.
Explanation
Email remains one of the primary vectors for malware, including ransomware and malicious macros. FortiGate 7.6 provides antivirus scanning capabilities, which can inspect SMTP traffic and attachments for malicious content before delivery.
Enabling SMTP scanning in an antivirus profile ensures that all inbound email traffic passing through the FortiGate firewall is scanned for malware. This prevents infected attachments from reaching internal users, reducing the risk of endpoint compromise, data exfiltration, or lateral movement within the network. By applying the antivirus profile to inbound firewall policies, administrators can control which traffic is scanned while maintaining operational efficiency. Logs and alerts provide detailed visibility of blocked or quarantined messages, supporting compliance audits and incident response. FortiGuard antivirus updates provide continuously refreshed signatures to detect emerging threats, ensuring protection against newly discovered malware variants. The solution can also integrate with sandboxing or advanced threat protection for suspicious attachments, allowing proactive threat mitigation.
IPS sensors detect network exploits and suspicious traffic, but cannot inspect email attachments for embedded malware. While IPS may block malware propagation at the network level, it is insufficient for file-level scanning within emails.
Web Filtering can block known malicious domains, which can prevent users from accessing phishing or malware-hosting websites. However, it does not scan email attachments directly, leaving the network exposed to threats delivered via legitimate mail servers.
Application Control can block access to email clients, but it is impractical as it prevents legitimate email usage. It does not provide content-level inspection or malware detection.
Implementation: Administrators must create an antivirus profile with SMTP scanning enabled and apply it to all inbound firewall policies. FortiGuard subscription ensures up-to-date threat intelligence. Alerts should be configured to notify administrators of malware detections. Email quarantine and reporting can be enabled to review blocked messages. For example, a Word document containing malicious macros attached to an external email is automatically blocked, and the recipient is prevented from executing the file.
In conclusion, configuring an Antivirus profile with SMTP scanning ensures that malware in encrypted email attachments is detected and blocked at the network edge, protecting internal devices while supporting compliance and maintaining operational continuity.
Question 123:
A FortiGate 7.6 administrator wants to control application usage and block unauthorized or risky apps while allowing critical business applications. Which configuration should be used?
A) Application Control → Block unknown or risky applications → Allow whitelisted apps
B) Web Filtering → Block non-business sites
C) SSL Deep Inspection → Enable globally
D) IPS Sensor → Enable vulnerability detection
Answer: A) – Application Control → Block unknown or risky applications → Allow whitelisted apps
Explanation
Application Control in FortiGate 7.6 enables administrators to manage application traffic at a granular level. This ensures that business-critical applications function without interruption while reducing risks posed by unauthorized or potentially malicious apps.
Creating an application control profile to block unknown or risky applications while allowing whitelisted apps ensures least privilege application usage. Administrators can select categories such as peer-to-peer file sharing, gaming, or unapproved collaboration tools, while explicitly allowing enterprise apps like Outlook, Teams, and ERP systems. FortiView provides insight into attempted access to blocked apps, helping administrators refine policies and monitor compliance. Regular updates through FortiGuard ensure new applications or versions are properly categorized. For example, a finance application is whitelisted while an unapproved file-sharing tool is blocked, preventing potential data leaks and malware introduction.
Web Filtering restricts access to websites but does not block applications or enforce per-application security policies. While useful for content control, it cannot enforce granular application-level restrictions.
SSL Deep Inspection decrypts HTTPS traffic to enable scanning for malware or policy enforcement, but does not manage applications directly. It is a complementary security measure, but not sufficient for application control.
IPS sensors detect known vulnerabilities and network exploits, but cannot block the usage of specific applications. They mitigate exploit-based attacks rather than controlling legitimate application use.
Implementation: Administrators must create an application control profile, select risky application categories for blocking, whitelist approved business applications, and apply the profile to relevant firewall policies. Regular monitoring of FortiView dashboards helps identify new unauthorized app usage. Integration with SSL inspection ensures encrypted traffic is properly scanned. Periodic review ensures the whitelist remains aligned with organizational requirements.
In conclusion, Application Control with selective blocking and whitelisting provides both security and operational flexibility, preventing unauthorized applications while ensuring critical business apps remain accessible, supporting productivity and regulatory compliance.
Question 124:
A FortiGate 7.6 administrator wants to optimize network bandwidth by prioritizing critical business applications over non-essential traffic. Which configuration should be used?
A) Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps
B) SD-WAN → Load balance traffic
C) SSL Inspection → Enable globally
D) IPS Sensor → Enable for large file transfers
Answer: A) – Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps
Explanation
Traffic Shaping allows administrators to prioritize network traffic and ensure quality of service (QoS) for critical applications. By setting bandwidth limits for non-critical applications and guaranteeing resources for essential business apps, FortiGate ensures efficient network utilization and optimal performance.
Administrators can define shaping policies to throttle low-priority applications such as streaming media or non-business cloud backups while allocating guaranteed bandwidth for email, ERP, and VoIP systems. Policies are applied per firewall policy or per interface. FortiView reporting shows bandwidth consumption, allowing adjustment based on usage patterns. For example, during peak hours, ERP traffic receives priority, ensuring responsiveness, while non-critical uploads are throttled. Shaping can also include priority queues, burst control, and per-user enforcement.
SD-WAN balances traffic across multiple WAN links but does not provide per-application prioritization. It optimizes link utilization rather than enforcing QoS for specific apps.
SSL Inspection decrypts traffic for inspection but does not manage bandwidth allocation or prioritization. While essential for security, it does not optimize network performance.
IPS detects network attacks but cannot manage application bandwidth. Enabling IPS for large files may detect exploits, but it does not prioritize legitimate business traffic.
Implementation: Administrators must create traffic shaping policies, classify applications by priority, define bandwidth limits and guarantees, and apply the policies to firewall rules. FortiView monitoring ensures effectiveness and allows adjustments. Periodic reviews ensure that evolving business needs and new applications are accommodated. This ensures a predictable, high-performance network for mission-critical applications while controlling non-essential traffic.
Question 125:
A FortiGate 7.6 administrator wants to allow SSL VPN users to access specific internal servers based on group membership while preventing access to all other resources. Which configuration should be used?
A) SSL VPN → Configure user groups → Assign per portal → Define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user
Answer: A) – SSL VPN → Configure user groups → Assign per portal → Define restricted resources
Explanation
SSL VPN portals allow granular resource control. By creating user groups and associating them with portals, administrators define exactly which internal servers users can access. This follows the principle of least privilege, reducing risk exposure.
Administrators define user groups, configure portal access, and assign restricted resources such as IP addresses, ports, and specific applications. Users attempting to access unassigned resources are blocked. Logs track activity for auditing. For example, HR staff can access the HR server but are blocked from accounting or development servers. Endpoint compliance checks ensure only secure devices connect. Bypassing this control could allow lateral movement in case of compromised credentials.
IPsec VPN provides secure tunnels but cannot enforce user-specific resource restrictions within the network. While encrypted, it lacks granular portal access.
Web Filtering blocks web access, but cannot control access to internal servers over VPN. It is limited to HTTP/S traffic.
Traffic Shaping manages bandwidth but does not restrict access to specific internal resources. Users could still reach unauthorized servers.
Implementation: Configure SSL VPN portals, assign user groups, define restricted resources, and apply endpoint compliance checks. Logs and FortiView reporting provide visibility and auditing. Periodic review ensures that portal assignments match current organizational roles.
In conclusion, configuring SSL VPN portals with user groups and restricted resources ensures secure, role-based remote access while minimizing security risks and maintaining operational efficiency.
Question 126:
A FortiGate 7.6 administrator wants to enforce Multi-Factor Authentication (MFA) for all external VPN users while allowing seamless access for corporate-managed internal devices. Which configuration should be used?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts
Answer: A) – Conditional Access → Require MFA for external access → Apply per user group
Explanation
Securing VPN access is critical, especially for remote or external users. FortiGate 7.6 integrates with identity providers such as Azure AD to enforce Conditional Access policies, which can require MFA based on conditions like device compliance, user group, or network location. This ensures that high-risk connections are protected without introducing unnecessary friction for trusted internal users.
Conditional Access policies allow the administrator to target specific user groups, such as remote employees, contractors, or third-party vendors. MFA enforcement ensures that even if credentials are compromised, unauthorized access is blocked because an additional authentication factor is required. This reduces the risk of unauthorized access, data breaches, and account compromise. For example, a finance employee connecting from home would be prompted for MFA, while a corporate laptop in the office would allow seamless login. Detailed logging provides auditing and compliance reporting, capturing both successful and failed MFA attempts. Administrators can refine policies over time, combining Conditional Access with device compliance checks to ensure only trusted endpoints gain access.
Security Defaults enforce MFA globally but do not allow selective enforcement based on location, device, or user risk. This approach may introduce friction for internal users who are already operating in a secure environment.
Pass-through Authentication validates credentials against an identity provider but cannot enforce conditional MFA based on risk or location. It only ensures username/password validation without additional protection layers.
Azure AD B2B Collaboration manages guest accounts for partner or external users, but does not enforce conditional MFA for internal employees. It is intended for collaboration scenarios rather than adaptive authentication policies.
Implementation: Administrators should create Conditional Access policies targeting specific user groups and define network locations as trusted or untrusted. MFA requirements are applied to external connections while internal corporate network access is exempt. Regular monitoring of logs ensures that MFA is working as expected and allows identification of unusual login attempts. MFA methods can include OTP, mobile app notifications, or hardware tokens, depending on organizational security policy.
By implementing Conditional Access for MFA, FortiGate ensures that high-risk external logins are challenged, internal users experience minimal friction, and the organization maintains compliance with security standards such as ISO 27001 or NIST guidelines.
Question 127:
A FortiGate 7.6 administrator wants to inspect SSL traffic for malware without breaking Office 365 or Salesforce. Which configuration should be used?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Limit HTTPS traffic
D) IPS Sensor → Enable SSL
Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS.
Explanation
SSL traffic inspection is crucial for detecting threats hidden in encrypted connections. SSL Deep Inspection decrypts HTTPS traffic, allowing antivirus, IPS, and application control profiles to scan content. However, some SaaS applications like Office 365 or Salesforce use certificate pinning, which can fail under deep inspection. Bypass rules ensure these trusted SaaS apps continue to operate normally.
This configuration balances security and usability. SSL Deep Inspection protects the network against encrypted threats while bypass rules prevent disruption of critical business workflows. FortiGuard signatures provide up-to-date threat intelligence, ensuring protection against new malware variants. Detailed logging allows administrators to monitor decrypted traffic, detect anomalies, and investigate incidents. Policies can be applied selectively to internal or external traffic, user groups, or specific interfaces, allowing granular control.
SSL Certificate Inspection validates certificates to ensure they are legitimate, but does not scan for malware. Threats hidden in HTTPS traffic could bypass inspection.
Traffic Shaping only controls bandwidth allocation. While useful for optimizing performance, it does not provide malware detection or threat prevention.
IPS can detect known exploits but cannot inspect SSL traffic unless decrypted, so enabling IPS alone is insufficient for encrypted threats.
Implementation: Administrators create an SSL/SSH inspection profile, enable deep inspection, apply relevant security profiles, and configure bypass rules for trusted SaaS applications. FortiView dashboards and logs track decrypted sessions, blocked threats, and bypassed traffic. Regular review ensures newly adopted SaaS applications are included in bypass rules, maintaining operational continuity. This approach secures the network without negatively affecting business-critical services.
Question 128:
A FortiGate 7.6 administrator wants to prevent internal devices from participating in botnets. Which configuration should be used?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Web Filtering → Block all external URLs
C) Traffic Shaping → Limit bandwidth for unknown applications
D) Application Control → Block email clients
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
Botnet prevention is a critical network security measure. Botnets often communicate with external Command & Control (C&C) servers to receive instructions or exfiltrate data. Enabling IPS sensors with botnet signatures ensures that any attempt by compromised internal devices to contact known botnet servers is blocked at the firewall.
FortiGate maintains a continuously updated list of known botnet IPs and domains via FortiGuard services. IPS sensors monitor traffic and block these connections. Logs and alerts allow administrators to investigate potentially infected endpoints. Combining IPS with SSL Deep Inspection ensures detection even in encrypted traffic. For example, if a workstation tries to communicate with a botnet server, the IPS sensor blocks the session and generates an alert. Periodic review of logs allows proactive threat mitigation and compliance reporting.
Web Filtering can block known malicious URLs, but cannot detect botnet traffic that may use standard protocols like HTTP/S, DNS, or custom ports. Relying solely on Web Filtering leaves devices vulnerable to sophisticated botnets.
Traffic Shaping controls bandwidth but does not prevent malware communication or C&C activity. While shaping can manage performance, it does not mitigate security risks.
Application Control can block applications, but botnets often use standard network protocols and evade app-level detection. It cannot reliably prevent botnet activity.
Implementation: Enable IPS sensors with botnet C&C signatures, apply to relevant firewall policies, integrate with SSL inspection for encrypted traffic, and monitor logs for alerts. Administrators can combine endpoint compliance and antivirus scanning to further reduce risk. This ensures internal devices do not participate in botnets, reducing the risk of spam campaigns, DDoS involvement, or data exfiltration.
Question 129:
A FortiGate 7.6 administrator wants to automatically update all antivirus, IPS, and application control signatures across the network. Which configuration should be used?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
Keeping security signatures up-to-date is critical for protection against emerging threats. FortiGuard Security Services provides automatic signature updates for antivirus, IPS, and application control profiles.
Automatic updates ensure that all FortiGate devices receive new threat intelligence without manual intervention, maintaining consistent protection across the network. Administrators can configure update frequency, monitor update logs, and ensure policies are applied uniformly. For example, daily FortiGuard updates push the latest malware and IPS signatures automatically. Combining this with SSL inspection ensures encrypted traffic is also protected. Automatic updates reduce administrative workload and help maintain compliance with internal security policies or external regulatory requirements.
SSL Inspection decrypts traffic for scanning, but does not manage updates or signatures. It is complementary but insufficient for proactive protection.
Traffic Shaping optimizes bandwidth but does not update security signatures or threat intelligence.
Manually updating application control signatures is error-prone, time-consuming, and risks leaving devices unprotected during periods when new threats emerge.
Implementation: Administrators subscribe to FortiGuard Security Services, enable automatic updates, and apply them to all antivirus, IPS, and application control profiles. Logs and FortiView dashboards confirm successful updates and policy compliance. This approach ensures continuous protection, reduces administrative overhead, and strengthens the organization’s security posture against evolving threats.
Question 130:
A FortiGate 7.6 administrator wants to monitor bandwidth usage by application and user to optimize network performance. Which configuration should be used?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites
Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports
Explanation
Network visibility is essential for performance optimization. FortiView provides detailed real-time and historical analytics for applications, users, and IPs, enabling administrators to identify top bandwidth consumers, detect anomalies, and plan traffic shaping policies.
By analyzing FortiView reports, administrators can prioritize critical applications like ERP, VoIP, and email, while limiting bandwidth for non-essential traffic such as streaming or peer-to-peer applications. Historical reports allow for capacity planning, proactive traffic management, and QoS adjustments. Alerts can be configured for excessive bandwidth consumption or unusual patterns, aiding in proactive network management. For example, FortiView may reveal that file-sharing apps are consuming significant bandwidth during peak hours, prompting traffic shaping adjustments to ensure business-critical application performance. Integration with SSL inspection ensures encrypted traffic is analyzed.
Application Control blocks or allows applications, but does not provide detailed usage analytics. It cannot measure bandwidth consumption by application or user.
SSL Inspection decrypts traffic but does not generate analytics on bandwidth usage or help in prioritization.
Web Filtering restricts web content but does not provide per-user or per-application bandwidth reports.
Implementation: Enable logging on firewall policies, configure FortiView dashboards for application and user traffic, and generate historical reports. Use insights to create traffic shaping or prioritization policies. Continuous monitoring ensures optimal network performance, supports capacity planning, and maintains QoS for business-critical traffic.
Question 131:
A FortiGate 7.6 administrator wants to enforce secure access to internal web applications only from managed corporate devices. Which configuration should be used?
A) Web Application Firewall (WAF) → Enable device-based access → Apply per user group
B) Traffic Shaping → Limit access to internal servers
C) SSL Inspection → Enable globally
D) IPS Sensor → Apply to web servers
Answer: A) – Web Application Firewall (WAF) → Enable device-based access → Apply per user group
Explanation
Securing internal web applications requires controlling access based on device trust. FortiGate 7.6’s WAF can enforce access restrictions using device-based authentication, ensuring only managed, compliant devices can connect. This prevents unauthorized or personal devices from reaching sensitive applications, reducing the risk of data breaches and insider threats.
By enabling device-based access and associating users with groups, administrators can define granular policies. For example, finance personnel can access the finance portal, while HR staff cannot, unless explicitly permitted. Device certificates, compliance checks, and endpoint posture verification are used to enforce trust. Logs track all access attempts, including denied connections, aiding audits and compliance reporting. WAF policies can also inspect incoming requests for common web vulnerabilities such as SQL injection, cross-site scripting, or malicious payloads, ensuring both authentication and content security.
Traffic Shaping can control bandwidth to the web server, but does not enforce device-based access or authentication, leaving resources exposed to unauthorized devices.
SSL Inspection decrypts encrypted traffic for inspection but does not manage access control or enforce device compliance. While essential for threat detection, it does not restrict access based on device trust.
IPS Sensors protect against known exploits on web servers but do not enforce user or device-specific access. IPS mitigates attacks but cannot prevent unauthorized connections based on endpoint compliance.
Implementation: Administrators enable WAF device-based access, define user groups, issue device certificates, and configure firewall rules to restrict access to allowed devices. FortiView logs provide visibility into both allowed and denied requests, ensuring auditability. Policies are periodically reviewed to reflect changes in user roles or newly onboarded applications. Combining device-based WAF access with SSL inspection and IPS provides comprehensive protection against both unauthorized access and attacks targeting vulnerabilities.
In conclusion, enforcing secure access via WAF with device-based access control ensures internal web applications are accessible only to trusted devices, balancing security with operational efficiency.
Question 132:
A FortiGate 7.6 administrator wants to prevent malware in email attachments from reaching internal users. Which configuration should be used?
A) Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
B) IPS Sensor → Apply to email servers
C) Web Filtering → Block suspicious domains
D) Application Control → Block email clients
Answer: A) – Antivirus Profile → Enable SMTP scanning → Apply to inbound firewall policies
Explanation
Email is a primary vector for malware, including ransomware and malicious macros. FortiGate 7.6 provides antivirus capabilities that can inspect SMTP traffic and attachments before delivery to internal users.
Enabling SMTP scanning ensures all inbound email traffic is scanned for malware. Antivirus profiles, combined with FortiGuard signatures, detect and block infected attachments in real time. Logs and alerts provide visibility into blocked attempts, supporting incident response and compliance reporting. Advanced configurations can integrate sandboxing for suspicious files, allowing preemptive analysis of potentially malicious attachments. For example, a Word document containing a macro virus sent externally is scanned and blocked before reaching the user’s mailbox. Administrators can fine-tune the policy to balance security and operational efficiency, ensuring legitimate emails are delivered without delay.
IPS sensors detect network exploits but do not inspect email attachments. While useful for blocking malicious network behavior, IPS cannot prevent malware embedded in SMTP attachments from reaching users.
Web Filtering can block access to malicious domains, reducing risk of phishing and drive-by downloads, but does not scan email attachments directly.
Blocking email clients would prevent malware access, but would also disrupt normal business operations. It does not provide a practical solution for content-level inspection.
Implementation: Administrators create an antivirus profile with SMTP scanning enabled, apply it to all inbound policies, and ensure FortiGuard signatures are up to date. Logging and alerting mechanisms track detected threats. Periodic review of blocked attachments allows refinement of policies to reduce false positives while maintaining strong protection. By implementing this configuration, malware is stopped at the network edge, reducing the likelihood of compromise and ensuring compliance with corporate security policies.
Question 133:
A FortiGate 7.6 administrator wants to block unauthorized applications while allowing critical business apps to function normally. Which configuration should be used?
A) Application Control → Block unknown or risky applications → Allow whitelisted apps
B) Web Filtering → Block non-business websites
C) SSL Deep Inspection → Enable globally
D) IPS Sensor → Enable for traffic inspection
Answer: A) – Application Control → Block unknown or risky applications → Allow whitelisted apps
Explanation
Application Control enables administrators to manage application traffic granularly, ensuring business-critical apps function while preventing access to unauthorized or risky software.
Administrators can define risky application categories, such as peer-to-peer sharing, gaming, or unapproved collaboration tools, and explicitly whitelist critical applications like ERP, Teams, or email clients. FortiView dashboards allow monitoring of attempted access to blocked apps and detection of policy violations. FortiGuard updates ensure new applications are classified accurately. For example, blocking a file-sharing app while allowing Teams ensures business continuity without exposing the network to potential malware or data exfiltration. Logs track both blocked and allowed traffic, providing audit capability. Policies are reviewed periodically to account for new application versions or changing business requirements.
Web Filtering restricts website access but does not control application usage or enforce security policies at the application layer.
SSL Deep Inspection decrypts encrypted traffic for security scanning, but does not control application usage. It complements Application Control but cannot enforce access restrictions.
IPS sensors detect known exploits but do not block application usage. They mitigate attacks but do not control legitimate application access.
Implementation: Create an application control profile, select risky categories to block, whitelist approved applications, and apply the profile to relevant firewall policies. Combine with SSL inspection to analyze encrypted traffic. Regularly monitor FortiView for attempted usage of blocked apps and adjust policies as needed. This configuration ensures operational flexibility, network security, and compliance.
Question 134:
A FortiGate 7.6 administrator wants to prioritize critical business applications over non-essential traffic to optimize network performance. Which configuration should be used?
A) Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps
B) SD-WAN → Load balance traffic
C) SSL Inspection → Enable globally
D) IPS Sensor → Enable for large file transfers
Answer: A) – Traffic Shaping → Limit bandwidth for non-critical apps → Guarantee bandwidth for critical apps
Explanation
Traffic Shaping allows administrators to define QoS policies, prioritizing important applications while throttling non-essential traffic. This ensures business-critical applications remain performant even during peak usage periods.
Administrators classify applications by priority and define bandwidth limits and guarantees. Critical apps such as ERP, VoIP, and email receive guaranteed bandwidth, while streaming or non-business apps are limited. FortiView reporting allows monitoring of traffic utilization and the effectiveness of policies. Policies can include per-user enforcement, burst control, and priority queues. For example, during peak hours, VoIP traffic receives priority to maintain call quality, while video streaming is throttled to avoid congestion.
SD-WAN balances traffic across multiple WAN links but does not provide per-application prioritization. It ensures link utilization but not application-specific QoS.
SSL Inspection decrypts traffic but does not manage bandwidth or enforce prioritization. While important for security, it does not address performance optimization.
IPS sensors detect network attacks but cannot prioritize traffic or allocate bandwidth. Enabling IPS on large file transfers does not improve QoS for critical applications.
Implementation: Create shaping policies for critical and non-critical applications, apply per firewall policy or interface, monitor FortiView dashboards, and adjust as needed. Periodic review ensures policies reflect evolving business priorities. Combining traffic shaping with monitoring ensures predictable network performance, optimized bandwidth utilization, and better end-user experience for essential applications.
Question 135:
A FortiGate 7.6 administrator wants to restrict SSL VPN users to specific internal servers based on group membership, preventing access to all other resources. Which configuration should be used?
A) SSL VPN → Configure user groups → Assign per portal → Define restricted resources
B) IPsec VPN → Configure Phase 1 and Phase 2
C) Web Filtering → Block all internal sites
D) Traffic Shaping → Apply per SSL VPN user
Answer: A) – SSL VPN → Configure user groups → Assign per portal → Define restricted resources
Explanation
SSL VPN portals allow granular, role-based access control. By defining user groups and associating them with specific portals, administrators can control which internal servers are accessible while preventing lateral movement within the network.
Configure user groups, assign portal access, and define restricted resources (IP addresses, ports, applications). Users attempting to access resources outside their assigned scope are blocked. Logs and FortiView dashboards provide visibility into allowed and denied access, aiding auditing and compliance. Endpoint compliance checks ensure only trusted devices connect. For example, HR staff can access the HR server, but not finance or development servers. Policies follow the principle of least privilege.
IPsec VPN provides encrypted connectivity but cannot enforce per-user resource restrictions. While secure, IPsec does not allow granular access to internal servers.
Web Filtering restricts web access only and does not control access to internal servers via VPN. It is insufficient for server-level restrictions.
Traffic Shaping manages bandwidth but does not restrict access to resources. Users could still reach unauthorized servers if not controlled at the portal or firewall policy level.
Implementation: Configure SSL VPN portals, assign user groups, define restricted resources, and enforce endpoint compliance. Regular monitoring ensures policies reflect current organizational roles. Combining this with logging and FortiView dashboards ensures secure, auditable, role-based remote access.
Question 136:
A FortiGate 7.6 administrator wants to inspect encrypted web traffic for malware while preventing disruption to trusted SaaS applications. Which configuration should be used?
A) SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
B) SSL Certificate Inspection → Apply globally
C) Traffic Shaping → Limit HTTPS traffic
D) IPS Sensor → Enable SSL
Answer: A) – SSL Deep Inspection → Enable scanning → Configure bypass rules for trusted SaaS
Explanation
Encrypted HTTPS traffic often hides malware, making SSL inspection essential. SSL Deep Inspection decrypts traffic, allowing antivirus, IPS, and application control to scan for threats. However, some trusted SaaS applications like Office 365 or Salesforce use certificate pinning, which fails if traffic is intercepted incorrectly. Configuring bypass rules for these applications ensures functionality is preserved while other traffic is inspected for malware.
Deep inspection provides comprehensive protection. FortiGuard signatures keep malware detection up-to-date, and FortiView dashboards allow monitoring of both scanned and bypassed traffic. Policies can be applied selectively based on users, interfaces, or zones, allowing granular control.
SSL Certificate Inspection validates certificates but does not scan for malware within the traffic. Threats in encrypted streams may pass undetected.
Traffic Shaping manages bandwidth but does not provide security inspection, leaving encrypted malware unmitigated.
IPS sensors cannot detect threats in SSL traffic unless it is decrypted. While IPS is important, enabling it without SSL decryption leaves encrypted threats unchecked.
Implementation: Administrators create an SSL/SSH inspection profile, enable deep inspection for malware scanning, and configure bypass rules for trusted SaaS. Logging provides visibility into decrypted traffic, threats, and bypassed sessions. Regular policy review ensures newly adopted SaaS apps are included in bypass lists. This approach protects the network without impacting critical business applications.
Question 137:
A FortiGate 7.6 administrator wants to enforce Multi-Factor Authentication (MFA) for users accessing Microsoft 365 from outside the corporate network while allowing seamless access for internal devices. Which configuration should be used?
A) Conditional Access → Require MFA for external access → Apply per user group
B) Security Defaults → Enable globally
C) Pass-through Authentication → Apply to external users only
D) Azure AD B2B Collaboration → Manage guest accounts
Answer: A) – Conditional Access → Require MFA for external access → Apply per user group
Explanation
Conditional Access policies provide adaptive authentication based on user risk, location, and device compliance. Requiring MFA only for external users reduces security risk while minimizing friction for internal trusted devices.
Administrators define user groups, trusted locations, and MFA requirements. Logs capture authentication events for auditing. For example, an employee connecting from a home network is prompted for MFA, while the same employee on a corporate laptop in the office gains seamless access. This approach strengthens security without impacting productivity.
Security Defaults enforce MFA globally but cannot selectively apply location-based MFA, causing unnecessary friction for internal users.
Pass-through Authentication validates credentials but cannot enforce conditional MFA. It does not consider risk, location, or device compliance.
Azure AD B2B Collaboration manages guest accounts but does not enforce MFA for internal employees based on location.
Implementation: Administrators create Conditional Access policies targeting external sign-ins, enforce MFA, and monitor compliance. This ensures sensitive corporate resources are protected while internal users enjoy frictionless access.
Question 138:
A FortiGate 7.6 administrator wants to block internal devices from participating in botnets. Which configuration should be used?
A) IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
B) Web Filtering → Block all external URLs
C) Traffic Shaping → Limit bandwidth for unknown applications
D) Application Control → Block email clients
Answer: A) – IPS Sensor → Enable Botnet C&C Signatures → Apply to firewall policies
Explanation
Botnet infections often rely on communication with external Command & Control (C&C) servers. IPS sensors with botnet signatures block such connections, preventing compromised devices from participating in attacks or data exfiltration.
FortiGuard updates provide current C&C IPs and domains. Logs alert administrators of potential infections, enabling proactive response. SSL inspection ensures detection even in encrypted traffic.
Web Filtering can block known malicious URLs, but does not detect botnet traffic over standard protocols or ports.
Traffic Shaping manages bandwidth but does not block botnet communications.
Application Control blocks applications but cannot reliably prevent botnet activity using standard protocols like HTTP/S or DNS.
Implementation: Enable IPS sensors with botnet signatures, apply to relevant firewall policies, and combine with SSL inspection. Monitor logs for infected endpoints and remediate accordingly. This protects the network from botnet participation and reduces risk exposure.
Question 139:
A FortiGate 7.6 administrator wants to ensure all security signatures are updated automatically across antivirus, IPS, and application control profiles. Which configuration should be used?
A) FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
B) SSL Inspection → Apply globally
C) Traffic Shaping → Apply per security profile
D) Application Control → Update signatures manually
Answer: A) – FortiGuard Security Services → Enable automatic updates → Apply to all security profiles
Explanation
Automatic updates ensure that security profiles remain current against emerging threats. FortiGuard provides up-to-date signatures for antivirus, IPS, and application control.
Enabling automatic updates reduces administrative overhead and maintains consistent protection. Administrators can monitor update logs to ensure deployment across all devices. This proactive approach prevents gaps in network defense and ensures compliance with security standards. For example, newly discovered malware signatures are applied automatically, reducing the risk of compromise.
SSL Inspection decrypts traffic but does not manage signature updates.
Traffic Shaping manages bandwidth but does not affect security signatures.
Manual updates are error-prone and slow, risking exposure during critical periods.
Implementation: Enable FortiGuard automatic updates for all security profiles, configure logs and alerts, and monitor dashboard reports. This ensures continuous, up-to-date protection against malware, exploits, and unauthorized applications.
Question 140:
A FortiGate 7.6 administrator wants to monitor bandwidth usage per application and user to optimize network performance. Which configuration should be used?
A) FortiView → Traffic Log Analysis → Application and User Reports
B) Application Control → Block unknown applications
C) SSL Inspection → Apply globally
D) Web Filtering → Block non-business sites
Answer: A) – FortiView → Traffic Log Analysis → Application and User Reports
Explanation
Network monitoring provides insight into traffic patterns, allowing administrators to prioritize critical applications and optimize bandwidth allocation. FortiView provides real-time and historical analytics for applications, users, and IP addresses.
FortiView enables administrators to generate reports identifying top bandwidth consumers, detect anomalies, and plan traffic shaping policies. Historical reporting allows capacity planning, while real-time dashboards enable immediate response to network congestion. For example, identifying heavy file-sharing traffic during peak hours allows throttling non-essential traffic while maintaining performance for business-critical applications. Integration with SSL inspection ensures that encrypted traffic is analyzed.
Application Control blocks or allows apps, but does not provide analytics on bandwidth usage.
SSL Inspection decrypts traffic but does not report per-user or per-application bandwidth consumption.
Web Filtering restricts web content but does not provide detailed usage or bandwidth insights.
Implementation: Enable logging on firewall policies, configure FortiView dashboards, and generate historical reports. Use insights to define traffic shaping, QoS policies, and prioritization. Continuous monitoring ensures optimal network performance and resource allocation, supporting business-critical applications while controlling non-essential traffic.
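The per-user and per-application view described for Question 140 can also be reproduced offline from exported traffic logs. The following Python example is an addition to this page (not Fortinet code); it assumes key=value traffic log lines carrying the `type`, `user`, `srcip`, `app`, `sentbyte` and `rcvdbyte` fields, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value log style (not real logs).
SAMPLE_LOG = '''\
date=2025-01-15 time=09:00:01 type="traffic" subtype="forward" srcip=10.0.1.10 user="alice" app="Microsoft.Teams" sentbyte=120000 rcvdbyte=480000
date=2025-01-15 time=09:00:04 type="traffic" subtype="forward" srcip=10.0.1.22 user="bob" app="BitTorrent" sentbyte=900000 rcvdbyte=5100000
date=2025-01-15 time=09:00:09 type="traffic" subtype="forward" srcip=10.0.1.10 user="alice" app="YouTube" sentbyte=30000 rcvdbyte=2970000
date=2025-01-15 time=09:00:12 type="utm" subtype="app-ctrl" srcip=10.0.1.22 user="bob" app="BitTorrent" action="block"
date=2025-01-15 time=09:00:15 type="traffic" subtype="forward" srcip=10.0.1.31 app="DNS" sentbyte=400 rcvdbyte=600
date=2025-01-15 time=09:00:20 type="traffic" subtype="forward" srcip=10.0.1.22 user="bob smith" app="BitTorrent" sentbyte=oops rcvdbyte=1
'''

# A value is either a double-quoted string (may contain spaces) or a bare token.
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

def parse_line(line):
    """Split one key=value log line into a dict, unquoting quoted values."""
    rec = {}
    for key, val in PAIR.findall(line):
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        rec[key] = val[1:-1] if quoted else val
    return rec

def usage(log_text):
    """Return (bytes per user, bytes per app, skipped count) for traffic records."""
    by_user, by_app, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue  # count only traffic records; other log types are ignored
        try:
            total = int(rec["sentbyte"]) + int(rec["rcvdbyte"])
        except (KeyError, ValueError):
            skipped += 1  # truncated or corrupted byte counters
            continue
        # Sessions without a user field are attributed to the source IP.
        by_user[rec.get("user") or rec.get("srcip", "unknown")] += total
        by_app[rec.get("app", "unknown")] += total
    return by_user, by_app, skipped

def top(counter, n=3):
    """Top n consumers as (name, bytes, percent share of all counted bytes)."""
    grand = sum(counter.values()) or 1
    return [(k, v, round(100 * v / grand, 1)) for k, v in counter.most_common(n)]

if __name__ == "__main__":
    users, apps, skipped = usage(SAMPLE_LOG)
    print("top users:", top(users))
    print("top apps: ", top(apps))
    print("skipped records:", skipped)
```

Attributing unauthenticated sessions to the source IP keeps devices without a logged-in user visible in the ranking, and the skipped count shows how many records were excluded because their byte counters could not be read.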
