Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 10 Q181-200

Question 181

A FortiGate administrator wants to prevent internal hosts from sending sensitive data to unauthorized cloud storage services while allowing access to approved corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles examine network traffic to detect sensitive content such as intellectual property, personally identifiable information (PII), financial records, and confidential corporate data. By defining allowed and blocked cloud applications, administrators can enforce uploads only to approved corporate cloud services while preventing transfers to unauthorized platforms. SSL deep inspection decrypts encrypted HTTPS traffic to ensure content is visible for inspection, which would otherwise bypass DLP enforcement. Techniques such as file fingerprinting, keyword matching, and file type analysis enhance accuracy in detecting sensitive content. Logs provide visibility into blocked and allowed uploads, user activity, and enforcement actions, supporting auditing, regulatory compliance, and incident response. Policies can be applied per VLAN, department, or user group, allowing granular enforcement without affecting legitimate cloud usage. This configuration reduces the risk of insider threats, accidental leaks, and regulatory violations while maintaining operational continuity.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not inspect file content or enforce DLP policies. NAT alone cannot prevent sensitive information from leaving the network.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects packet lifespan but does not provide content inspection or policy enforcement. Adjusting TTL cannot prevent data exfiltration.

D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect content or block unauthorized cloud uploads. Static routes alone cannot enforce DLP policies.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing legitimate cloud uploads. Therefore, A is correct.

Question 182

A FortiGate administrator wants to restrict internal users from accessing social media websites during business hours while allowing unrestricted access after hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles categorize websites into types such as social media, entertainment, business, and education. By combining category-based filtering with schedule-based enforcement, administrators can block access to social media during business hours while allowing unrestricted access outside of business hours. SSL deep inspection ensures that encrypted HTTPS traffic is analyzed, preventing users from bypassing restrictions using secure connections. Logs provide visibility into blocked and allowed traffic, enforcement actions, and user activity, supporting auditing, productivity monitoring, and regulatory compliance. Policies can be applied per VLAN, department, or user group for granular enforcement without disrupting legitimate business operations. Category-based filtering reduces administrative effort compared to manually maintaining URL lists, ensuring consistent policy enforcement. This configuration maintains productivity during working hours while allowing flexibility outside business hours.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not provide web content filtering. NAT alone cannot block social media access.

C) This describes increasing TTL for HTTP sessions. TTL affects packet lifespan but does not enforce web access policies. Adjusting TTL cannot restrict access to social media.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not enforce content filtering or schedules. Static routes alone cannot control access to social media.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that enforces time-based restrictions on social media access. Therefore, A is correct.

Question 183

A FortiGate administrator wants to prevent malware and ransomware from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, limiting the propagation of malware. Inter-VLAN firewall policies inspect traffic moving between VLANs. Antivirus scanning detects malware, ransomware, and other malicious software in files, attachments, and executables. IPS monitors traffic for known attack signatures, anomalies, and exploit attempts, preventing threats from spreading across VLANs. Application control enforces restrictions on unauthorized applications, allowing only approved software to communicate between VLANs. SSL deep inspection ensures encrypted traffic is inspected, preventing bypass through HTTPS connections. Logs provide visibility into blocked traffic, enforcement actions, and inter-VLAN communications, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement. Layering antivirus, IPS, and application control ensures robust security without disrupting legitimate operations. This approach adheres to zero-trust principles and maintains operational continuity while preventing malware propagation.

B) This describes enabling NAT on VLAN interfaces. NAT translates IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects packet lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware propagation.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware spread.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that effectively prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 184

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to detect malicious domains, IP addresses, and URLs used by botnet infrastructure. DNS filtering prevents internal hosts from resolving these domains, while web filtering inspects HTTP and HTTPS traffic to block communication with C&C servers. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing security policies. Blocking C&C traffic stops malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates ensure protection against evolving threats. Combining DNS and web filter protections maintains security without impacting legitimate traffic, enforces zero-trust principles, and reduces the risk of internal hosts being compromised.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communications. NAT alone cannot prevent botnet activity.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communications.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious activity. Static routes alone cannot prevent botnet communications.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 185

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if uninspected, could allow malware, phishing attacks, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic, allowing antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures only approved applications are allowed over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to reduce disruption while maintaining security. SSL deep inspection ensures encrypted traffic cannot bypass corporate security policies, enforces organizational policies, and aligns with zero-trust principles for remote access. This configuration secures internal resources while enabling monitored and controlled remote access.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 186

A FortiGate administrator wants to prevent internal users from accessing unauthorized peer-to-peer (P2P) file-sharing applications while allowing legitimate business applications. Which configuration should be applied?

A) Apply application control profiles with rules blocking P2P applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to business servers

Answer: A

Explanation

A) This describes applying application control profiles with rules blocking peer-to-peer (P2P) applications. P2P applications are frequently used for unauthorized file sharing, which can introduce malware, consume excessive bandwidth, or violate company policies. Application control profiles allow the FortiGate firewall to inspect Layer 7 traffic, identify specific applications, and enforce granular policies. By blocking P2P applications, administrators prevent unauthorized usage while allowing legitimate business applications such as email, file servers, and collaboration tools to operate without disruption. SSL deep inspection ensures that encrypted P2P traffic is also inspected, preventing bypass attempts via HTTPS or other encrypted protocols. Logs provide detailed visibility into blocked connections, user attempts, and enforcement actions, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular control. Blocking P2P traffic reduces security risks, ensures bandwidth availability for business-critical applications, and enforces corporate compliance standards.

B) This describes enabling NAT on internal interfaces. NAT translates IP addresses for outbound traffic but does not inspect traffic or block P2P applications. NAT alone cannot enforce application restrictions.

C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but does not provide application control or content inspection. Adjusting TTL cannot block P2P applications.

D) This describes configuring static routes to business servers. Routing ensures connectivity but does not inspect traffic or enforce application policies. Static routes alone cannot prevent P2P usage.

Application control profiles with rules blocking P2P applications are the only configuration that effectively prevents unauthorized P2P usage while maintaining legitimate business traffic. Therefore, A is correct.

Question 187

A FortiGate administrator wants to enforce controlled access to social media websites based on user groups during business hours while allowing unrestricted access after hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking, schedules, and user group assignments
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking, schedules, and user group assignments. Web filter profiles categorize websites into types such as social media, entertainment, and business. By combining category-based filtering with schedule-based enforcement, administrators can restrict access during business hours while allowing free access after hours. Assigning policies to user groups enables granular enforcement based on department, role, or function. SSL deep inspection ensures encrypted HTTPS traffic is inspected, preventing users from bypassing restrictions via secure channels. Logs provide visibility into blocked and allowed traffic, enforcement actions, and user behavior, supporting auditing, compliance, and productivity monitoring. Policies applied per VLAN or department ensure that legitimate business access is not disrupted. Category-based filtering with schedules and user group enforcement maintains productivity while providing flexibility outside of business hours.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not provide content filtering or schedule-based enforcement. NAT alone cannot control social media access.

C) This describes increasing TTL for HTTP sessions. TTL affects packet lifespan but does not inspect content or enforce web access policies. Adjusting TTL cannot restrict access based on schedules or user groups.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not enforce web filtering policies or schedules. Static routes alone cannot manage access by user group or business hours.

Web filter profiles with category-based blocking, schedules, and user group assignments are the only configuration that effectively enforces controlled social media access during business hours. Therefore, A is correct.

Question 188

A FortiGate administrator wants to prevent malware from entering the network via web downloads while allowing legitimate traffic. Which configuration should be applied?

A) Apply antivirus scanning and file inspection profiles on web traffic policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP and HTTPS sessions
D) Configure static routes for web servers

Answer: A

Explanation

A) This describes applying antivirus scanning and file inspection profiles on web traffic policies. Web downloads are a common vector for malware, ransomware, and trojans. Antivirus scanning inspects downloaded files for known malware signatures, heuristic anomalies, and suspicious behaviors. File inspection ensures that dangerous file types or executable content is detected and blocked. SSL deep inspection allows encrypted HTTPS traffic to be inspected, preventing malware from bypassing detection. Logs provide detailed visibility into blocked downloads, enforcement actions, and user activity, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, user group, or department for granular enforcement without disrupting legitimate business operations. This configuration prevents malware propagation while allowing approved web traffic, reducing security risks, ensuring compliance, and protecting network resources. Layered inspection ensures comprehensive protection against malicious downloads without hindering productivity.

B) This describes enabling NAT on internal interfaces. NAT translates IP addresses but does not inspect downloaded files or block malware. NAT alone cannot secure web downloads.

C) This describes increasing TTL for HTTP and HTTPS sessions. TTL affects packet lifespan but does not provide antivirus or file inspection. Adjusting TTL cannot prevent malware downloads.

D) This describes configuring static routes for web servers. Routing ensures connectivity but does not inspect web traffic or enforce security policies. Static routes alone cannot prevent malware from web downloads.

Antivirus scanning and file inspection on web traffic policies are the only configuration that effectively prevents malware from entering the network via web downloads while allowing legitimate traffic. Therefore, A is correct.

Question 189

A FortiGate administrator wants to block internal hosts from communicating with malicious domains used for phishing attacks. Which configuration should be applied?

A) Enable DNS filtering with phishing domain blocking
B) Enable NAT on internal interfaces
C) Increase TTL for DNS queries
D) Configure static routes to trusted DNS servers

Answer: A

Explanation

A) This describes enabling DNS filtering with phishing domain blocking. Phishing attacks often rely on malicious domains to trick users into revealing credentials or downloading malware. DNS filtering inspects DNS queries from internal hosts and blocks requests to known phishing domains. FortiGuard threat intelligence continuously updates the database of malicious domains to provide real-time protection. SSL inspection is not typically required for DNS traffic, but combined with web filtering, encrypted URLs can also be analyzed. Logs provide visibility into blocked queries, user attempts, and enforcement actions, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement. By blocking access to phishing domains at the DNS level, administrators prevent users from reaching harmful sites, reducing the risk of credential theft, malware infection, and compliance violations. DNS filtering provides proactive protection without affecting legitimate DNS queries, maintaining normal network operations.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect DNS queries or block phishing domains. NAT alone cannot prevent phishing attacks.

C) This describes increasing TTL for DNS queries. TTL affects cache expiration but does not inspect queries or block malicious domains. Adjusting TTL cannot prevent phishing.

D) This describes configuring static routes to trusted DNS servers. Routing ensures DNS resolution but does not inspect queries for malicious domains. Static routes alone cannot block phishing attacks.

DNS filtering with phishing domain blocking is the only configuration that effectively prevents internal hosts from accessing malicious domains. Therefore, A is correct.

Question 190

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while inspecting all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows encrypted remote access to internal resources, which, if uninspected, could allow malware, phishing, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic to allow antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures that only approved applications can operate over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to minimize user disruption while maintaining security. SSL deep inspection ensures that encrypted traffic cannot bypass corporate policies, enforcing organizational standards and zero-trust principles. This configuration secures internal resources while enabling monitored and controlled remote access, providing comprehensive protection against threats delivered via encrypted channels.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects packet lifespan but does not inspect traffic or enforce policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 191

A FortiGate administrator wants to prevent internal users from bypassing security policies by using unauthorized remote desktop applications. Which configuration should be applied?

A) Apply application control profiles to block unauthorized remote desktop applications
B) Enable NAT on internal interfaces
C) Increase TTL for RDP sessions
D) Configure static routes to trusted RDP servers

Answer: A

Explanation

A) This describes applying application control profiles to block unauthorized remote desktop applications. Unauthorized remote desktop clients allow users to bypass corporate security policies, access sensitive resources without monitoring, and potentially exfiltrate data. Application control profiles inspect Layer 7 traffic to detect and enforce policies based on specific application signatures, traffic patterns, and behavior. SSL deep inspection ensures that encrypted remote desktop sessions, such as RDP over TLS, are analyzed to prevent bypass attempts. Logs provide visibility into blocked connections, user attempts, and enforcement actions, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group to allow authorized remote desktop traffic while blocking unauthorized clients. By enforcing application control, administrators maintain network security, protect sensitive resources, and ensure compliance with organizational policies. Blocking unauthorized remote desktop applications prevents shadow IT practices, insider threats, and unmonitored access that could lead to data leaks or malware introduction.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block specific applications. NAT alone cannot prevent unauthorized remote desktop usage.

C) This describes increasing TTL for RDP sessions. TTL affects packet lifespan but does not provide application inspection or policy enforcement. Adjusting TTL cannot block unauthorized remote desktop access.

D) This describes configuring static routes to trusted RDP servers. Routing ensures connectivity but does not inspect traffic or enforce application control policies. Static routes alone cannot prevent unauthorized usage.

Application control profiles to block unauthorized remote desktop applications are the only configuration that effectively enforces secure remote access and prevents policy bypass. Therefore, A is correct.

Question 192

A FortiGate administrator wants to prevent internal hosts from uploading confidential files to unauthorized cloud storage services while allowing approved corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles inspect network traffic for sensitive content such as intellectual property, financial records, and personally identifiable information (PII). By defining allowed and blocked cloud applications, administrators can enforce uploads only to approved corporate cloud platforms while preventing transfers to unauthorized services. SSL deep inspection decrypts HTTPS traffic, ensuring sensitive content is analyzed and not bypassed. Techniques like keyword matching, file type detection, and content fingerprinting enhance the accuracy of detection. Logs provide visibility into blocked and allowed uploads, user activity, and enforcement actions, supporting auditing, regulatory compliance, and incident response. Policies can be applied per VLAN, department, or user group, enabling granular enforcement without disrupting legitimate operations. This configuration reduces the risk of insider threats, accidental leaks, and regulatory violations while maintaining productivity and operational continuity.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not inspect content or enforce DLP policies. NAT alone cannot prevent sensitive data from leaving the network.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects packet lifespan but does not provide content inspection or policy enforcement. Adjusting TTL cannot prevent data exfiltration.

D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect content or block unauthorized cloud uploads. Static routes alone cannot enforce DLP policies.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing legitimate cloud uploads. Therefore, A is correct.

Question 193

A FortiGate administrator wants to enforce controlled access to video streaming applications based on business hours while ensuring critical business traffic remains prioritized. Which configuration should be applied?

A) Apply traffic shaping profiles with per-application limits and schedules
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP and HTTPS sessions
D) Configure static routes to video streaming servers

Answer: A

Explanation

A) This describes applying traffic shaping profiles with per-application limits and schedules. Traffic shaping allows administrators to define maximum bandwidth for specific applications, such as video streaming, while ensuring critical business applications maintain priority. By combining per-application shaping with schedule-based policies, bandwidth for video streaming can be limited during business hours and unrestricted outside of working hours. Application control identifies and classifies video streaming applications, while traffic shaping enforces limits based on policies. SSL deep inspection ensures that encrypted video traffic is analyzed, preventing users from bypassing restrictions. Logs provide detailed visibility into bandwidth usage, enforcement actions, and compliance with corporate policies. Policies can be applied per VLAN, department, or user group to maintain granular control. This configuration prevents network congestion, ensures predictable performance for critical business applications, and balances productivity with controlled media access.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not enforce bandwidth restrictions or per-application limits. NAT alone cannot manage video streaming usage.

C) This describes increasing TTL for HTTP and HTTPS sessions. TTL affects packet lifespan but does not provide application identification or bandwidth management. Adjusting TTL cannot control streaming traffic.

D) This describes configuring static routes to video streaming servers. Routing ensures connectivity but does not inspect traffic or enforce bandwidth limits. Static routes alone cannot manage per-application usage.

Traffic shaping profiles with per-application limits and schedules are the only configuration that effectively enforces controlled access to video streaming applications while prioritizing critical business traffic. Therefore, A is correct.

Question 194

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving these domains, while web filtering inspects HTTP and HTTPS traffic to block communication with C&C servers. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing security policies. Blocking C&C traffic prevents malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous updates from FortiGuard ensure protection against evolving threats. By combining DNS and web filter protections, administrators maintain network security without impacting legitimate traffic, enforce zero-trust principles, and reduce the risk of internal hosts being compromised.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communications. NAT alone cannot prevent botnet activity.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communications.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious activity. Static routes alone cannot prevent botnet communications.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 195

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if uninspected, could allow malware, phishing attacks, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic, allowing antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures that only approved applications can operate over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to minimize user disruption while maintaining security. SSL deep inspection ensures encrypted traffic cannot bypass corporate policies, enforcing organizational standards and zero-trust principles. This configuration secures internal resources while enabling monitored and controlled remote access, providing comprehensive protection against threats delivered via encrypted channels.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects packet lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 196

A FortiGate administrator wants to block internal users from accessing unauthorized instant messaging applications while allowing approved collaboration tools. Which configuration should be applied?

A) Apply application control profiles with rules blocking unauthorized instant messaging applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to collaboration servers

Answer: A

Explanation

A) This describes applying application control profiles with rules blocking unauthorized instant messaging (IM) applications. IM applications can be used to bypass corporate security policies, share sensitive information, and introduce malware or ransomware into the network. Application control profiles allow the FortiGate firewall to inspect Layer 7 traffic, identify specific IM applications, and enforce granular policies. SSL deep inspection ensures encrypted IM sessions are inspected, preventing users from bypassing policies using secure protocols. Logs provide detailed visibility into blocked connections, user attempts, and enforcement actions, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group to allow approved collaboration tools while blocking unauthorized applications. By enforcing application control, administrators maintain network security, protect sensitive resources, and reduce the risk of data exfiltration and malware introduction. Blocking unauthorized IM applications ensures compliance with corporate policies and regulatory requirements while allowing legitimate communication channels.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not inspect traffic or block specific applications. NAT alone cannot prevent unauthorized IM usage.

C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but does not provide application control or content inspection. Adjusting TTL cannot block unauthorized IM access.

D) This describes configuring static routes to collaboration servers. Routing ensures connectivity but does not inspect traffic or enforce application control policies. Static routes alone cannot prevent unauthorized usage.

Application control profiles with rules blocking unauthorized instant messaging applications are the only configuration that effectively enforces secure and compliant communication while allowing legitimate collaboration tools. Therefore, A is correct.

Question 197

A FortiGate administrator wants to prevent sensitive data from leaving the corporate network through unauthorized file sharing applications while allowing approved business tools. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to approved servers

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked application lists. DLP profiles inspect network traffic for sensitive information such as intellectual property, financial records, and personally identifiable information (PII). By defining allowed and blocked applications, administrators can prevent sensitive data from being uploaded to unauthorized file sharing services while permitting approved business tools. SSL deep inspection ensures encrypted traffic is decrypted and inspected for sensitive content, preventing bypass attempts. Techniques such as keyword matching, content fingerprinting, and file type detection enhance the accuracy of DLP enforcement. Logs provide visibility into blocked uploads, allowed transfers, and user activity, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group to enforce granular controls without disrupting legitimate operations. By enforcing DLP policies, administrators reduce the risk of insider threats, accidental data leaks, and regulatory violations while maintaining productivity and operational continuity.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or enforce DLP policies. NAT alone cannot prevent sensitive data from leaving the network.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not provide content inspection or policy enforcement. Adjusting TTL cannot prevent data exfiltration.

D) This describes configuring static routes to approved servers. Routing ensures connectivity but does not inspect traffic or block unauthorized file sharing. Static routes alone cannot enforce DLP policies.

Applying DLP profiles with allowed and blocked application lists is the only configuration that ensures sensitive data protection while allowing legitimate business tools. Therefore, A is correct.

Question 198

A FortiGate administrator wants to limit video streaming bandwidth during working hours while allowing unrestricted access after hours. Which configuration should be applied?

A) Apply traffic shaping profiles with per-application limits and schedules
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP and HTTPS sessions
D) Configure static routes to video streaming servers

Answer: A

Explanation

A) This describes applying traffic shaping profiles with per-application limits and schedules. Traffic shaping allows administrators to define maximum bandwidth for specific applications, such as video streaming, while prioritizing critical business applications. By combining per-application shaping with schedule-based policies, video streaming bandwidth can be limited during working hours and unrestricted outside of business hours. Application control identifies and classifies video streaming applications, while traffic shaping enforces bandwidth limits according to policies. SSL deep inspection ensures encrypted video traffic is analyzed, preventing users from bypassing restrictions. Logs provide detailed visibility into bandwidth usage, enforcement actions, and compliance with organizational policies. Policies can be applied per VLAN, department, or user group to maintain granular control. This configuration prevents network congestion, ensures predictable performance for business-critical applications, and balances productivity with controlled media access. By proactively managing bandwidth, administrators maintain network performance and reduce the risk of service degradation.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce bandwidth restrictions or per-application limits. NAT alone cannot manage video streaming usage.

C) This describes increasing TTL for HTTP and HTTPS sessions. TTL affects packet lifespan but does not provide application identification or bandwidth management. Adjusting TTL cannot control streaming traffic.

D) This describes configuring static routes to video streaming servers. Routing ensures connectivity but does not inspect traffic or enforce bandwidth limits. Static routes alone cannot manage per-application usage.

Traffic shaping profiles with per-application limits and schedules are the only configuration that effectively enforces controlled video streaming bandwidth during working hours. Therefore, A is correct.

Question 199

A FortiGate administrator wants to prevent internal hosts from communicating with malicious domains used for phishing attacks. Which configuration should be applied?

A) Enable DNS filtering with phishing domain blocking
B) Enable NAT on internal interfaces
C) Increase TTL for DNS queries
D) Configure static routes to trusted DNS servers

Answer: A

Explanation

A) This describes enabling DNS filtering with phishing domain blocking. Phishing attacks often rely on malicious domains to trick users into revealing credentials or downloading malware. DNS filtering inspects DNS queries from internal hosts and blocks requests to known phishing domains. FortiGuard threat intelligence continuously updates the database of malicious domains, ensuring real-time protection against evolving threats. Logs provide visibility into blocked queries, user attempts, and enforcement actions, supporting auditing, compliance, and security monitoring. Policies can be applied per VLAN, department, or user group for granular enforcement. By blocking access to phishing domains at the DNS level, administrators prevent users from reaching harmful sites, reducing the risk of credential theft, malware infection, and regulatory violations. DNS filtering provides proactive protection without impacting legitimate DNS queries, maintaining normal network operations and productivity.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect DNS queries or block phishing domains. NAT alone cannot prevent phishing attacks.

C) This describes increasing TTL for DNS queries. TTL affects cache expiration but does not inspect queries or block malicious domains. Adjusting TTL cannot prevent phishing.

D) This describes configuring static routes to trusted DNS servers. Routing ensures DNS resolution but does not inspect queries for malicious domains. Static routes alone cannot block phishing attacks.

DNS filtering with phishing domain blocking is the only configuration that effectively prevents internal hosts from accessing malicious domains. Therefore, A is correct.

Question 200

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows encrypted remote access to internal resources, which, if uninspected, could permit malware, phishing, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic, enabling antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures that only approved applications operate over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to minimize disruption while maintaining security. SSL deep inspection ensures encrypted traffic cannot bypass corporate policies, enforces organizational standards, and aligns with zero-trust principles. This configuration secures internal resources while enabling monitored and controlled remote access, providing comprehensive protection against threats delivered via encrypted channels.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
