Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 2 Q21-40
Question 21
A FortiGate administrator wants to ensure that only authorized users can access internal resources through an SSL VPN, and access should be revoked automatically when a user leaves the company. Which configuration is necessary?
A) Integrate the firewall with LDAP or Active Directory for user authentication and group-based policy enforcement
B) Configure NAT on the SSL VPN interface
C) Increase the MTU of the SSL VPN interface
D) Enable static routing to internal resources
Answer: A
Explanation
A) This describes integrating the FortiGate firewall with an external user directory such as LDAP or Active Directory (AD) to authenticate users and enforce access based on group membership. When LDAP or AD integration is configured, the firewall can verify whether a user attempting to access the SSL VPN is a valid, authorized employee. Group-based policies allow the administrator to define which internal resources each user group can access. If a user leaves the company and their account is disabled or removed from LDAP/AD, their SSL VPN access is automatically revoked. This provides real-time enforcement of access policies and reduces administrative overhead associated with manual deactivation. Using directory integration ensures that access control is centralized, consistent, and auditable. It allows administrators to enforce least-privilege access by mapping groups to policies and ensures that unauthorized users cannot access critical internal resources. This approach aligns directly with compliance requirements, internal security policies, and best practices for secure remote access. Moreover, integrating with LDAP/AD allows leveraging existing organizational identity management processes, such as password expiration, multi-factor authentication, and account lifecycle management. This ensures that SSL VPN access is both secure and dynamically updated according to the company’s HR or identity policies. It provides the automation required to revoke access immediately when an employee leaves, thereby preventing potential insider threats and unauthorized access.
B) This describes configuring NAT on the SSL VPN interface. NAT modifies source IP addresses as traffic leaves or enters a network, but it does not authenticate users or enforce policy based on group membership. NAT does not prevent unauthorized users from accessing internal resources if they have valid credentials or if the firewall is not checking identity. Therefore, NAT alone cannot meet the requirement of controlled, revocable access.
C) This describes increasing the MTU on the SSL VPN interface. MTU adjustments affect packet size but do not influence user authentication or access control. While proper MTU settings can improve performance, they provide no mechanism for validating user credentials, enforcing group-based policies, or automatically revoking access when users leave the organization.
D) This describes enabling static routing to internal resources. Static routes define the path traffic takes but do not perform authentication, access control, or revocation. Routing cannot enforce user identity or ensure that former employees are denied access. Static routing simply directs packets and has no effect on policy enforcement or directory integration.
Integrating the firewall with LDAP or AD for authentication and group-based policy enforcement is the only method that satisfies the requirement for secure, authorized, and automatically revocable SSL VPN access. Therefore, the correct answer is A.
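The directory-backed SSL VPN setup that option A describes, written out as FortiOS CLI. This is an added example, not configuration from the original page: server addresses, distinguished names, object names and the bind account are constructed placeholders, and the keywords are FortiOS 7.x syntax as I recall it, so confirm them against your build.

```fortios
# Added example (not from the original page). Addresses, DNs and names are
# constructed placeholders; replace them with your own.

# 1. LDAP server object. Bind over LDAPS with a read-only service account so
#    user credentials never cross the wire in clear text.
config user ldap
    edit "AD-LDAPS"
        set server "10.0.0.10"
        set port 636
        set secure ldaps
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example"
        set type regular
        set username "cn=svc-fgt-bind,ou=Service,dc=corp,dc=example"
        set password <bind-password>
    next
end

# 2. Firewall user group mapped to one AD security group. Membership is
#    checked at login, so disabling the AD account, or removing it from this
#    group, revokes VPN access without any change on the firewall.
config user group
    edit "VPN-Users"
        set member "AD-LDAPS"
        config match
            edit 1
                set server-name "AD-LDAPS"
                set group-name "cn=VPN-Users,ou=Groups,dc=corp,dc=example"
            next
        end
    next
end

# 3. SSL VPN: only the mapped group is given a portal.
config vpn ssl settings
    set servercert "SSLVPN-Cert"
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "VPN-Users"
            set portal "tunnel-access"
        next
    end
end

# 4. Policy from the tunnel into the LAN, restricted to the group and to the
#    services it actually needs (least privilege), with every session logged.
config firewall policy
    edit 10
        set name "SSLVPN-to-Internal"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Internal-Servers"
        set groups "VPN-Users"
        set action accept
        set schedule "always"
        set service "HTTPS" "RDP"
        set logtraffic all
    next
end
```

The `set groups` line on the policy is what ties access to the directory: a user who authenticates but is no longer in the AD group matches no policy and is dropped. Before relying on it, test the bind and group lookup from the CLI with `diagnose test authserver ldap AD-LDAPS <user> <password>`, which reports whether the user authenticated and which groups came back; a disabled AD account fails this test, which is exactly the revocation the question asks for.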
Question 22
A FortiGate administrator wants to implement two-factor authentication for administrative access to the firewall. What configuration is required?
A) Enable two-factor authentication using FortiToken, RADIUS, or TOTP for administrative accounts
B) Enable NAT on the management interface
C) Increase the TTL for management sessions
D) Adjust static routes for administrative traffic
Answer: A
Explanation
A) This describes enabling two-factor authentication (2FA) using FortiToken, RADIUS, or TOTP for administrative accounts. Two-factor authentication requires administrators to provide both a password and a second factor, such as a one-time code or token, before they can access the firewall management interface. This significantly increases security by ensuring that stolen or guessed passwords alone cannot grant access. Using FortiToken, the firewall can generate time-based one-time passwords (TOTP) that rotate periodically. Integration with RADIUS or other authentication servers allows organizations to centralize authentication and leverage existing identity systems. This approach enforces strong administrative security policies, reduces the risk of credential compromise, and provides compliance with security standards that require multi-factor authentication for privileged accounts. Administrators are also protected against phishing and brute-force attacks since possession of the physical token or access to the authentication app is required. The configuration ensures that every administrative login is verified in real time, and policies can be applied consistently across all firewall management interfaces, including web, CLI, or API access.
B) This describes enabling NAT on the management interface. NAT modifies IP addresses for routing purposes but has no impact on authentication, access control, or two-factor verification. NAT cannot enforce 2FA and does not strengthen administrative security.
C) This describes increasing TTL for management sessions. TTL only determines how long sessions persist and does not enforce additional security layers such as two-factor authentication. Modifying session TTL does not prevent unauthorized access or credential misuse.
D) This describes adjusting static routes for administrative traffic. Static routes affect network path selection but do not perform authentication or enforce access control. Routing alone cannot implement two-factor authentication or protect administrative accounts.
Enabling two-factor authentication using FortiToken, RADIUS, or TOTP is the only configuration that fulfills the requirement for enhanced security for administrative access. Therefore, the correct answer is A.
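Administrator two-factor authentication as option A describes it, shown both with a locally assigned FortiToken and with a RADIUS server that enforces the second factor. This is an added example, not configuration from the original page: account names, subnets, the e-mail address, the token serial and the lockout values are constructed placeholders, and the keywords are FortiOS 7.x syntax as I recall it.

```fortios
# Added example (not from the original page). Names, subnets, addresses and
# the token serial are constructed placeholders.

# Slow down password guessing against the admin login (values are assumptions).
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
end

# Option 1: local administrator with FortiToken Mobile as the second factor.
config system admin
    edit "netadmin"
        set accprofile "super_admin"
        set trusthost1 10.0.100.0 255.255.255.0    # logins only from the management subnet
        set two-factor fortitoken
        set fortitoken "FTKMOB<serial-placeholder>"  # a token already registered on the unit
        set email-to "netadmin@example.com"          # receives the token activation code
        set password <strong-password>
    next
end

# Option 2: administrators authenticated by a RADIUS server that itself
# requires an OTP; a wildcard admin entry maps the RADIUS group to a profile.
config user radius
    edit "Corp-RADIUS"
        set server "10.0.0.20"
        set secret <shared-secret>
    next
end
config user group
    edit "Firewall-Admins"
        set member "Corp-RADIUS"
    next
end
config system admin
    edit "radius-admins"
        set remote-auth enable
        set remote-group "Firewall-Admins"
        set wildcard enable
        set accprofile "super_admin"
        set trusthost1 10.0.100.0 255.255.255.0
    next
end
```

Both variants apply to every management path (GUI, CLI over SSH, and the REST API when it authenticates with admin credentials), because the second factor is a property of the admin account rather than of one interface. The `trusthost` restriction is not a substitute for 2FA, but it removes the login page from everyone outside the management subnet, which is the cheapest way to shrink the attack surface before the second factor is even consulted.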
Question 23
A FortiGate administrator wants to block all known phishing websites while allowing access to business-related web portals. Which configuration is required?
A) Apply a web filter profile with phishing URL blocking and exception lists for business portals
B) Apply NAT to all web traffic
C) Enable SSL passthrough for all outbound web sessions
D) Increase TTL for HTTP sessions
Answer: A
Explanation
A) This describes using a web filter profile that blocks URLs identified as phishing while allowing exceptions for business-related portals. FortiGuard web filtering provides continuously updated threat intelligence that categorizes domains and flags phishing sites, malware, and other harmful content. By enabling phishing URL blocking, the firewall automatically denies access to dangerous sites attempting to steal credentials, spread malware, or conduct fraudulent activities. Exception lists allow the administrator to whitelist trusted business portals that may be incorrectly flagged or essential for operations. Web filter profiles can inspect both HTTP and HTTPS traffic, with SSL deep inspection enabled, ensuring that encrypted traffic is also evaluated for phishing content. This provides granular control, protects users, and balances security with business productivity. The firewall logs all denied attempts, enabling auditing and reporting, which is critical for compliance and incident response. Configuring web filtering in this way allows organizations to maintain secure internet usage while minimizing disruptions to legitimate business activities. This approach prevents users from visiting malicious sites while preserving operational continuity.
B) This describes applying NAT to all web traffic. NAT modifies IP addresses for routing purposes but does not inspect traffic content or block phishing URLs. NAT alone cannot distinguish phishing sites from legitimate websites and therefore cannot achieve the requirement.
C) This describes enabling SSL passthrough for all outbound web sessions. SSL passthrough forwards encrypted traffic without inspection, which prevents web filtering, malware scanning, and phishing protection from working. Using passthrough would block the firewall from evaluating URLs or content, defeating the requirement entirely.
D) This describes increasing TTL for HTTP sessions. TTL settings control session persistence but do not inspect URLs or block phishing content. Adjusting TTL has no effect on web filtering or security enforcement.
Applying a web filter profile with phishing URL blocking and business exceptions is the only configuration that satisfies the requirement to block phishing while allowing access to essential portals. Therefore, A is correct.
Question 24
A FortiGate administrator wants to prevent lateral movement of malware between internal VLANs. What configuration is required to inspect traffic and enforce security policies between these VLANs?
A) Create inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Configure static routes for the VLANs
C) Disable NAT on internal interfaces
D) Adjust TTL values for VLAN traffic
Answer: A
Explanation
A) This describes creating firewall policies between VLAN interfaces and applying security profiles such as antivirus, intrusion prevention (IPS), and application control. VLAN interfaces operate as separate logical networks, and traffic passing between them must traverse firewall policies to be inspected. By applying security profiles, the firewall can detect malware, block suspicious activity, and enforce application-level restrictions, preventing the spread of threats laterally between VLANs. Antivirus scanning inspects file-based malware, IPS monitors network-based attacks, and application control identifies and regulates application behavior. Together, these profiles provide a comprehensive security layer. Inter-VLAN policies allow administrators to segment internal networks while maintaining visibility and control over all flows. Without such policies, traffic between VLANs could bypass inspection, allowing malware or unauthorized applications to move freely within the internal network. The approach aligns with zero-trust principles, ensuring that even trusted internal segments are protected. It also enables logging, auditing, and reporting of internal traffic for compliance and incident response.
B) This describes configuring static routes between VLANs. Static routing only determines how traffic is forwarded; it does not apply security profiles or inspect content. Routes alone cannot prevent lateral movement of malware or enforce security policies.
C) This describes disabling NAT on internal interfaces. NAT affects address translation but does not perform inspection or enforce security policies between VLANs. Disabling NAT does not prevent malware propagation or enforce antivirus or IPS scanning.
D) This describes adjusting TTL values. TTL only affects how long packets live in the network and has no effect on inspection, malware detection, or inter-VLAN security enforcement. TTL adjustments do not prevent lateral movement of threats.
Inter-VLAN firewall policies with applied security profiles are the only configuration that ensures inspection and enforcement between VLANs. Therefore, A is correct.
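The inter-VLAN policy with security profiles that option A describes, as FortiOS CLI. This is an added example, not configuration from the original page: interface names, VLAN IDs, subnets and the address object are constructed; `default` and `certificate-inspection` are the FortiOS built-in profile names.

```fortios
# Added example (not from the original page). Interface names, VLAN IDs,
# subnets and address objects are constructed placeholders.

# 1. Two VLAN interfaces on the same physical port. Because each VLAN is its
#    own interface, traffic between them can only cross via a firewall policy.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set interface "port2"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "vlan20-servers"
        set vdom "root"
        set interface "port2"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

config firewall address
    edit "App-Servers"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# 2. One explicit policy users -> servers with AV, IPS and application control.
#    No policy exists for servers -> users, so that direction hits the implicit
#    deny; a compromised server cannot reach back into the user VLAN.
config firewall policy
    edit 20
        set name "Users-to-Servers-inspected"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "all"
        set dstaddr "App-Servers"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat disable
    next
end
```

Two details matter for lateral-movement containment. First, `set service` lists only what the user VLAN legitimately needs; `ALL` would let a worm use any port the servers happen to listen on. Second, NAT stays disabled so server-side logs and IPS events keep the real client address, which is what an incident responder needs to trace which host started a scan.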
Question 25
A FortiGate administrator wants to ensure that remote users can access only approved cloud applications while all other traffic is blocked. What configuration is necessary?
A) Apply application control policies with allow lists for approved cloud applications
B) Use NAT for all remote user traffic
C) Enable SSL passthrough for VPN sessions
D) Increase session TTL for remote users
Answer: A
Explanation
A) This describes using application control policies to allow only specific cloud applications while blocking all others. Application control identifies traffic based on application signatures, protocol analysis, and behavior, rather than ports. By creating an allow list of approved cloud applications, the firewall ensures that remote users can only reach services necessary for business purposes. All other application traffic, including unauthorized web applications, peer-to-peer, streaming, or potential threats, is blocked. This approach enforces least-privilege access, reduces risk exposure, and provides visibility into user activity. It also supports SSL inspection, ensuring that encrypted sessions are analyzed for application behavior. Logging and reporting of blocked or allowed applications enhances compliance and auditing. The configuration aligns with corporate security policies and cloud usage guidelines, preventing misuse of resources while enabling productive access to approved services.
B) This describes using NAT for remote user traffic. NAT modifies IP addresses but does not identify or control applications. NAT alone cannot enforce allow lists or block unapproved cloud services.
C) This describes enabling SSL passthrough. Passthrough would prevent inspection of encrypted traffic, making it impossible to enforce application-level controls for cloud services. Without inspection, unauthorized applications could bypass restrictions.
D) This describes increasing session TTL. TTL affects session persistence but does not influence which applications are allowed. Adjusting TTL does not enforce policy, control cloud access, or block unauthorized applications.
Application control policies with allow lists for approved cloud applications are the only configuration that enforces selective access while blocking all other traffic. Therefore, A is correct.
Question 26
A FortiGate administrator wants to prevent employees from uploading confidential documents to unauthorized cloud storage platforms while allowing access to approved corporate cloud services. Which configuration should be implemented?
A) Apply a DLP profile to outbound traffic with allowed and blocked application lists
B) Enable NAT on the internal interface
C) Increase TTL for outbound web sessions
D) Configure static routes to corporate cloud services
Answer: A
Explanation
A) This describes applying a Data Loss Prevention (DLP) profile to outbound traffic, combined with an allowed and blocked application list. DLP inspects traffic at the application and content level, looking for sensitive information such as documents containing financial, personal, or proprietary data. By defining which cloud services are approved, the firewall can enforce policies to allow uploads only to authorized platforms while blocking unauthorized services. This configuration provides granular control over both the type of content and the destination of uploads. DLP profiles can examine web traffic (HTTP/HTTPS), email, FTP, and other protocols to ensure sensitive documents are not transmitted to inappropriate destinations. When SSL inspection is enabled, encrypted traffic is decrypted temporarily to allow inspection, ensuring that data leakage cannot occur over secure channels. Logs and alerts are generated for blocked attempts, enabling administrators to track policy enforcement, investigate incidents, and provide compliance evidence. This method aligns with security policies, regulatory requirements, and corporate governance mandates by preventing unauthorized exfiltration of confidential data. Implementing DLP ensures that even users with legitimate internet access cannot inadvertently or intentionally transmit sensitive information to unapproved cloud platforms. The DLP engine can also apply content fingerprinting, keyword matching, and file type recognition, allowing highly accurate detection of sensitive documents and reducing false positives.
B) This describes enabling NAT on the internal interface. NAT modifies IP addresses for routing purposes but does not inspect the contents of traffic, control uploads, or enforce policies on cloud services. NAT alone cannot prevent confidential data from leaving the network.
C) This describes increasing TTL for outbound web sessions. TTL adjustments affect how long packets remain active but do not control content, applications, or destinations. Changing TTL provides no mechanism for data loss prevention or policy enforcement on uploads.
D) This describes configuring static routes to corporate cloud services. While static routes define the path traffic takes, they do not restrict content or block access to unauthorized cloud platforms. Routing alone cannot inspect, identify, or block sensitive document uploads.
Applying a DLP profile with allowed and blocked application lists is the only configuration that satisfies the requirement to prevent data exfiltration while allowing approved corporate cloud services. Therefore, the correct answer is A.
Question 27
A FortiGate administrator wants to inspect all encrypted web traffic to detect malware, phishing, and blocked applications for internal users. The administrator also wants to minimize SSL inspection errors for trusted websites. What configuration should be applied?
A) Enable full SSL inspection with exemptions for trusted domains using an SSL inspection profile
B) Disable SSL inspection completely
C) Enable NAT on the internal interface
D) Increase the TTL of HTTPS sessions
Answer: A
Explanation
A) This describes enabling full SSL inspection using an SSL inspection profile and adding exemptions for trusted domains. Full SSL inspection allows the firewall to decrypt encrypted traffic, inspect it for malware, phishing, and application usage, and then re-encrypt it before sending it to the destination. This ensures complete visibility and threat detection within HTTPS traffic, which constitutes the majority of web traffic today. Exemption rules for trusted domains reduce SSL errors for internal or widely used trusted services, such as business portals, SaaS applications, or banking websites. Without exemptions, deep inspection may cause certificate warnings, broken functionality, or user frustration. This configuration balances strong security inspection with operational usability. The firewall evaluates certificates, validates the chain of trust, and performs content inspection only on traffic not exempted. By applying the SSL inspection profile to the relevant firewall policies, administrators ensure comprehensive coverage across all user traffic. Full inspection is critical to detect hidden malware, phishing URLs, and unauthorized applications that use encrypted channels to bypass detection. Logging is generated for both allowed and blocked traffic, providing an audit trail for compliance and forensic analysis. This method ensures that encrypted traffic is fully monitored without degrading access to essential or trusted services.
B) This describes disabling SSL inspection completely. Disabling SSL inspection prevents the firewall from inspecting encrypted content, making it impossible to detect malware, phishing, or unauthorized applications within HTTPS traffic. This violates the requirement for full inspection and exposes the network to hidden threats. Without SSL inspection, encrypted channels remain opaque, and malicious content can pass undetected.
C) This describes enabling NAT on the internal interface. NAT modifies IP addresses for routing but has no impact on inspecting or decrypting SSL traffic. NAT cannot detect malware, block phishing, or enforce application policies.
D) This describes increasing the TTL for HTTPS sessions. Adjusting TTL affects how long sessions persist but does not enable inspection or improve SSL visibility. TTL changes do not contribute to malware detection, phishing protection, or application control.
Full SSL inspection with exemptions for trusted domains is the only configuration that ensures comprehensive security monitoring while maintaining access to trusted sites. Therefore, A is correct.
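An SSL inspection profile with trusted-domain exemptions as option A describes, written out as FortiOS CLI. This is an added example, not configuration from the original page: the profile name and wildcard FQDN are constructed, and FortiGuard category 31 (Finance and Banking) is the ID as I recall it, so verify it against the category list on your unit.

```fortios
# Added example (not from the original page). Object names and the wildcard
# FQDN are constructed; category 31 is assumed to be Finance and Banking.

# Wildcard FQDN object for a corporate SaaS tenant whose client pins its
# certificate and therefore breaks under re-signing.
config firewall wildcard-fqdn custom
    edit "corp-saas"
        set wildcard-fqdn "*.saas.example.com"
    next
end

config firewall ssl-ssh-profile
    edit "deep-inspection-corp"
        set comment "Full inspection; banking and pinned corporate SaaS exempted"
        config https
            set ports 443
            set status deep-inspection
        end
        # Server certificates are re-signed with the FortiGate CA. Fortinet_CA_SSL
        # must be in every client's trust store, or every site will warn.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        # Exempted flows drop to certificate-level inspection only: the SNI and
        # server certificate are still seen, so category filtering still applies.
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type wildcard-fqdn
                set wildcard-fqdn "corp-saas"
            next
        end
    next
end

# Bind the profile on the outbound web policy together with the profiles that
# need the decrypted payload.
config firewall policy
    edit 30
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-corp"
        set webfilter-profile "default"
        set av-profile "default"
        set application-list "default"
    next
end
```

Keep the exemption list short and reviewed: every entry is traffic the antivirus and DLP engines will never see, so an exemption should be justified by a concrete breakage (pinning, client certificates, a regulatory reason for banking sites) rather than added to silence a user complaint. The untrusted CA is used to re-sign sites whose original certificate failed validation, which preserves the browser warning the user would otherwise have seen.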
Question 28
A FortiGate administrator wants to enforce web access policies that block social media websites during business hours while allowing access after hours. Which configuration achieves this requirement?
A) Configure a web filter profile with schedule-based rules for social media categories
B) Enable NAT for all outbound web traffic
C) Increase session TTL for HTTP traffic
D) Configure static routes to social media websites
Answer: A
Explanation
A) This describes using a web filter profile combined with schedule-based rules to control access to social media websites. Web filtering identifies website categories, such as social media, and allows the firewall to block or permit access based on the defined schedule. By associating the schedule with the web filter, administrators can enforce policy to block social media during business hours while allowing access during breaks or after hours. The firewall evaluates each request against the category, applying the rule to users or groups as configured. SSL inspection ensures that encrypted HTTPS traffic is analyzed and filtered appropriately. Logs are generated for blocked attempts, providing visibility and auditing capabilities. This configuration enables controlled productivity while maintaining security oversight. Schedule-based web filtering ensures that users cannot bypass restrictions during prohibited times and reduces distractions during critical work periods. By combining categorization, scheduling, and logging, the administrator achieves precise control over web access patterns.
B) This describes enabling NAT for all outbound web traffic. NAT modifies IP addresses but cannot enforce web filtering policies, block categories, or implement schedule-based rules. NAT alone cannot meet the requirement.
C) This describes increasing session TTL for HTTP traffic. TTL changes only affect session duration and do not influence web filtering, category blocking, or scheduled access. Adjusting TTL cannot enforce access policies based on time.
D) This describes configuring static routes to social media websites. Static routing determines packet paths but cannot block access or enforce time-based policies. Routes cannot categorize or restrict websites.
Web filter profiles with schedule-based rules for social media categories are the only configuration that fulfills the requirement. Therefore, A is correct.
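One web filter configuration that covers both Question 23 (phishing categories blocked, business portals exempted) and Question 28 (social media blocked only during business hours), as FortiOS CLI. This is an added example, not configuration from the original page: profile names, the portal hostname and the schedule window are constructed, and the FortiGuard category IDs (61 Phishing, 37 Social Networking) are as I recall them, so confirm them on your unit before relying on them.

```fortios
# Added example (not from the original page). Names, hostname and schedule are
# constructed; category IDs 61 (Phishing) and 37 (Social Networking) assumed.

# 1. Static URL exemptions for business portals FortiGuard may misrate.
#    "allow" skips the category lookup but keeps AV and IPS on the flow;
#    "exempt" would bypass all later inspection, so it is deliberately avoided.
config webfilter urlfilter
    edit 1
        set name "Business-Portal-Exemptions"
        config entries
            edit 1
                set url "portal.example.com"
                set type simple
                set action allow
            next
        end
    next
end

# 2. Business-hours profile: phishing blocked, social networking blocked,
#    every URL logged for audit.
config webfilter profile
    edit "Corp-Web-Business"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 61
                    set action block
                next
                edit 2
                    set category 37
                    set action block
                next
            end
        end
        set log-all-url enable
    next
    # 3. After-hours profile: a clone where social networking is only logged.
    clone "Corp-Web-Business" to "Corp-Web-AfterHours"
    edit "Corp-Web-AfterHours"
        config ftgd-wf
            config filters
                edit 2
                    set action monitor
                next
            end
        end
    next
end

# 4. The business-hours window.
config firewall schedule recurring
    edit "Business-Hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# 5. Policy 30 matches only while its schedule is active; outside that window
#    traffic falls through to policy 31. Policy 30 must be above 31 in the
#    sequence, which "move" guarantees.
config firewall policy
    edit 30
        set name "LAN-to-Internet-BusinessHours"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "Business-Hours"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "Corp-Web-Business"
        set logtraffic all
        set nat enable
    next
    edit 31
        set name "LAN-to-Internet-AfterHours"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "Corp-Web-AfterHours"
        set logtraffic all
        set nat enable
    next
    move 30 before 31
end
```

The schedule lives on the policy, not on the profile: FortiOS evaluates policies top-down and a policy whose schedule is inactive simply does not match, which is why two policies with two profiles are needed rather than one profile with a time condition. The phishing block in step 2 is in both profiles, so after-hours relaxation never weakens the security categories, only the productivity one.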
Question 29
A FortiGate administrator wants to ensure that all outbound email traffic is scanned for malware, spam, and confidential content to comply with company security policies. Which configuration should be implemented?
A) Apply antivirus, spam filter, and DLP profiles to outbound SMTP policies
B) Enable NAT for outbound email traffic
C) Adjust session TTL for SMTP sessions
D) Configure static routes for email servers
Answer: A
Explanation
A) This describes applying antivirus, spam filter, and Data Loss Prevention (DLP) profiles to firewall policies handling outbound SMTP traffic. Antivirus scanning inspects email attachments for malware, trojans, or other malicious payloads. Spam filtering evaluates message headers and content to prevent delivery of unsolicited or harmful messages. DLP profiles inspect the content of emails for confidential information such as sensitive documents, keywords, or regulated data. Applying these profiles ensures that outbound email complies with security policies, prevents data leakage, and reduces the risk of distributing malware from the organization. SSL inspection allows the firewall to decrypt encrypted email sessions to apply inspection for malware and sensitive content. Logs are generated for blocked or flagged messages, providing auditing and compliance evidence. By applying the profiles to the SMTP policy, the firewall ensures that all outbound email undergoes inspection before leaving the network. This protects both internal resources and external recipients from security threats while enforcing corporate data governance policies.
B) This describes enabling NAT for outbound email traffic. NAT only modifies IP addresses and does not scan email for malware, spam, or sensitive content. NAT alone cannot meet the requirement.
C) This describes adjusting session TTL for SMTP sessions. TTL affects session duration but does not enforce scanning, inspection, or compliance policies. Adjusting TTL has no impact on email security.
D) This describes configuring static routes for email servers. Routing ensures traffic reaches the destination but does not scan for malware, spam, or confidential content. Static routes cannot enforce security policies.
Applying antivirus, spam filter, and DLP profiles to outbound SMTP traffic is the only configuration that satisfies the requirement. Therefore, A is correct.
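One DLP configuration serving both Question 26 (confidential documents uploaded over HTTP) and Question 29 (outbound SMTP scanned for malware, spam and confidential content), as FortiOS CLI. This is an added example, not configuration from the original page: object names, the relay address object and the marker keyword are constructed, and the dictionary/sensor/profile layering is the FortiOS 7.2+ DLP schema as I recall it, so verify the keywords on your build.

```fortios
# Added example (not from the original page). Names and the marker keyword are
# constructed; the dlp dictionary/sensor/profile keywords are assumed 7.2+ syntax.

# 1. What counts as confidential here: a classification marker in the document.
config dlp dictionary
    edit "Corp-Confidential-Markers"
        set match-type match-any
        config entries
            edit 1
                set type keyword
                set pattern "COMPANY CONFIDENTIAL"
                set ignore-case enable
            next
        end
    next
end

# 2. Sensor: trigger when the dictionary matches at least once in a file.
config dlp sensor
    edit "Corp-Confidential"
        set match-type match-any
        config entries
            edit 1
                set dictionary "Corp-Confidential-Markers"
                set count 1
            next
        end
    next
end

# 3. Profile: block matching files in outbound mail and in HTTP uploads, log it.
config dlp profile
    edit "Block-Confidential"
        set dlp-log enable
        config rule
            edit 1
                set name "confidential-files-out"
                set severity high
                set type file
                set proto smtp http-post
                set filter-by sensor
                set sensor "Corp-Confidential"
                set action block
            next
        end
    next
end

# 4. Outbound SMTP policy for the internal relay with AV, spam filter and DLP.
#    Proxy inspection so whole messages and attachments are reassembled.
config firewall policy
    edit 40
        set name "Relay-SMTP-Out"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "Mail-Relay"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SMTP" "SMTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set emailfilter-profile "default"
        set dlp-profile "Block-Confidential"
        set logtraffic all
        set nat enable
    next
end
```

The same `dlp-profile` goes on the outbound web policy so `http-post` uploads are checked; distinguishing approved from unapproved cloud storage is then the job of the application control allow and block lists the question pairs with DLP, since the DLP rule itself only decides whether the content is sensitive. Start with `set action log-only` on a new sensor for a week and read the DLP logs before switching to `block`; a keyword as short as this one will hit legitimate mail, and the tuning pass is what keeps the control from being disabled later.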
Question 30
A FortiGate administrator wants to detect and prevent internal hosts from connecting to botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in web filter or DNS filter profiles
B) Enable NAT on the internal interface
C) Adjust session TTL for internal flows
D) Configure static routes to block external destinations
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking using web filter or DNS filter profiles. Botnet C&C blocking relies on FortiGuard threat intelligence feeds to identify known malicious IPs, domains, or URLs used by botnet operators to control compromised hosts. When enabled, the firewall examines outbound DNS queries, HTTP/S traffic, and other protocols to detect attempts to contact C&C servers. Connections matching known malicious indicators are blocked, preventing malware from receiving commands or exfiltrating data. Alerts are logged for further investigation, providing visibility into infected devices. This configuration ensures that compromised internal hosts are contained, reducing the impact of malware infections. It also supports compliance by demonstrating active protection against botnet activity. Regular updates from FortiGuard maintain the effectiveness of the blocking mechanism, as new threats are continuously added to the intelligence feeds. The configuration can be applied at the DNS level for proactive blocking of malicious domains or at the web filter level for traffic-based blocking. Enabling C&C blocking is critical for minimizing the risk of malware propagation and command execution within internal networks.
B) This describes enabling NAT on the internal interface. NAT changes IP addresses but does not inspect traffic for botnet communication or block connections to C&C servers. NAT alone cannot detect or prevent botnet activity.
C) This describes adjusting session TTL for internal flows. TTL settings do not influence botnet detection or C&C blocking. Modifying TTL does not prevent communication with malicious servers.
D) This describes configuring static routes to block external destinations. Routes define traffic paths but cannot dynamically detect or block botnet C&C servers. Static routes cannot enforce real-time threat prevention.
Enabling botnet C&C blocking through web filter or DNS filter profiles is the only configuration that effectively detects and prevents communication with malicious command-and-control servers. Therefore, A is correct.
Question 31
A FortiGate administrator wants to ensure that internal users can access Microsoft 365 services while all other cloud applications are blocked. Which configuration should be applied?
A) Apply application control profiles with allow lists for Microsoft 365 applications
B) Enable NAT on the internal interface
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to Microsoft 365 servers
Answer: A
Explanation
A) This describes applying application control profiles with allow lists specifically for Microsoft 365 applications. Application control inspects network traffic at a granular level to identify applications based on their signatures, protocols, and behavior rather than relying solely on ports. By defining an allow list, the firewall permits only authorized Microsoft 365 services such as Exchange Online, Teams, SharePoint, and OneDrive, while all other cloud applications are blocked. This ensures compliance with corporate usage policies, prevents data exfiltration to unapproved services, and controls bandwidth usage. Application control can operate over both HTTP and HTTPS traffic, and when combined with SSL inspection, it ensures visibility into encrypted traffic. Administrators can also log and monitor all blocked attempts, providing evidence for auditing and threat analysis. This approach supports zero-trust principles by enforcing least-privilege access to cloud services and prevents users from bypassing security policies. Allow lists can be granularly applied per user group, VLAN, or VDOM, enabling flexible management while ensuring that internal users have the necessary productivity tools without exposing the organization to unnecessary risks.
B) This describes enabling NAT on the internal interface. NAT modifies IP addresses but does not identify or restrict applications. NAT alone cannot enforce policies based on application behavior or block unapproved cloud services, so it does not meet the requirement.
C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not influence application visibility or enforcement. Adjusting TTL does not allow the firewall to permit Microsoft 365 while blocking other cloud services.
D) This describes configuring static routes to Microsoft 365 servers. Static routing ensures that traffic reaches the destination but does not control which applications are allowed or blocked. Routing alone cannot enforce application-level policies or control access to cloud applications.
Application control profiles with allow lists for Microsoft 365 are the only configuration that enforces selective cloud access while blocking unapproved applications. Therefore, A is correct.
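An application control allow list covering both Question 25 (approved cloud applications only) and Question 31 (Microsoft 365 only), as FortiOS CLI. This is an added example, not configuration from the original page: object names are constructed, and the Microsoft 365 signature ID is a placeholder to be looked up under Security Profiles > Application Signatures on your unit; the example assumes `set application` takes that numeric ID.

```fortios
# Added example (not from the original page). Names are constructed and the
# signature ID is a placeholder; look it up on your unit.
config application list
    edit "M365-Only"
        set comment "Allow Microsoft 365 only; everything else is blocked"
        # These two defaults are what turn the list into an allow list: any
        # application not matched by an entry below is blocked and logged.
        set other-application-action block
        set other-application-log enable
        set unknown-application-action block
        set unknown-application-log enable
        config entries
            edit 1
                set application <M365-signature-id>   # placeholder for the Microsoft.Office.365 signature
                set action pass
                set log enable
            next
        end
    next
end

# Bind it to the outbound policy. Deep inspection is required so HTTPS
# applications are identified by content, not only by SNI.
config firewall policy
    edit 50
        set name "Users-to-Internet-M365"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "M365-Only"
        set logtraffic all
        set nat enable
    next
end
```

Two caveats a practitioner should know. The built-in default for `other-application-action` is pass, so a list that only adds entries is a block list, not an allow list; the two `block` defaults above are the decisive lines. And application identification needs the first few packets of a flow before it can classify, so a short initial exchange with an unapproved service is allowed through before the block takes effect; that is normal and shows up in the logs as a blocked session after a handful of bytes.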
Question 32
A FortiGate administrator wants to log all VPN sessions, including source, destination, user identity, and policy information, for compliance and auditing purposes. Which configuration is required?
A) Enable logging of all allowed sessions in the VPN policies
B) Increase the TTL for VPN sessions
C) Enable NAT on the VPN interface
D) Configure static routes to VPN endpoints
Answer: A
Explanation
A) This describes enabling logging for all allowed sessions within the VPN policies. When logging is enabled, the firewall records detailed information for each session, including source and destination IP addresses, ports, associated users, and which security or VPN policy allowed the session. This level of detail supports compliance with regulatory requirements, internal audit policies, and incident response procedures. Logging provides visibility into user activity, policy enforcement, and traffic patterns, which is essential for forensic analysis in case of security incidents. FortiGate allows forwarding logs to FortiAnalyzer, syslog servers, or cloud-based logging platforms for long-term retention and analysis. Administrators can filter, search, and generate reports based on user identity, time, source, or destination, helping demonstrate adherence to security policies. Enabling logging at the VPN policy level ensures that all traffic through SSL VPN, IPsec VPN, or site-to-site tunnels is captured accurately. This prevents gaps in visibility and ensures that even encrypted sessions are accounted for. Logs also provide context for troubleshooting connectivity issues, user behavior monitoring, and tracking policy effectiveness over time.
B) This describes increasing TTL for VPN sessions. TTL affects session persistence but does not generate logs or capture detailed session information. Modifying TTL does not meet the requirement for compliance and auditing.
C) This describes enabling NAT on the VPN interface. NAT modifies IP addresses but does not generate session logs or provide visibility into user identity or policy enforcement. NAT alone cannot satisfy compliance requirements.
D) This describes configuring static routes to VPN endpoints. Routing ensures connectivity but does not capture detailed session information, user identity, or security policy application. Static routes do not provide logging capabilities.
Enabling logging for all allowed VPN sessions is the only configuration that ensures compliance, visibility, and auditing for VPN traffic. Therefore, A is correct.
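As an added illustration of the correct answer (example configuration written for this page, not Fortinet documentation or text from the original question set), the FortiOS CLI below creates an SSL VPN firewall policy that logs every allowed session and forwards the logs to a syslog collector. The policy name, the user group `VPN-Users`, the interface names and the collector address `10.0.0.50` are assumptions; `ssl.root` and `SSLVPN_TUNNEL_ADDR1` are the default SSL VPN interface and address object.

```fortios
# Added example, not from the exam page. Object names and the syslog
# address are placeholders chosen for illustration.
config firewall policy
    edit 0
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "VPN-Users"
        set action accept
        set schedule "always"
        set service "ALL"
        # "all" logs every accepted session, not only sessions with a UTM event
        set logtraffic all
    next
end

# Ship the logs off-box so they survive reboots and can be searched per user,
# policy and time range on the collector (10.0.0.50 is a placeholder).
config log syslogd setting
    set status enable
    set server "10.0.0.50"
    set port 514
end
config log syslogd filter
    set severity information
    set forward-traffic enable
end
```

With `logtraffic all` the resulting traffic log records carry the fields the question asks for (`srcip`, `dstip`, `user`, `group`, `policyid`), so an auditor can reconstruct who reached which internal host under which policy without relying on the VPN event log alone.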
Question 33
A FortiGate administrator wants to prevent internal hosts from accessing known malware-hosting websites, phishing domains, and suspicious IP addresses in real time. Which configuration should be applied?
A) Enable web filtering and DNS filtering with FortiGuard threat intelligence services
B) Enable NAT on the internal interface
C) Adjust TTL values for outbound traffic
D) Configure static routes for external destinations
Answer: A
Explanation
A) This describes enabling web filtering and DNS filtering with FortiGuard threat intelligence services. FortiGuard continuously updates databases with information about malicious websites, phishing domains, and suspicious IP addresses. Web filtering inspects HTTP and HTTPS traffic, applying SSL inspection when necessary to detect threats inside encrypted sessions. DNS filtering evaluates domain resolution requests and blocks queries for known malicious domains, preventing users from reaching dangerous sites before a connection is even established. Combining web and DNS filtering provides multi-layer protection, ensuring that users cannot bypass security controls through different protocols or encrypted traffic. FortiGuard threat intelligence ensures that the firewall has real-time information about emerging threats, including newly identified malware servers, botnet command-and-control endpoints, and phishing campaigns. Alerts and logs are generated for blocked traffic, providing visibility for auditing, compliance, and incident response. This approach mitigates risks from malware infections, credential theft, and data exfiltration while maintaining a secure network environment.
B) This describes enabling NAT on the internal interface. NAT modifies IP addresses but does not inspect traffic or block malicious websites or domains. NAT alone cannot provide real-time protection against malware or phishing.
C) This describes adjusting TTL values for outbound traffic. TTL settings only control how long packets persist and do not enforce blocking, inspection, or threat intelligence. Modifying TTL does not prevent access to malicious sites.
D) This describes configuring static routes for external destinations. Static routes control traffic paths but cannot dynamically block malware-hosting domains, phishing URLs, or suspicious IPs. Routing alone does not provide real-time threat prevention.
Web filtering and DNS filtering with FortiGuard threat intelligence services are the only configuration that provides real-time blocking of known threats and malicious domains. Therefore, A is correct.
Question 34
A FortiGate administrator wants to apply per-user bandwidth limits to ensure that no single employee consumes excessive network resources. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to firewall policies
B) Increase the TTL of internal sessions
C) Enable NAT on the internal interface
D) Configure static routes for internal subnets
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles to firewall policies. Traffic shaping controls the bandwidth allocated to each IP address or user, ensuring equitable distribution of network resources. Per-IP shaping monitors individual sessions and imposes maximum and guaranteed bandwidth limits, preventing a single user from consuming excessive capacity. This is particularly important in environments with limited bandwidth or when hosting critical applications that require predictable performance. Traffic shaping profiles can be applied at the firewall policy level, allowing administrators to define rules per VLAN, user group, or subnet. Logs and statistics provide insight into bandwidth usage, helping administrators identify misuse or congestion. This configuration supports fairness, enforces corporate bandwidth policies, and ensures that all users receive sufficient network resources. Traffic shaping can also include priority settings for specific applications, ensuring that business-critical traffic is not affected by heavy consumption from non-critical activities.
B) This describes increasing TTL for internal sessions. TTL affects session lifespan but does not limit bandwidth usage or enforce fairness. TTL adjustments cannot achieve per-user bandwidth control.
C) This describes enabling NAT on the internal interface. NAT modifies IP addresses but does not enforce bandwidth restrictions per user. NAT alone cannot prevent excessive usage by individual employees.
D) This describes configuring static routes for internal subnets. Routing ensures traffic reaches its destination but does not control bandwidth allocation. Static routes do not enforce per-user limits or fairness.
Per-IP traffic shaping profiles applied to firewall policies are the only configuration that ensures per-user bandwidth control. Therefore, A is correct.
Question 35
A FortiGate administrator wants to enforce secure web access policies for remote users while ensuring encrypted traffic can be inspected for malware and sensitive data. Which configuration is required?
A) Apply SSL deep inspection profiles to firewall policies handling remote user traffic
B) Enable NAT on the remote user interface
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to remote users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles to firewall policies handling remote user traffic. SSL deep inspection allows the firewall to decrypt encrypted HTTPS traffic, inspect it for malware, phishing attempts, application control, and Data Loss Prevention (DLP) policies, and then re-encrypt it before forwarding. This ensures that threats hidden inside encrypted traffic are detected and blocked while allowing legitimate traffic to flow securely. Deep inspection is essential because most web traffic today is encrypted, and traditional inspection methods cannot analyze content within SSL/TLS tunnels. Administrators can configure certificate handling to avoid client certificate errors and selectively exempt trusted websites to reduce user impact. Logging provides visibility into detected threats, blocked content, and policy enforcement, supporting compliance and auditing. By applying SSL deep inspection to policies for remote users, the firewall ensures that remote connections are as secure as internal traffic. This protects against malware, credential theft, and data exfiltration while maintaining compliance with corporate security standards and regulatory requirements.
B) This describes enabling NAT on the remote user interface. NAT modifies IP addresses but does not inspect encrypted traffic or enforce security policies. NAT alone cannot detect malware or sensitive data in SSL sessions.
C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not decrypt or inspect traffic. Adjusting TTL does not enforce malware scanning, DLP, or policy enforcement.
D) This describes configuring static routes to remote users. Static routing ensures connectivity but cannot inspect encrypted traffic, detect malware, or enforce DLP policies. Routes alone do not provide security inspection.
Applying SSL deep inspection profiles to firewall policies handling remote user traffic is the only configuration that ensures secure, inspected web access. Therefore, A is correct.
Question 36
A FortiGate administrator wants to block access to high-risk applications such as peer-to-peer file sharing, online gambling, and torrent services while allowing business-critical applications. Which configuration should be applied?
A) Enable application control profiles with block rules for high-risk applications and allow rules for business-critical applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for business-critical applications
Answer: A
Explanation
A) This describes enabling application control profiles with specific block rules for high-risk applications and allow rules for business-critical applications. Application control identifies applications based on their signatures, behavior, and protocols rather than relying on ports, making it effective against modern applications that use dynamic ports, encryption, or tunneling. By explicitly blocking peer-to-peer, torrent, and gambling applications, the firewall prevents unauthorized or risky activities that may compromise bandwidth, network security, or compliance. Allowing only business-critical applications ensures productivity and operational continuity while enforcing corporate policies. Application control can inspect both HTTP and HTTPS traffic, leveraging SSL deep inspection when needed to maintain visibility into encrypted sessions. Logs and reports generated by the firewall provide insight into blocked applications, attempted bypasses, and usage trends, which help in auditing, compliance, and threat analysis. Administrators can apply different rules based on user groups, VLANs, or network segments, providing flexibility and granular enforcement. This approach aligns with zero-trust principles by limiting user access strictly to allowed applications while blocking the traffic of potentially dangerous or non-business-related applications. Application control also integrates with other security features, such as antivirus and IPS, to create layered defenses that reduce risk exposure and maintain secure network operations.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for routing purposes but does not identify or block specific applications. NAT alone cannot enforce security policies or control access to high-risk applications.
C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not inspect, block, or allow specific applications. Adjusting TTL cannot enforce application control policies.
D) This describes configuring static routes for business-critical applications. Static routes control traffic paths but cannot detect or block high-risk applications. Routing alone does not enforce application-level policies.
Application control profiles with block rules for high-risk applications and allow rules for business-critical applications are the only configuration that ensures secure and compliant application usage. Therefore, A is correct.
Question 37
A FortiGate administrator wants to prevent internal hosts from communicating with known malicious IP addresses and domains that are part of botnets. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL values for outbound traffic
D) Configure static routes to known safe IP addresses
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking using DNS filter and web filter profiles. Botnet C&C blocking relies on continuously updated threat intelligence feeds to identify malicious IP addresses, domains, and URLs associated with botnets. The firewall inspects both DNS queries and web traffic to detect attempts by internal hosts to communicate with these known malicious endpoints. When a connection matches a botnet indicator, the firewall blocks it and generates an alert for administrator review. DNS filtering proactively prevents the host from resolving malicious domains, while web filtering ensures that HTTP/HTTPS connections are intercepted. This multi-layered approach ensures that infected or compromised devices cannot communicate with external C&C servers, mitigating malware propagation, data exfiltration, and coordinated attacks. Botnet protection also includes logging for compliance and incident response, providing visibility into potential threats and security events. FortiGuard threat intelligence updates ensure that the firewall remains effective against newly identified botnet infrastructure. This configuration directly prevents internal hosts from participating in botnet activity while maintaining normal network operations for legitimate traffic.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic for botnet activity or block malicious destinations. NAT alone cannot detect or prevent communication with C&C servers.
C) This describes increasing TTL values for outbound traffic. TTL adjustments only affect the lifespan of packets and have no impact on botnet detection or blocking. Adjusting TTL does not prevent hosts from contacting malicious servers.
D) This describes configuring static routes to known safe IP addresses. Static routing defines paths for traffic but does not dynamically detect or block malicious domains or IPs. Routing alone cannot enforce threat intelligence or botnet protection.
Botnet C&C blocking using DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious botnet infrastructure. Therefore, A is correct.
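As an added illustration of the correct answers to Question 33 and Question 37 (example configuration written for this page, not Fortinet documentation or text from the original question set), the FortiOS CLI below creates a DNS filter profile that blocks FortiGuard botnet C&C domains and the Malicious Websites and Phishing categories, a web filter profile that blocks the same two categories for HTTP/HTTPS, and a policy that applies both. Profile and policy names are assumptions; the category IDs 26 (Malicious Websites) and 61 (Phishing) are the FortiGuard web filter category numbers, which you can confirm with `set category ?` inside a filter entry.

```fortios
# Added example, not from the exam page. Profile names are placeholders.
# DNS layer: refuse to resolve botnet C&C and malicious/phishing domains.
config dnsfilter profile
    edit "corp-dns"
        # FortiGuard botnet C&C domain list
        set block-botnet enable
        config ftgd-dns
            config filters
                edit 1
                    # Malicious Websites
                    set category 26
                    set action block
                next
                edit 2
                    # Phishing
                    set category 61
                    set action block
                next
            end
        end
    next
end

# Web layer: block the same categories for connections that reach a
# malicious host by IP or through a resolver the DNS filter did not see.
config webfilter profile
    edit "corp-web"
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
    next
end

# Apply both profiles to the outbound policy. Certificate inspection is enough
# for category lookups (SNI/certificate); deep inspection is required only when
# the page content itself must be scanned.
config firewall policy
    edit 0
        set name "LAN-to-WAN-filtered"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "corp-dns"
        set webfilter-profile "corp-web"
        set logtraffic utm
        set nat enable
    next
end
```

The DNS filter only sees queries that traverse this policy, so hosts configured with an internal resolver need the profile applied on the policy that carries the resolver's upstream queries (or on the FortiGate's own DNS server) for the botnet list to take effect. Blocked lookups and URL blocks appear in the DNS and web filter UTM logs, which is where the alerts mentioned in the explanation are generated.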
Question 38
A FortiGate administrator wants to implement secure remote access for employees while ensuring that malware, phishing, and unauthorized applications are blocked. Which configuration should be applied?
A) Apply SSL VPN policies with antivirus, web filter, application control, and DLP profiles
B) Enable NAT on the SSL VPN interface
C) Adjust TTL for VPN sessions
D) Configure static routes for VPN traffic
Answer: A
Explanation
A) This describes applying SSL VPN policies with antivirus, web filter, application control, and DLP profiles. SSL VPN provides encrypted remote access for employees, allowing them to securely connect to internal resources. Antivirus scanning inspects files for malware, viruses, and trojans. Web filtering evaluates URL categories, blocks phishing attempts, and prevents access to malicious sites. Application control ensures that unauthorized applications are not used over the VPN connection. DLP inspects traffic for sensitive information, preventing data exfiltration over remote connections. Applying these profiles to SSL VPN policies ensures comprehensive protection, visibility, and enforcement, even for encrypted traffic, because the firewall can perform SSL deep inspection on remote sessions. Logs and reports provide auditing and compliance evidence, helping administrators track user activity and security events. This configuration supports secure remote work while maintaining the organization’s security posture and compliance with corporate policies. By integrating multiple security profiles into SSL VPN policies, the firewall enforces layered security that mitigates risks associated with malware, phishing, and unauthorized applications.
B) This describes enabling NAT on the SSL VPN interface. NAT modifies IP addresses but does not provide antivirus scanning, application control, web filtering, or DLP capabilities. NAT alone cannot ensure secure and compliant remote access.
C) This describes adjusting TTL for VPN sessions. TTL only determines session persistence but does not perform inspection, enforcement, or security checks. Adjusting TTL does not block malware, phishing, or unauthorized applications.
D) This describes configuring static routes for VPN traffic. Static routes ensure connectivity but do not provide security inspection, content filtering, or policy enforcement. Routing alone cannot secure remote access.
Applying SSL VPN policies with antivirus, web filter, application control, and DLP profiles is the only configuration that ensures secure remote access while blocking threats and unauthorized applications. Therefore, A is correct.
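As an added illustration of the correct answers to Question 35 and Question 38 (example configuration written for this page, not Fortinet documentation or text from the original question set), the FortiOS CLI below defines a custom SSL/SSH inspection profile that performs deep inspection of HTTPS with the built-in `Fortinet_CA_SSL` re-signing CA and exempts the Finance and Banking category, then attaches it together with antivirus, web filter, application control and DLP profiles to the policy that carries SSL VPN users to the internet. The profile name `deep-remote`, the policy name, the group `VPN-Users` and the DLP profile `corp-dlp` (which must already exist) are assumptions; `default` is the name of the built-in antivirus, web filter and application control profiles; category 31 is the FortiGuard Finance and Banking category, which you can confirm with `set fortiguard-category ?`.

```fortios
# Added example, not from the exam page. Names are placeholders.
# Deep inspection profile: decrypt, scan, re-sign with the FortiGate CA.
# Clients must trust Fortinet_CA_SSL (or a CA you import) to avoid warnings.
config firewall ssl-ssh-profile
    edit "deep-remote"
        set comment "Deep inspection for remote users, banking exempted"
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        config https
            set ports 443
            set status deep-inspection
        end
        # Exempt a category that must not be decrypted (privacy / pinning)
        config ssl-exempt
            edit 1
                set type fortiguard-category
                # Finance and Banking
                set fortiguard-category 31
            next
        end
    next
end

# SSL VPN users to the internet with the full security-profile stack.
# Proxy mode is selected because DLP content inspection runs in proxy mode.
config firewall policy
    edit 0
        set name "SSLVPN-to-Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "VPN-Users"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-remote"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set dlp-profile "corp-dlp"
        set logtraffic all
        set nat enable
    next
end
```

Keeping the exemption list short and category-based (rather than exempting whole domains ad hoc) preserves inspection coverage while avoiding breakage on sites that use certificate pinning; the UTM logs on this policy show which remote sessions were decrypted, which were exempted, and what the antivirus, web filter and DLP profiles blocked.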
Question 39
A FortiGate administrator wants to optimize DNS resolution for internal users to reduce latency and minimize unnecessary external queries. Which configuration should be applied?
A) Enable DNS caching on the FortiGate
B) Enable NAT for DNS queries
C) Increase TTL for DNS responses
D) Configure static routes for DNS servers
Answer: A
Explanation
A) This describes enabling DNS caching on the FortiGate firewall. DNS caching allows the firewall to store responses from previously resolved domains locally. When a subsequent request for the same domain occurs, the firewall responds from the cache rather than querying external DNS servers. This reduces latency, improves user experience, and minimizes unnecessary external traffic. DNS caching is particularly effective in environments with high-volume repetitive lookups, such as corporate networks where employees frequently access the same web services. Enabling caching also improves resilience by providing responses even if upstream DNS servers are temporarily unavailable. The cache can respect TTL values from authoritative DNS responses while allowing local administrators to configure refresh intervals. Logging and statistics can provide insight into cached queries, hits, and misses, allowing performance monitoring and optimization. DNS caching enhances overall network efficiency while reducing exposure to external DNS delays and congestion. This configuration directly addresses the requirement to optimize DNS resolution and reduce unnecessary external queries.
B) This describes enabling NAT for DNS queries. NAT modifies IP addresses but does not store or accelerate DNS responses. NAT alone cannot reduce query latency or minimize external requests.
C) This describes increasing TTL for DNS responses. TTL affects how long DNS entries are considered valid but does not create a local cache or improve resolution speed for repeated queries.
D) This describes configuring static routes for DNS servers. Routes ensure queries reach the server but do not store previous responses or improve latency for repeated requests. Static routes alone cannot optimize DNS resolution.
Enabling DNS caching on the FortiGate is the only configuration that reduces latency and minimizes unnecessary external queries. Therefore, A is correct.
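As an added illustration of the correct answer (example configuration written for this page, not Fortinet documentation or text from the original question set), the FortiOS CLI below points the FortiGate at the FortiGuard DNS servers, sizes its resolver cache, and enables a forwarding DNS service on the internal interface so that client queries are answered from the FortiGate cache instead of each host querying the internet directly. The interface name `internal` and the cache values are assumptions chosen for illustration; `96.45.45.45` and `96.45.46.46` are the FortiGuard DNS servers the FortiGate uses by default.

```fortios
# Added example, not from the exam page. Interface name and cache sizing are
# placeholders; tune them to the size of the user population.
config system dns
    set primary 96.45.45.45
    set secondary 96.45.46.46
    # maximum number of cached entries
    set dns-cache-limit 5000
    # seconds a cached answer is kept (authoritative TTL is honoured when shorter)
    set dns-cache-ttl 1800
end

# Serve DNS to LAN clients from the FortiGate. forward-only relays to the
# system DNS servers above and answers repeats from the shared cache.
config system dns-server
    edit "internal"
        set mode forward-only
    next
end
```

Clients (or the DHCP scope) then use the FortiGate's internal interface address as their resolver. Because one cache now fronts every internal host, the number of external queries for popular names drops to roughly one per TTL period rather than one per client, which is the latency and traffic reduction the question is after.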
Question 40
A FortiGate administrator wants to enforce per-user SSL VPN bandwidth limits to prevent any single remote user from consuming excessive network resources. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to SSL VPN firewall policies
B) Increase TTL for VPN sessions
C) Enable NAT on the SSL VPN interface
D) Configure static routes for remote user traffic
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles to SSL VPN firewall policies. Per-IP traffic shaping ensures that each remote user is allocated a specific amount of bandwidth, preventing a single user from consuming all available resources. Traffic shaping profiles can define maximum and guaranteed bandwidth, prioritize business-critical applications, and enforce fairness among users. Applying the shaping profile at the firewall policy level ensures that every SSL VPN session is evaluated and limited appropriately. Logs and statistics provide visibility into bandwidth usage, allowing administrators to identify trends, potential abuse, and performance issues. Per-IP shaping is particularly effective in environments with limited WAN bandwidth or when supporting multiple remote users simultaneously. By enforcing per-user limits, the administrator ensures that network performance remains predictable, business-critical services remain accessible, and abuse or congestion is prevented. This aligns with corporate policies for network resource allocation and ensures equitable access for all remote users.
B) This describes increasing TTL for VPN sessions. TTL affects session lifespan but does not control bandwidth allocation. Adjusting TTL cannot enforce per-user bandwidth limits.
C) This describes enabling NAT on the SSL VPN interface. NAT modifies IP addresses but does not limit bandwidth per user or enforce traffic shaping policies.
D) This describes configuring static routes for remote user traffic. Routing ensures connectivity but does not enforce bandwidth limits or control user consumption.
Applying per-IP traffic shaping profiles to SSL VPN firewall policies is the only configuration that ensures per-user bandwidth control. Therefore, A is correct.
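As an added illustration of the correct answers to Question 34 and Question 40 (example configuration written for this page, not Fortinet documentation or text from the original question set), the FortiOS CLI below defines a per-IP shaper that caps every source address at 10 Mbps and 500 concurrent sessions, and a shaping policy that applies it to traffic from the SSL VPN tunnel range. The shaper name, policy name and the limits are assumptions; `ssl.root` and `SSLVPN_TUNNEL_ADDR1` are the default SSL VPN interface and address object. The same pair of objects with `internal` as the source interface and the LAN subnet as `srcaddr` gives the per-employee limit asked for in Question 34.

```fortios
# Added example, not from the exam page. Names and limits are placeholders.
# A per-IP shaper carries a maximum bandwidth and a session cap; each source
# IP gets its own bucket, so one heavy user cannot starve the others.
config firewall shaper per-ip-shaper
    edit "remote-user-10M"
        set max-bandwidth 10000
        set bandwidth-unit kbps
        set max-concurrent-session 500
    next
end

# Shaping policies are matched after the firewall policy allows the traffic;
# this one selects SSL VPN users heading to the internal network.
config firewall shaping-policy
    edit 1
        set name "SSLVPN-per-user-cap"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set service "ALL"
        set per-ip-shaper "remote-user-10M"
    next
end
```

Guaranteed bandwidth and priority are properties of a shared traffic shaper (`config firewall shaper traffic-shaper`), which can be added to the same shaping policy with `set traffic-shaper` and `set traffic-shaper-reverse` when business-critical traffic must be protected as well as capped. `diagnose firewall shaper per-ip-shaper list` shows the per-address counters, which is where excessive use by an individual user becomes visible.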