Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 3 Q41-60
Question 41
A FortiGate administrator wants to ensure that all internal devices accessing the internet use a single, secure DNS server while preventing DNS-based attacks. Which configuration should be applied?
A) Configure the FortiGate as the authoritative DNS resolver with DNS filtering and DNS security profiles
B) Enable NAT on the internal interfaces
C) Increase TTL for DNS queries
D) Configure static routes to external DNS servers
Answer: A
Explanation
A) This describes configuring the FortiGate firewall as the authoritative DNS resolver for internal devices while enabling DNS filtering and DNS security profiles. Acting as the authoritative resolver allows the firewall to centralize DNS requests and responses, ensuring that all queries are controlled, monitored, and inspected. DNS filtering profiles prevent access to malicious or suspicious domains, including phishing sites, botnet command-and-control servers, and domains hosting malware. The firewall inspects DNS queries and responses in real time, applying FortiGuard threat intelligence to block known harmful destinations. DNS security profiles also provide protection against DNS-based attacks such as cache poisoning, DNS tunneling, and amplification attacks. Centralizing DNS resolution simplifies administration, ensures consistent security policies, and provides visibility into user and device activity. Logging and reporting features allow administrators to track DNS queries, blocked attempts, and policy enforcement, which is essential for compliance and incident response. The configuration reduces the risk of internal devices bypassing security controls, because all queries pass through the firewall. Additionally, this setup can integrate with SSL inspection and content filtering to provide layered protection. By consolidating DNS traffic through the FortiGate, the organization ensures that internal hosts benefit from threat intelligence updates while preventing malicious DNS-based activity from compromising the network.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound connections but does not enforce DNS resolution policies or provide DNS security. NAT alone cannot prevent DNS-based attacks or centralize query management.
C) This describes increasing TTL for DNS queries. TTL affects how long DNS records are cached but does not provide security, centralization, or inspection of queries. Adjusting TTL alone cannot prevent malicious activity or enforce DNS policies.
D) This describes configuring static routes to external DNS servers. Routes ensure connectivity but do not inspect DNS traffic, block malicious domains, or enforce centralized security policies. Routing alone cannot prevent DNS-based attacks.
Configuring the FortiGate as the authoritative DNS resolver with DNS filtering and security profiles is the only configuration that ensures secure, centralized, and protected DNS resolution. Therefore, A is correct.
Question 42
A FortiGate administrator wants to restrict access to specific internal servers based on user identity and group membership while allowing network access for other traffic. Which configuration is required?
A) Enable LDAP or Active Directory integration with user-based firewall policies
B) Enable NAT on the internal interfaces
C) Increase TTL for internal sessions
D) Configure static routes to internal servers
Answer: A
Explanation
A) This describes integrating the FortiGate with LDAP or Active Directory (AD) and creating user-based firewall policies. LDAP/AD integration allows the firewall to authenticate users and retrieve group membership information. Using this information, the firewall can enforce policies based on identity rather than just IP addresses. For example, finance department users may be allowed access to accounting servers while other users are blocked. Policies can also include logging, monitoring, and alerts based on user identity, providing granular visibility and compliance reporting. This approach supports zero-trust principles, ensuring that access is granted only to authorized individuals and that any policy violations are detected. When a user leaves the organization or changes roles, LDAP/AD integration ensures automatic enforcement of updated access policies without manual intervention. User-based policies can also be applied to VPN, wireless, and wired traffic, providing consistent security across all access points. Logs generated from identity-based policies provide auditing, which is critical for regulatory compliance and internal governance. This configuration allows precise control over internal resources, mitigates insider threats, and ensures business continuity by maintaining access for legitimate users while restricting unauthorized access.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but cannot restrict access based on user identity or group membership. NAT alone does not provide granular access control.
C) This describes increasing TTL for internal sessions. TTL affects session duration but does not enforce identity-based restrictions. Adjusting TTL cannot control access to specific servers.
D) This describes configuring static routes to internal servers. Static routes ensure connectivity but cannot enforce user-based access policies. Routing alone cannot restrict access based on identity or group membership.
Integrating LDAP or AD with user-based firewall policies is the only configuration that ensures identity-based access control to internal servers. Therefore, A is correct.
Question 43
A FortiGate administrator wants to detect and block attempts by internal users to access proxy servers or anonymizers that may bypass security controls. Which configuration should be applied?
A) Enable application control profiles with blocking rules for proxy and anonymizer applications
B) Enable NAT on internal interfaces
C) Adjust TTL for outbound traffic
D) Configure static routes to proxy servers
Answer: A
Explanation
A) This describes enabling application control profiles with specific blocking rules for proxy servers, anonymizers, and circumvention tools. Application control inspects traffic to identify application signatures, protocols, and behaviors, enabling detection of both traditional and encrypted proxy services. By blocking such applications, the firewall prevents users from bypassing web filtering, DLP, malware inspection, or compliance policies. Application control works over HTTP and HTTPS traffic, with SSL inspection applied to encrypted sessions for visibility into secure connections. Blocking proxy and anonymizer tools ensures that traffic cannot circumvent corporate security controls, reduces the risk of data exfiltration, and maintains adherence to corporate policies. Logs and reports provide visibility into blocked attempts, enabling auditing, trend analysis, and investigation of potential policy violations. This configuration enhances network security by ensuring that all internet-bound traffic is subject to inspection and enforcement. Administrators can also define exceptions for authorized tools while maintaining strict enforcement for unauthorized circumvention methods.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block proxy applications. NAT alone cannot prevent policy circumvention.
C) This describes adjusting TTL for outbound traffic. TTL affects packet lifespan but does not detect or block proxy or anonymizer applications. TTL changes alone cannot enforce security policies.
D) This describes configuring static routes to proxy servers. Static routing ensures connectivity but does not prevent access to proxy services or detect attempts to bypass controls. Routing alone cannot enforce application-level restrictions.
Application control profiles with blocking rules for proxy and anonymizer applications are the only configuration that ensures enforcement of security policies and prevents circumvention. Therefore, A is correct.
Question 44
A FortiGate administrator wants to enforce time-based restrictions on web access, blocking social media websites during work hours but allowing access outside business hours. Which configuration should be applied?
A) Configure a web filter profile with category blocking and schedule-based policies
B) Enable NAT for outbound web traffic
C) Increase TTL for HTTP sessions
D) Configure static routes for social media websites
Answer: A
Explanation
A) This describes configuring a web filter profile with category blocking for social media and associating it with a schedule-based policy. Web filter profiles categorize websites into groups such as social media, entertainment, gambling, or business-related categories. Schedule-based policies allow the administrator to enforce restrictions only during specified times, such as blocking social media between 9 AM and 5 PM and permitting access outside business hours. The firewall can inspect both HTTP and HTTPS traffic, with SSL inspection applied to encrypted sessions, ensuring that blocked categories are enforced consistently. Logs and reports provide visibility into user attempts, policy enforcement, and compliance with corporate access policies. Schedule-based web filtering ensures productivity during business hours while allowing flexibility for non-business usage during off-hours. Administrators can assign different schedules for different user groups or departments, allowing granular control. This approach maintains network security, reduces distractions, and aligns with organizational governance and compliance requirements.
B) This describes enabling NAT for outbound web traffic. NAT modifies IP addresses but does not enforce web filtering or schedule-based restrictions. NAT alone cannot block or allow social media based on time.
C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not provide filtering, category blocking, or scheduling. Adjusting TTL cannot enforce time-based web access restrictions.
D) This describes configuring static routes for social media websites. Static routing ensures connectivity but cannot block websites or enforce policies based on categories or time. Routing alone cannot control web access.
Web filter profiles with category blocking and schedule-based policies are the only configuration that enforces time-based web access restrictions. Therefore, A is correct.
Question 45
A FortiGate administrator wants to enforce per-user quotas on internet usage, limiting the amount of bandwidth or data consumed by individual users. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles with quotas to firewall policies
B) Increase TTL for internet sessions
C) Enable NAT on internal interfaces
D) Configure static routes for internet traffic
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles with quotas to firewall policies. Per-IP traffic shaping allows the administrator to define maximum bandwidth and data consumption limits for each user or device. Quotas can include daily, weekly, or monthly limits, helping enforce fair usage and prevent abuse of network resources. By associating the profiles with firewall policies, administrators ensure that all traffic is monitored, controlled, and limited according to policy. Traffic shaping can also prioritize business-critical applications, ensuring that essential services receive adequate bandwidth even when users approach their limits. Logs and reports provide visibility into individual usage patterns, quota enforcement, and network trends. Enforcing per-user quotas is critical in environments with limited bandwidth, preventing a single user from consuming excessive resources and impacting overall network performance. The configuration aligns with corporate policies, supports network management, and ensures equitable access for all users.
B) This describes increasing TTL for internet sessions. TTL affects session duration but does not control bandwidth or data quotas. Adjusting TTL alone cannot enforce per-user limits.
C) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce bandwidth or data limits. NAT alone cannot implement quotas.
D) This describes configuring static routes for internet traffic. Routing ensures connectivity but does not provide per-user bandwidth control or data quota enforcement. Routes alone cannot limit consumption.
Per-IP traffic shaping profiles with quotas are the only configuration that enforces per-user limits on bandwidth and data usage. Therefore, A is correct.
Question 46
A FortiGate administrator wants to ensure that internal users cannot bypass security policies by using VPN tunneling applications to access the internet directly. Which configuration should be applied?
A) Enable application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for internal sessions
D) Configure static routes to trusted VPN servers
Answer: A
Explanation
A) This describes enabling application control profiles with explicit rules to detect and block VPN tunneling and anonymizer applications. Users may attempt to bypass corporate security policies by installing VPN clients or anonymizers that tunnel traffic directly to external destinations, circumventing web filtering, malware scanning, and DLP enforcement. Application control inspects traffic to identify the presence of these tunneling applications based on signatures, behavior, and protocol characteristics. When detected, the firewall can block connections, alert administrators, and log incidents for compliance and audit purposes. This approach ensures that all internet-bound traffic remains subject to the organization’s security policies and inspection mechanisms. By integrating SSL inspection, encrypted VPN tunnels can also be evaluated, preventing encrypted bypass attempts. Logs and reports provide administrators with visibility into policy enforcement and attempts to circumvent security controls. Granular rules can be applied to specific user groups or VLANs, providing flexibility while maintaining security. This configuration helps maintain corporate security integrity, reduces exposure to malware and data exfiltration, and enforces zero-trust principles by ensuring all traffic adheres to policy. Blocking unauthorized VPN tunneling prevents users from inadvertently or maliciously introducing threats and ensures that security monitoring remains effective for all network traffic.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses for routing purposes but does not inspect traffic for tunneling applications or enforce security policies. NAT alone cannot prevent bypass attempts.
C) This describes increasing TTL for internal sessions. TTL affects session duration but does not detect or block VPN tunneling applications. Adjusting TTL cannot enforce security policies.
D) This describes configuring static routes to trusted VPN servers. Static routes determine traffic paths but do not detect or block unauthorized VPN applications. Routing alone cannot prevent policy circumvention.
Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that ensures internal users cannot bypass security policies. Therefore, A is correct.
Question 47
A FortiGate administrator wants to prevent sensitive data from leaving the organization via email while allowing regular email communication. Which configuration should be applied?
A) Apply Data Loss Prevention (DLP) profiles to outbound SMTP policies
B) Enable NAT on email traffic
C) Increase TTL for SMTP sessions
D) Configure static routes to external mail servers
Answer: A
Explanation
A) This describes applying Data Loss Prevention (DLP) profiles to outbound SMTP policies. DLP profiles inspect outgoing email messages, including attachments and content, for sensitive data such as personally identifiable information (PII), financial records, intellectual property, or regulatory-controlled data. When a message matches predefined policies, the firewall can block, quarantine, or alert administrators, preventing unintentional or malicious data exfiltration. By applying DLP at the SMTP policy level, all email traffic is subject to inspection, ensuring compliance with corporate security policies and regulatory requirements. DLP supports content-based rules, file type recognition, keyword matching, and fingerprinting of sensitive documents. This allows fine-grained control over the flow of information and reduces the risk of sensitive data leaving the organization. Logs and reports provide visibility into blocked or allowed messages, enabling auditing and incident response. When combined with antivirus and spam filtering, DLP provides comprehensive protection for outbound email, ensuring both security and regulatory compliance. This approach prevents accidental leaks and malicious attempts to send sensitive information via email while allowing legitimate communication to continue without disruption.
B) This describes enabling NAT on email traffic. NAT modifies IP addresses but does not inspect content, detect sensitive information, or prevent data exfiltration. NAT alone cannot enforce DLP policies.
C) This describes increasing TTL for SMTP sessions. TTL affects session duration but does not provide content inspection or policy enforcement. Adjusting TTL alone cannot prevent sensitive data from leaving via email.
D) This describes configuring static routes to external mail servers. Routing ensures connectivity but does not inspect content or enforce DLP policies. Static routes alone cannot prevent data leaks.
Applying DLP profiles to outbound SMTP policies is the only configuration that ensures sensitive data is prevented from leaving the organization via email. Therefore, A is correct.
Question 48
A FortiGate administrator wants to prevent malware and ransomware from spreading between internal VLANs while allowing legitimate traffic. Which configuration should be applied?
A) Create inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes creating firewall policies between VLANs with antivirus, intrusion prevention system (IPS), and application control profiles applied. VLANs segment internal networks logically, and traffic passing between them must traverse firewall policies to be inspected. Antivirus scanning detects and blocks malware and ransomware in file transfers or executable traffic. IPS inspects network traffic for suspicious patterns, exploits, and known attack signatures, providing protection against lateral movement of threats. Application control ensures that only authorized applications can communicate between VLANs, preventing the spread of malware through unauthorized channels. By combining these security profiles, the firewall ensures that malicious activity is blocked while legitimate business traffic flows without disruption. Logs and reports provide visibility into threats detected, blocked connections, and policy enforcement, supporting compliance and incident response. SSL inspection ensures that encrypted traffic between VLANs is also inspected. Applying security profiles at inter-VLAN firewall policies enforces zero-trust principles, preventing malware propagation and unauthorized access while maintaining operational efficiency. This configuration is essential in environments with sensitive data, segmented networks, and strict compliance requirements.
B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic for malware, ransomware, or unauthorized applications. NAT alone cannot prevent lateral movement of threats.
C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not enforce antivirus, IPS, or application control. Adjusting TTL alone cannot prevent malware propagation.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not provide inspection or enforcement. Static routes cannot block malware or ransomware.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware spread while allowing legitimate traffic. Therefore, A is correct.
Question 49
A FortiGate administrator wants to ensure that remote users can only access approved SaaS applications and block all other web applications. Which configuration should be applied?
A) Apply application control profiles with allow lists for approved SaaS applications
B) Enable NAT on remote user interfaces
C) Increase TTL for HTTPS sessions
D) Configure static routes to approved SaaS servers
Answer: A
Explanation
A) This describes applying application control profiles with allow lists specifically for approved SaaS applications. Application control inspects traffic for application signatures, protocols, and behavior, enabling granular identification beyond ports and IP addresses. By creating allow lists, only specified SaaS services such as Microsoft 365, Salesforce, or approved productivity tools are permitted, while all other applications are blocked. SSL inspection ensures visibility into encrypted HTTPS traffic, preventing users from bypassing restrictions with secure connections. Logs and reports provide insight into allowed and blocked applications, supporting auditing, compliance, and troubleshooting. Granular policies can be applied per user group, VLAN, or VDOM, ensuring precise control over cloud application access. This approach aligns with corporate security policies, enforces zero-trust access, and reduces risks from unapproved cloud applications, data leaks, and malware exposure. By restricting users to only approved SaaS applications, the administrator ensures productivity while maintaining security posture and regulatory compliance.
B) This describes enabling NAT on remote user interfaces. NAT modifies IP addresses but does not identify or block specific applications. NAT alone cannot enforce SaaS restrictions.
C) This describes increasing TTL for HTTPS sessions. TTL affects session lifespan but does not control application access or enforce allow lists. Adjusting TTL cannot achieve selective SaaS access.
D) This describes configuring static routes to approved SaaS servers. Routing ensures connectivity but cannot block unapproved applications or enforce policies. Static routes alone cannot implement application-level control.
Application control profiles with allow lists for approved SaaS applications are the only configuration that enforces selective cloud access while blocking unapproved services. Therefore, A is correct.
Question 50
A FortiGate administrator wants to block access to malicious websites in real time while allowing access to business-critical web services. Which configuration should be applied?
A) Enable web filtering with FortiGuard categories and create an allow list for business-critical websites
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to business-critical websites
Answer: A
Explanation
A) This describes enabling web filtering with FortiGuard categories and creating an allow list for business-critical websites. FortiGuard continuously updates databases with categorized URLs for phishing, malware, fraud, and other malicious content. Web filtering profiles inspect HTTP and HTTPS traffic, blocking requests to high-risk categories. An allow list ensures that essential business applications or portals are accessible even if they fall into broad categories or are misclassified. SSL inspection allows the firewall to inspect encrypted traffic to detect threats hidden in HTTPS sessions. Logs and reports provide visibility into blocked and allowed access, policy enforcement, and user behavior, supporting compliance, auditing, and incident response. Granular policies can be applied to user groups, VLANs, or zones to ensure business-critical access is maintained while preventing exposure to malicious content. This configuration effectively mitigates risks from phishing attacks, malware downloads, and access to unsafe sites while maintaining operational continuity.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or block malicious websites. NAT alone cannot enforce web filtering.
C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not provide content inspection or blocking. Adjusting TTL does not prevent access to malicious sites.
D) This describes configuring static routes to business-critical websites. Routing ensures connectivity but does not provide inspection, blocking, or threat intelligence. Routes alone cannot mitigate web-based threats.
Web filtering with FortiGuard categories and an allow list for business-critical websites is the only configuration that blocks malicious sites while permitting essential access. Therefore, A is correct.
Question 51
A FortiGate administrator wants to enforce secure email traffic by scanning outbound messages for malware, spam, and sensitive content. Which configuration should be applied?
A) Apply antivirus, spam filter, and DLP profiles to outbound SMTP policies
B) Enable NAT on SMTP traffic
C) Increase TTL for SMTP sessions
D) Configure static routes for external mail servers
Answer: A
Explanation
A) This describes applying antivirus, spam filter, and Data Loss Prevention (DLP) profiles to outbound SMTP firewall policies. Antivirus scanning inspects email attachments and content for malware, viruses, trojans, and other malicious payloads. Spam filtering evaluates headers, sender reputation, and message content to block unsolicited or harmful emails. DLP profiles inspect the email body and attachments for sensitive or regulated information, including intellectual property, financial data, or personal identifiers. By applying these profiles to outbound SMTP policies, the firewall ensures that all outgoing messages are scanned before leaving the organization, preventing accidental or malicious data leakage. SSL inspection allows encrypted email traffic to be analyzed, ensuring visibility even in secure channels. Logs and reports provide insight into blocked, quarantined, and allowed messages, enabling auditing, compliance, and incident response. This configuration ensures email security, protects sensitive data, and aligns with corporate governance and regulatory requirements. It prevents internal hosts from inadvertently or deliberately transmitting malware or sensitive information, thereby maintaining network integrity and regulatory compliance.
B) This describes enabling NAT on SMTP traffic. NAT modifies IP addresses but does not inspect content, detect malware, or enforce data loss prevention policies. NAT alone cannot secure email traffic.
C) This describes increasing TTL for SMTP sessions. TTL affects session duration but does not provide content inspection or enforce security policies. Adjusting TTL cannot block malware, spam, or sensitive data.
D) This describes configuring static routes for external mail servers. Routing ensures connectivity but does not inspect content or enforce policies. Static routes alone cannot enforce email security or compliance.
Applying antivirus, spam filter, and DLP profiles to outbound SMTP policies is the only configuration that ensures secure email traffic and protection against malware, spam, and sensitive data leakage. Therefore, A is correct.
Question 52
A FortiGate administrator wants to prevent internal users from uploading sensitive documents to unauthorized cloud storage platforms while allowing access to approved corporate cloud services. Which configuration should be applied?
A) Apply Data Loss Prevention (DLP) profiles to outbound traffic with allowed and blocked application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound web sessions
D) Configure static routes to corporate cloud services
Answer: A
Explanation
A) This describes applying Data Loss Prevention (DLP) profiles to outbound traffic along with allowed and blocked application lists. DLP inspects network traffic for sensitive content such as financial reports, confidential documents, personal information, or intellectual property. By defining which cloud services are approved, the firewall allows uploads to corporate cloud services while blocking unauthorized platforms like public file-sharing sites or personal cloud storage. SSL inspection ensures encrypted traffic is analyzed, preventing data exfiltration through HTTPS. The firewall can perform content inspection using keyword matching, file type recognition, and fingerprinting techniques to detect sensitive documents accurately. Logs and reports provide visibility into blocked attempts, successful transfers, and policy enforcement, supporting compliance and incident response. Applying DLP with allowed and blocked application lists ensures that security policies are enforced without affecting legitimate business operations. This approach reduces the risk of accidental or malicious data leakage, aligns with regulatory and corporate requirements, and maintains visibility over outbound network traffic. Administrators can apply policies per user group, department, or VLAN, providing granular control over document transfers and access to cloud platforms.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect content or control uploads to cloud platforms. NAT alone cannot prevent data leakage.
C) This describes increasing TTL for outbound web sessions. TTL adjustments affect session duration but do not enforce data loss prevention or application restrictions. TTL cannot block sensitive uploads.
D) This describes configuring static routes to corporate cloud services. Static routing ensures traffic reaches its destination but does not inspect content or prevent unauthorized uploads. Routing alone cannot enforce security policies.
Applying DLP profiles with allowed and blocked application lists is the only configuration that ensures secure cloud access and prevents data leakage. Therefore, A is correct.
Question 53
A FortiGate administrator wants to monitor and restrict bandwidth usage for individual users to ensure fair network resource distribution. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for sessions
D) Configure static routes for internal subnets
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP shaping allows administrators to allocate bandwidth for each user or device, ensuring fair distribution of network resources and preventing any single user from consuming excessive bandwidth. Traffic shaping profiles can define maximum, guaranteed, and priority bandwidth, allowing business-critical applications to receive sufficient resources while limiting non-essential traffic. By associating traffic shaping profiles with firewall policies, the FortiGate ensures that every session is evaluated and controlled according to policy. Logs and statistics provide visibility into per-user bandwidth consumption, helping administrators identify usage patterns, enforce corporate policies, and troubleshoot performance issues. This configuration supports operational efficiency, prevents network congestion, and aligns with organizational guidelines for bandwidth management. Administrators can also combine traffic shaping with application control to prioritize essential applications and maintain network performance under heavy usage. Per-IP shaping is particularly important in environments with multiple users or limited bandwidth, providing predictability and fairness while supporting zero-trust principles by ensuring controlled access to network resources.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce bandwidth limits or ensure fair resource allocation. NAT alone cannot monitor or restrict usage.
C) This describes increasing TTL for sessions. TTL affects session duration but does not provide bandwidth control or monitoring. Adjusting TTL alone cannot enforce fair usage policies.
D) This describes configuring static routes for internal subnets. Routing ensures connectivity but does not enforce per-user bandwidth restrictions. Static routes alone cannot implement traffic shaping.
Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth allocation and per-user usage monitoring. Therefore, A is correct.
Question 54
A FortiGate administrator wants to enforce SSL inspection for remote user web traffic to detect malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles to firewall policies handling remote user traffic
B) Enable NAT on the remote user interface
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes for remote user traffic
Answer: A
Explanation
A) This describes applying an SSL/SSH inspection profile in deep-inspection mode to the firewall policies that handle remote user traffic. In deep inspection the FortiGate terminates the client's TLS session, re-signs the server certificate with its own CA (Fortinet_CA_SSL by default, or an enterprise sub-CA), inspects the plaintext with the antivirus, web filter, application control, IPS and DLP profiles on the policy, and re-encrypts it toward the server. Because most web traffic is encrypted, only certificate inspection would otherwise be possible: it sees the SNI and certificate data but not the payload, so malware, phishing pages and tunnelled applications would pass unexamined. Two operational conditions matter. The FortiGate CA certificate must be pushed to every remote client's trust store (through GPO, MDM or the endpoint client), or users see certificate warnings; and destinations that cannot be intercepted, such as applications with certificate pinning or privacy-sensitive categories like banking and health, must be added to the profile's exemption list. The profile's certificate validation settings also decide what happens with expired, revoked or untrusted server certificates. UTM logs then show the threats detected inside formerly opaque sessions, supporting compliance and incident response. For remote users connecting over SSL VPN, the VPN tunnel itself is terminated by the FortiGate, so the deep-inspection profile applies to the HTTPS sessions carried inside the tunnel on the ssl.root policy, not to the tunnel. Applying the profile there ensures encrypted sessions receive the same inspection as clear-text ones.
B) This describes enabling NAT on the remote user interface. NAT modifies IP addresses but does not decrypt or inspect SSL traffic. NAT alone cannot enforce security policies or detect malware or phishing.
C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not inspect traffic or enforce policies. Adjusting TTL cannot detect malware or unauthorized applications.
D) This describes configuring static routes for remote user traffic. Static routing ensures connectivity but does not decrypt or inspect traffic. Routing alone cannot enforce SSL inspection or detect threats.
Applying SSL deep inspection profiles to firewall policies handling remote user traffic is the only configuration that ensures secure, monitored web access. Therefore, A is correct.
Question 55
A FortiGate administrator wants to block botnet command-and-control communications from internal hosts to external servers. Which configuration should be applied?
A) Enable botnet C&C blocking in web filter and DNS filter profiles
B) Enable NAT on internal interfaces
C) Adjust TTL for outbound traffic
D) Configure static routes for external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in the profiles applied to outbound traffic, using FortiGuard's continuously updated botnet domain and IP lists. In FortiOS the two halves live in different profiles: the DNS filter profile's botnet option blocks, or redirects to the block portal, resolution of known C&C domains, while botnet IP blocking for connections that skip DNS or use hard-coded addresses is the "scan outgoing connections to botnet sites" setting of the IPS sensor. The web filter profile contributes FortiGuard category blocking (Malicious Websites, Phishing) for HTTP and HTTPS URLs, with deep inspection required to see full URLs inside TLS. Together these stop an infected internal host from receiving tasking, exfiltrating data or staging further payloads, and each block is logged with the destination and the matched list, which is an infection indicator worth routing to incident response. Two caveats apply: the firewall only sees DNS queries that traverse its policies, so clients must be pointed at the FortiGate or at an internal resolver behind it, and DNS over HTTPS to external resolvers should be blocked with application control; and the definitions must actually be updating, which diagnose autoupdate versions confirms. Legitimate traffic is unaffected because blocking is keyed to threat-intelligence matches rather than to protocol or port.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not detect or block botnet C&C communications. NAT alone cannot prevent malware control traffic.
C) This describes adjusting TTL for outbound traffic. TTL affects packet lifespan but does not detect or block botnet communications. Changing TTL does not mitigate malware threats.
D) This describes configuring static routes for external servers. Routing ensures connectivity but does not prevent communication with botnet C&C servers. Routing alone cannot enforce threat intelligence-based blocking.
Enabling botnet C&C blocking in web filter and DNS filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious command-and-control servers. Therefore, A is correct.
Question 56
A FortiGate administrator wants to prevent internal users from accessing unapproved file-sharing and P2P applications while allowing business-critical applications. Which configuration should be applied?
A) Apply application control profiles with block rules for P2P and file-sharing applications and allow rules for business-critical applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for business-critical applications
Answer: A
Explanation
A) This describes applying an application control sensor whose entries block the peer-to-peer (P2P) and file-sharing application categories while explicitly allowing the business applications the organization relies on. Application control identifies applications by FortiGuard signatures, protocol decoding and behavior rather than by port, which matters because BitTorrent and similar clients hop ports, obfuscate their protocol and fall back to HTTP or tunnelling when blocked. Entries in the sensor are matched top-down and the first match wins, so a pass entry for a sanctioned service that lives in a blocked category (a corporate cloud-storage tenant, for example) must sit above the category block; applications that match no entry fall through to the sensor's default actions for unknown and other applications. SSL deep inspection is needed for HTTPS-based file-sharing and web-storage services, whose signatures match on decrypted content; it does not help with native P2P protocols, which use their own encryption and are caught by the P2P signatures and behavioral detection instead. Blocking these categories prevents unauthorized transfers, bandwidth abuse, malware propagation and copyright exposure, while the allow entries keep productivity tools working. Each entry can log, so application control logs show blocked applications, attempted evasions and policy hits for auditing and incident response. Different sensors can be applied per policy, and therefore per VLAN, user group or device type, and the sensor works alongside antivirus, IPS and DLP on the same policy as part of a layered defense.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or enforce application-specific policies. NAT alone cannot prevent unauthorized file-sharing or P2P usage.
C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not inspect, allow, or block applications. Adjusting TTL cannot enforce application control policies.
D) This describes configuring static routes for business-critical applications. Static routing ensures connectivity but does not enforce application-level restrictions. Routing alone cannot block unapproved applications.
Application control profiles with block rules for P2P and file-sharing applications, combined with allow rules for business-critical applications, are the only configuration that ensures compliance, security, and productivity. Therefore, A is correct.
Question 57
A FortiGate administrator wants to monitor and enforce per-user bandwidth limits to prevent excessive usage by a single user on a shared internet connection. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users
Answer: A
Explanation
A) This describes applying per-IP traffic shaping to the firewall policies that carry user traffic, as in question 53. A per-IP shaper enforces its limits separately for each source IP address that matches: a maximum bandwidth, a maximum number of concurrent sessions and an optional DiffServ marking. Guaranteed bandwidth and priority are defined on shared shapers rather than per-IP shapers, so the usual design pairs a per-IP cap for fairness with a shared shaper that reserves capacity for business-critical applications. Both are attached through traffic shaping policies in FortiOS 7.4, which can be scoped by interface, address, service, user group or application, so shaping can differ per VLAN, user group or device type. The per-IP shaper name appears in traffic logs and its live counters in diagnose firewall shaper per-ip-shaper list, giving visibility into per-user consumption, trends and drops for troubleshooting, auditing and compliance. This configuration is particularly useful on a shared Internet connection with limited WAN capacity or a high user density, where a single heavy user would otherwise degrade everyone else. Enforcing per-user limits keeps resource usage fair, maintains performance for business-critical services and prevents the congestion a single host could cause; the shaper controls how much a user may consume, not what the user may access, which remains the job of the policy and its inspection profiles.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not control bandwidth or monitor usage per user. NAT alone cannot enforce fairness.
C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not implement bandwidth control. Adjusting TTL cannot enforce per-user limits.
D) This describes configuring static routes for internal users. Routing ensures connectivity but does not provide per-user bandwidth restrictions. Static routes alone cannot implement traffic shaping policies.
Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures equitable bandwidth usage and prevents network congestion. Therefore, A is correct.
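A FortiOS CLI example of the configuration that questions 53 and 57 describe, added here as an illustration; it is not from the exam page or from Fortinet documentation. It caps every LAN host at 10 Mbps and 300 concurrent sessions with a per-IP shaper, reserves bandwidth for SIP with a shared shaper (the object that carries guaranteed bandwidth and priority), and attaches both through traffic shaping policies. The object names user-cap-10m, business-guaranteed and LAN-users, the interfaces internal and wan1, and the 192.168.10.0/24 subnet are assumptions, and an accept policy from internal to wan1 is assumed to exist already.

```fortios
# Added example; object names, interfaces and the LAN subnet are assumptions.

config firewall address
    edit "LAN-users"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Per-IP shaper: the limits apply separately to each source IP that matches.
config firewall shaper per-ip-shaper
    edit "user-cap-10m"
        set max-bandwidth 10
        set bandwidth-unit mbps
        set max-concurrent-session 300
    next
end

# Shared shaper: guaranteed bandwidth and priority live here, not in the per-IP shaper.
# Values are kbps; per-policy gives each shaping policy that references it its own pool.
config firewall shaper traffic-shaper
    edit "business-guaranteed"
        set guaranteed-bandwidth 5000
        set maximum-bandwidth 20000
        set priority high
        set per-policy enable
    next
end

# Shaping policies are matched top-down after the firewall policy accepts the session,
# so the SIP reservation must come before the catch-all per-IP cap.
config firewall shaping-policy
    edit 1
        set name "protect-voice"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-users"
        set dstaddr "all"
        set service "SIP"
        set traffic-shaper "business-guaranteed"
        set traffic-shaper-reverse "business-guaranteed"
    next
    edit 2
        set name "per-user-cap"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-users"
        set dstaddr "all"
        set service "ALL"
        set per-ip-shaper "user-cap-10m"
    next
end

# Verification: live per-IP counters and drops, and the shared shaper state.
diagnose firewall shaper per-ip-shaper list
diagnose firewall shaper traffic-shaper list
```

The session cap on the per-IP shaper is worth keeping even when bandwidth is not the concern: P2P clients and scanners open hundreds of sessions, and a per-host session limit contains them without touching well-behaved users.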
Question 58
A FortiGate administrator wants to prevent malware and ransomware from spreading between segmented internal networks (VLANs) while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying firewall policies between the VLAN interfaces with antivirus, intrusion prevention (IPS) and application control profiles. This only works when the FortiGate is the layer-3 gateway for each VLAN, with the VLANs defined as sub-interfaces on the FortiGate or the core switch routing to it; if the switch routes between VLANs itself, inter-VLAN traffic never reaches a policy. Between FortiGate interfaces the default is implicit deny, so a policy must exist for each permitted direction. That lets the administrator allow users-to-servers on the required services while leaving the server-to-user direction denied, which is the direction a worm or ransomware stager needs. On the permitted policy, antivirus scans files crossing the boundary (proxy mode gives the engine complete files, and SMB/CIFS transfers to file servers are the common case), IPS blocks exploit attempts against internal services such as SMB and RDP that drive lateral movement, and application control limits inter-VLAN communication to approved applications so that unexpected channels are closed. Deep SSL inspection can be added where encrypted east-west traffic must be examined, with the usual certificate-deployment caveat. UTM and traffic logs then record detected malware, blocked exploits and denied applications per VLAN pair, supporting compliance, auditing and incident response. The combination contains an infection to its segment without disrupting the business traffic the policy explicitly allows.
B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or prevent malware propagation between VLANs. NAT alone cannot provide inter-VLAN security.
C) This describes increasing TTL for VLAN sessions. TTL affects session duration but does not enforce antivirus, IPS, or application control. Adjusting TTL cannot prevent malware spread.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or block malicious content. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware spread while allowing legitimate traffic. Therefore, A is correct.
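A FortiOS CLI example of the segmentation described above, added here as an illustration; it is not from the exam page or from Fortinet documentation. Two VLANs are terminated on the FortiGate, a single policy allows users to reach a file server over SMB and HTTPS with antivirus, the built-in high_security IPS sensor and application control, and no policy exists in the reverse direction. The VLAN IDs, addresses, interface port2 and object names are assumptions.

```fortios
# Added example; VLAN IDs, subnets, port2 and object names are assumptions.

# Terminate both VLANs on the FortiGate so every inter-VLAN packet hits a policy.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port2"
        set vlanid 10
    next
    edit "vlan20-servers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set role lan
        set interface "port2"
        set vlanid 20
    next
end

config firewall address
    edit "net-vlan10-users"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "srv-fileserver"
        set subnet 10.10.20.10 255.255.255.255
    next
end

# Users may reach the file server on two services only; everything else
# between the VLANs, in both directions, falls to the implicit deny.
config firewall policy
    edit 0
        set name "users-to-fileserver"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "net-vlan10-users"
        set dstaddr "srv-fileserver"
        set action accept
        set schedule "always"
        set service "SMB" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set av-profile "default"
        set ips-sensor "high_security"
        set application-list "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
# Deliberately no policy from vlan20-servers to vlan10-users: a compromised
# server cannot initiate connections back into the user VLAN.
```

NAT is left disabled on the inter-VLAN policy so the user's real address appears in UTM logs and in the server's own logs, which matters when tracing an infected host. Proxy inspection mode is chosen because the antivirus engine then receives whole files rather than a stream, at the cost of throughput.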
Question 59
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying a deep-inspection SSL/SSH profile together with antivirus, web filter and application control profiles to the firewall policies whose source interface is the SSL VPN tunnel interface (ssl.root). The SSL VPN tunnel is terminated on the FortiGate, so the traffic leaving ssl.root is the user's ordinary traffic; the deep-inspection profile applies to the HTTPS sessions carried inside it, which means the FortiGate CA must be trusted on the remote endpoint and pinned or privacy-sensitive destinations must be exempted, exactly as for on-site users. With the payload visible, antivirus scans downloads and attachments, the web filter blocks malicious and phishing sites and unapproved categories, and application control stops unapproved applications even when they tunnel over HTTPS. Whether all of a remote user's web traffic passes through these policies depends on the portal: with split tunnelling disabled every session traverses the VPN, whereas split tunnelling sends Internet traffic directly from the endpoint and leaves it uninspected. UTM logs tie each detection to the VPN user and group, supporting compliance and incident response. Applying inspection on the ssl.root policies ensures remote access does not become a path around the corporate security profiles, protecting both the remote user and the internal resources they reach.
B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect encrypted traffic or enforce security policies. NAT alone cannot detect malware or block unauthorized applications.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce policies. Adjusting TTL cannot secure SSL VPN access.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not provide inspection, malware protection, or policy enforcement. Static routes alone cannot secure SSL VPN traffic.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure and monitored remote access. Therefore, A is correct.
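A FortiOS CLI example covering questions 54 and 59, added here as an illustration; it is not from the exam page or from Fortinet documentation. It builds a deep-inspection profile with exemptions for banking sites and for a set of certificate-pinning application servers, forces a full tunnel on the SSL VPN portal so all remote traffic is inspected, and applies the profile with antivirus, web filter, DNS filter, application control and IPS on the ssl.root-to-WAN policy. The profile and portal names, the address object pinned-app-servers and its FQDN, the interface wan1 and the user group vpn-users are assumptions (the group is assumed to exist); Fortinet_CA_SSL and SSLVPN_TUNNEL_ADDR1 are the factory default objects, and 31 is the FortiGuard web category ID for Finance and Banking.

```fortios
# Added example; profile/portal names, the pinned-app address, wan1 and the
# user group vpn-users are assumptions.

config firewall address
    edit "pinned-app-servers"
        set type fqdn
        set fqdn "updates.example.com"
    next
end

config firewall ssl-ssh-profile
    edit "remote-deep"
        set comment "Deep inspection for remote users; re-signs server certs with the FortiGate CA"
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        set untrusted-caname "Fortinet_CA_Untrusted"
        config https
            set ports 443
            set status deep-inspection
            set expired-server-cert block
            set untrusted-server-cert block
            set cert-validation-failure block
        end
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            edit 2
                set type address
                set address "pinned-app-servers"
            next
        end
    next
end

# Full tunnel: Internet traffic from the endpoint must traverse ssl.root to be inspected.
config vpn ssl web portal
    edit "full-tunnel"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set default-portal "full-tunnel"
end

# The tunnel is already terminated; this policy inspects what flows inside it.
config firewall policy
    edit 0
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "remote-deep"
        set av-profile "default"
        set webfilter-profile "default"
        set dnsfilter-profile "default"
        set application-list "default"
        set ips-sensor "default"
        set logtraffic all
    next
end

# Verification: active tunnels and the user/group each one belongs to.
diagnose vpn ssl list
```

Export the Fortinet_CA_SSL certificate (or replace it with a sub-CA issued by the enterprise PKI) and deploy it to remote endpoints before enabling the policy; without that step every HTTPS site presents a certificate warning, and users learn to click through warnings, which is worse than no inspection.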
Question 60
A FortiGate administrator wants to block botnet command-and-control (C&C) traffic from internal hosts to external malicious servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking through the FortiGuard botnet lists, which identify the domains and IP addresses that botnet operators use to control compromised hosts. As noted for question 55, the pieces sit in different profiles: the DNS filter profile evaluates queries and blocks or redirects resolution of known C&C domains and of the Malicious Websites and Phishing categories, the IPS sensor's botnet setting blocks outbound connections to known C&C IP addresses regardless of DNS, and the web filter profile blocks the same FortiGuard categories in HTTP and HTTPS traffic, with deep inspection where full URLs must be examined. Blocking these communications prevents infected hosts from receiving commands, exfiltrating data or joining coordinated attacks. Each block is logged with the internal source, which turns the firewall into an infection detector: a host repeatedly hitting the botnet list is a host to isolate and investigate. FortiGuard updates keep the lists current against new infrastructure, and the update status should be verified rather than assumed. DNS-based blocking only covers queries that pass through the FortiGate, so clients must use the FortiGate or an internal resolver behind it and encrypted DNS to external resolvers should be blocked. Combined, DNS, IP and URL blocking protect internal hosts and prevent data exfiltration without affecting legitimate traffic.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not detect or block botnet C&C communications. NAT alone cannot prevent malicious activity.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not provide detection or blocking of botnet traffic. Adjusting TTL cannot mitigate malware threats.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not detect or block botnet communications. Static routes alone cannot prevent malicious command-and-control traffic.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious command-and-control servers. Therefore, A is correct.
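A FortiOS CLI example covering questions 55 and 60, added here as an illustration; it is not from the exam page or from Fortinet documentation. It enables botnet domain blocking in a DNS filter profile, botnet IP blocking in an IPS sensor, category blocking in a web filter profile, and applies all three to the outbound policy. Profile and policy names and the interfaces internal and wan1 are assumptions; 26 and 61 are the FortiGuard web category IDs for Malicious Websites and Phishing.

```fortios
# Added example; profile/policy names and interfaces are assumptions.

# Domain side: known C&C domains and malicious/phishing categories at resolution time.
config dnsfilter profile
    edit "dns-botnet"
        set comment "Block botnet C&C domains and malicious categories"
        set block-botnet enable
        set block-action redirect
        set log-all-domains enable
        config ftgd-dns
            config filters
                edit 1
                    set category 26
                    set action block
                    set log enable
                next
                edit 2
                    set category 61
                    set action block
                    set log enable
                next
            end
        end
    next
end

# IP side: the botnet IP list is applied by the IPS sensor, so malware that
# carries a hard-coded C&C address or uses its own resolver is still caught.
config ips sensor
    edit "botnet-ips"
        set scan-botnet-connections block
        config entries
            edit 1
                set severity critical high
                set status enable
                set action block
                set log enable
            next
        end
    next
end

# URL side: the same FortiGuard categories for HTTP/HTTPS requests.
config webfilter profile
    edit "web-botnet"
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
                edit 2
                    set category 61
                    set action block
                next
            end
        end
    next
end

config firewall policy
    edit 0
        set name "botnet-lan-to-wan"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set dnsfilter-profile "dns-botnet"
        set webfilter-profile "web-botnet"
        set ips-sensor "botnet-ips"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end

# Verification: confirm the FortiGuard definitions, including the botnet lists,
# are present and recently updated before trusting the blocks.
diagnose autoupdate versions
```

The DNS filter only inspects queries that cross this policy, so pair it with the resolver design from question 41: point clients at the FortiGate or at an internal resolver behind it, and use application control to block DNS over HTTPS to public resolvers, otherwise an infected host simply resolves its C&C domain elsewhere.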