Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions, Set 6 (Q101-120)


Question 101

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection together with antivirus, web filter, and application control profiles to the SSL VPN firewall policies. SSL VPN gives remote users an encrypted tunnel to internal resources, but the tunnel itself is not a security control: once traffic leaves the tunnel interface (ssl.root) it is ordinary user traffic, and if it is not inspected it can carry malware, phishing content, or unauthorized applications into the internal network. Security profiles are applied on the firewall policy whose source interface is the SSL VPN tunnel interface. Because most of that traffic is itself HTTPS, the policy also needs an SSL/SSH inspection profile in deep-inspection mode; without decryption, antivirus and web filter see only the TLS handshake and the SNI, and application control can only identify what is visible in the handshake. With deep inspection, antivirus scans transferred files for malware, ransomware, and trojans; web filtering blocks malicious, phishing, and policy-violating categories; and application control limits the tunnel to approved applications. Deep inspection requires the CA certificate the FortiGate uses for re-signing (Fortinet_CA_SSL by default, or a private CA) to be trusted by the remote endpoints, and the profile's exemption list handles sites that must not be decrypted, such as certificate-pinned applications or banking sites. Logs of blocked traffic, detected threats, and enforcement actions support auditing, compliance, and incident response. Applying these profiles to the SSL VPN policies holds encrypted remote-access traffic to the same corporate security policy as on-site traffic.

B) This describes enabling NAT on SSL VPN interfaces. NAT changes IP addresses but does not inspect traffic, detect malware, or enforce security policies. NAT alone cannot ensure secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or block malware or unauthorized applications. Adjusting TTL alone cannot enforce security.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
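The FortiOS 7.4 CLI form of option A, as an added example (not from the exam page or from Fortinet documentation). Interface names (port1 as WAN, port2 as LAN), the address object "LAN_subnet", the user group "SSLVPN-Users" and the policy ID are assumptions; "ssl.root", "SSLVPN_TUNNEL_ADDR1", "deep-inspection" and the "default" profiles are FortiOS built-in objects.

```fortios
# Added example. Assumes port1 = WAN, port2 = LAN, address object "LAN_subnet",
# user group "SSLVPN-Users". Built-in objects: ssl.root, SSLVPN_TUNNEL_ADDR1,
# deep-inspection, and the "default" AV / web filter / application lists.

config vpn ssl settings
    set servercert "Fortinet_Factory"            # replace with a publicly trusted certificate
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set source-address "all"
    set default-portal "web-access"              # users matching no rule get no tunnel
    config authentication-rule
        edit 1
            set groups "SSLVPN-Users"
            set portal "full-access"
        next
    end
end

config firewall policy
    edit 10
        set name "SSLVPN-to-LAN-inspected"
        set srcintf "ssl.root"                   # traffic leaving the tunnel enters the policy here
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_subnet"
        set groups "SSLVPN-Users"                # identity-based: only tunnel users in the group match
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable                    # must be on before any security profile is accepted
        set ssl-ssh-profile "deep-inspection"    # decrypt TLS so the three profiles below see content
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all                       # log allowed sessions too, not only UTM events
        set nat disable
    next
end

# Checks after applying:
#   get vpn ssl monitor                          -> connected users and their tunnel IPs
#   diagnose debug flow filter addr <tunnel-ip>  -> then "diagnose debug flow trace start 10"
#                                                   to confirm the client's sessions hit policy 10
```

Before enforcing, export the CA used by the deep-inspection profile (Fortinet_CA_SSL unless you replaced it) and push it to the remote endpoints through FortiClient EMS, GPO or MDM; without it every HTTPS site behind the tunnel produces certificate warnings and users will look for ways around the VPN.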

Question 102

A FortiGate administrator wants to block access to malicious websites in real-time while allowing access to business-critical websites. Which configuration should be applied?

A) Apply web filter profiles with FortiGuard categories and allow lists for business-critical websites
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes for business-critical websites

Answer: A

Explanation

A) This describes applying a web filter profile that uses FortiGuard categories, together with a static URL filter allow list for business-critical websites. FortiGuard continuously updates its category ratings to flag malicious websites, phishing domains, and other high-risk content, and a category action of block stops access to them in real time as ratings change, with no local list to maintain. The FortiGate evaluates the static URL filter before the FortiGuard category rating, so an allow entry for a business-critical site overrides a category block if the site is miscategorized, keeping essential services reachable. Use the allow action for these entries rather than exempt: allow only bypasses the remaining web filter checks, whereas exempt also skips antivirus and other proxy-based scanning for that site. SSL deep inspection lets the filter rate and block full HTTPS URLs; with certificate inspection only the SNI or certificate hostname can be rated. Logs of blocked and allowed requests support auditing, compliance, and incident response, and different profiles can be applied on policies for different VLANs, departments, or user groups. Combining FortiGuard categories with a small allow list gives real-time protection against web-borne threats while keeping operations running and satisfying compliance requirements.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect or block malicious content. NAT alone cannot prevent web-based threats.

C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not provide content inspection or policy enforcement. Adjusting TTL cannot block malicious websites.

D) This describes configuring static routes for business-critical websites. Routing ensures connectivity but does not inspect content or enforce security policies. Static routes alone cannot prevent access to malicious sites.

Web filter profiles with FortiGuard categories and allow lists for business-critical websites are the only configuration that ensures secure, real-time protection while maintaining access to essential services. Therefore, A is correct.
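An added example (not from the exam page or Fortinet documentation) showing a static URL filter allow list layered under FortiGuard category blocking on FortiOS 7.4. The hostnames, interface names (port1 WAN, port2 LAN), the address object "LAN_subnet" and the policy ID are assumptions; the category IDs 26 (Malicious Websites) and 61 (Phishing) are quoted from memory and should be confirmed with "set category ?" inside the filters block.

```fortios
# Added example. Hostnames, port1/port2, "LAN_subnet" and policy 11 are placeholders.
# Category IDs are from memory: run "set category ?" under "config filters" to confirm.

config webfilter urlfilter
    edit 1
        set name "business-critical-allow"
        config entries
            edit 1
                set url "crm.example.com"
                set type simple
                set action allow        # "allow" still runs AV; "exempt" would skip all further scanning
                set status enable
            next
            edit 2
                set url "*.erp-vendor.example"
                set type wildcard
                set action allow
                set status enable
            next
        end
    next
end

config webfilter profile
    edit "corp-web"
        config web
            set urlfilter-table 1       # static URL filter runs before the FortiGuard category lookup
        end
        config ftgd-wf
            config filters
                edit 1
                    set category 26     # Malicious Websites
                    set action block
                    set log enable
                next
                edit 2
                    set category 61     # Phishing
                    set action block
                    set log enable
                next
            end
        end
        set log-all-url enable          # also log allowed URLs while tuning; disable later if too noisy
    next
end

config firewall policy
    edit 11
        set name "LAN-to-Internet-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"   # needed to rate full HTTPS URLs, not just the SNI
        set webfilter-profile "corp-web"
        set av-profile "default"
        set nat enable
        set logtraffic all
    next
end

# "diagnose debug rating" lists the FortiGuard rating servers the unit is using;
# if none are reachable the category filters cannot rate anything.
```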

Question 103

A FortiGate administrator wants to prevent internal hosts from bypassing security policies by using unauthorized VPN clients or anonymizers. Which configuration should be applied?

A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers

Answer: A

Explanation

A) This describes applying an application control profile with rules that block VPN tunneling and anonymizer applications. Internal users may try to route around firewall rules, web filtering, antivirus, or DLP by running an unauthorized VPN client or an anonymizing proxy such as Tor. Application control identifies traffic by FortiGuard application signatures, including protocol behavior and tunneling patterns; in the FortiGuard application database these applications sit mainly in the Proxy category, so blocking that category, plus any specific VPN applications the organization does not sanction, forces all traffic through the corporate controls. Two settings matter in practice: SSL deep inspection, so that a tunnel wrapped in HTTPS can be identified rather than passing as generic TLS, and enforcing default application ports, so that an application moved to a non-standard port is still treated as a violation. Traffic that still cannot be identified is reported as an unknown application; logging it, and blocking it once the baseline of legitimate unknown traffic is understood, closes the remaining gap. Logs of blocked connections and attempted policy bypasses support auditing, compliance, and incident response, and the profile can be applied per VLAN, department, or user group without affecting legitimate business applications. Blocking these applications keeps all traffic subject to the corporate security policy, limits data exfiltration paths, and reduces exposure to malware.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic for unauthorized VPN clients or anonymizers. NAT alone cannot enforce security policies.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not inspect or block applications. Adjusting TTL cannot prevent policy bypass attempts.

D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity but does not prevent unauthorized VPN clients or anonymizers. Static routes alone cannot enforce security policies.

Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that prevents internal users from bypassing corporate security policies. Therefore, A is correct.

Question 104

A FortiGate administrator wants to block malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation separates critical systems from general user networks, but segmentation only limits propagation if the path between segments is a firewall policy that inspects the traffic and permits only the services the business needs; a policy that allows ALL between VLANs is connectivity, not control. Antivirus examines files, attachments, and executables crossing the boundary to block malware and ransomware. IPS matches traffic against exploit and attack signatures and blocks known exploitation attempts against the systems in the destination VLAN. Application control limits which applications may communicate between segments, blocking unauthorized applications that could carry malware. Because the FortiGate's implicit deny blocks anything without a matching policy, defining only the needed direction (for example users to servers) and leaving the reverse direction to stateful return traffic already removes most lateral-movement paths. Encrypted traffic between segments can also be inspected; for connections to internal servers the inspection profile can use the server's own certificate (the protecting SSL server mode) instead of re-signing, which avoids certificate errors on clients. Logs and reports of blocked threats and inter-VLAN traffic patterns support auditing, compliance, and incident response. Layering antivirus, IPS, and application control on the inter-VLAN policies gives multi-layered defense without interrupting legitimate operations, and applies the principle of inspecting and authorizing every flow, not only those crossing the perimeter.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or block malware. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 105

A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources and affecting overall network performance. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shapers to the firewall policies that carry the users' traffic. A per-IP shaper sets a maximum bandwidth and, optionally, a maximum number of concurrent sessions that each individual source IP address may consume, so no single host can monopolize a link. It is applied either directly on a firewall policy or, more commonly on current FortiOS, through a traffic shaping policy that matches the same traffic; either way every session of every matched host is counted against that host's own limit. Guaranteed bandwidth and priority are properties of shared traffic shapers, not of per-IP shapers, so an administrator who also wants to protect critical applications pairs a shared shaper for them with the per-IP cap on everything else. Shaping policies are evaluated top down and the first match applies, so the shaper for critical traffic must be listed before the general per-IP cap. Logs and the shaper counters show per-host consumption and dropped traffic, which supports capacity planning and troubleshooting. This configuration gives every user a fair share of the link, prevents congestion caused by one heavy consumer, and keeps performance predictable.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce per-user bandwidth limits. NAT alone cannot prevent excessive network usage.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not enforce bandwidth limits. Adjusting TTL cannot manage per-user resource consumption.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth policies. Static routes alone cannot manage network resource allocation.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents network degradation caused by individual users. Therefore, A is correct.

Question 106

A FortiGate administrator wants to enforce controlled access to social media websites during work hours while allowing access after hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking on a firewall policy that uses a schedule. FortiGuard category filtering groups websites into categories such as Social Networking, so blocking one category covers every site in it with no URL list to maintain. The schedule, however, is a property of the firewall policy, not of the web filter profile: the administrator creates a recurring schedule for work hours, attaches it to a policy that applies a profile blocking the Social Networking category, and places a second policy below it with an always schedule and a profile that permits the category. During work hours the first policy matches; outside them it does not, and traffic falls through to the permissive one. Policy order matters because the first matching policy wins, so the scheduled policy must sit above the always policy. SSL deep inspection keeps HTTPS sessions from escaping the filter. Logs of blocked and allowed requests support auditing, compliance, and productivity reporting, and separate policies can target particular VLANs, departments, or user groups. This configuration enforces the organization's social media policy during working hours while leaving access open after hours.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect or block web traffic. NAT alone cannot enforce category-based web filtering or schedule-based policies.

C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not control or block website access. Adjusting TTL cannot enforce time-based web access policies.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not inspect traffic or enforce category-based or schedule-based blocking. Static routes alone cannot prevent access during restricted hours.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled access to social media based on work hours. Therefore, A is correct.
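An added example (not from the exam page or Fortinet documentation) of the two-policy pattern: a scheduled policy that blocks the Social Networking category during work hours, above an always policy that does not. port1/port2, "LAN_subnet", the schedule hours and policy IDs are assumptions; category ID 37 for Social Networking is quoted from memory and should be confirmed with "set category ?".

```fortios
# Added example. port1 = WAN, port2 = LAN, "LAN_subnet" and policy IDs are placeholders.
# Category 37 (Social Networking) is from memory; confirm with "set category ?".

config firewall schedule recurring
    edit "work-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

config webfilter profile
    edit "work-hours-web"
        config ftgd-wf
            config filters
                edit 1
                    set category 37     # Social Networking
                    set action block
                    set log enable
                next
            end
        end
    next
end

config firewall policy
    edit 30
        set name "LAN-out-work-hours"            # schedule lives on the policy, not the profile
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "work-hours"                # matches only Mon-Fri 08:00-18:00
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "work-hours-web"
        set nat enable
        set logtraffic all
    next
    edit 31
        set name "LAN-out-after-hours"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"                    # catches everything outside work hours
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"          # still blocks malicious categories, allows social media
        set nat enable
        set logtraffic all
    next
    move 30 before 31                            # first match wins; the scheduled policy must be on top
end
```

If policy 31 were listed first it would match at all hours and the schedule would never take effect; "show firewall policy" prints policies in evaluation order, so verify the order there rather than by ID.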

Question 107

A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, reducing the risk of malware or ransomware propagation. Inter-VLAN firewall policies inspect all traffic moving between segments. Antivirus scanning inspects files, attachments, and executables to block malware or ransomware. IPS monitors network traffic for known attack signatures, exploits, and anomalies, preventing attacks from propagating between VLANs. Application control ensures only authorized applications can communicate, blocking unauthorized applications that could carry malware or ransomware. SSL deep inspection allows encrypted traffic to be inspected. Logs provide detailed visibility into blocked threats, policy enforcement, and inter-VLAN traffic patterns, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement. Layering antivirus, IPS, and application control creates a multi-layered defense without disrupting legitimate business operations. This configuration aligns with zero-trust principles by enforcing inspection and access control across internal network segments, preventing malware propagation while allowing operational traffic.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats from spreading between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 108

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking with DNS filter and web filter profiles. FortiGuard publishes a botnet domain list and a botnet C&C IP list and updates both continuously. The DNS filter profile's botnet option stops an internal host from resolving a known C&C domain, which breaks most malware before a connection is ever attempted, and its Malicious Websites and Phishing categories cover related infrastructure. The web filter profile blocks HTTP and HTTPS requests to malicious URLs, with SSL deep inspection where full-URL rating is required. One practical detail: in FortiOS 7.x the botnet C&C IP list is enforced by the IPS sensor's botnet-connection scan setting (earlier releases set it on the interface), so a complete deployment pairs the DNS and web filter profiles with an IPS sensor that blocks botnet connections; this catches malware that hard-codes its controller's IP address and never issues a DNS query. The DNS filter also only sees queries that pass through the FortiGate, so hosts must use resolvers beyond the firewall, and DNS-over-HTTPS or DNS-over-TLS clients must be blocked or redirected. Blocking C&C traffic prevents infected hosts from receiving commands, exfiltrating data, or joining coordinated attacks, and every block is logged as an indicator of a probable internal infection for incident response. This configuration stops malware from reaching its controllers and limits what an infected host can do until it is remediated.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. The IP TTL only limits how many hops a packet may traverse, and the FortiGate session TTL only controls how long an idle session stays in the session table; neither inspects or blocks botnet communications. Adjusting TTL cannot prevent malware propagation or command-and-control activity.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent C&C traffic.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively blocks internal hosts from communicating with malicious servers. Therefore, A is correct.
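An added example (not from the exam page or Fortinet documentation) of botnet C&C blocking on FortiOS 7.4; it also serves Question 114, which asks the same thing. It shows the DNS filter botnet option, the matching IPS sensor setting that enforces the botnet IP list in 7.x, and the policy that binds them. port1/port2, "LAN_subnet", profile names and the policy ID are assumptions; category IDs 26 and 61 are from memory (confirm with "set category ?").

```fortios
# Added example. port1 = WAN, port2 = LAN, "LAN_subnet" and policy 40 are placeholders.
# Category IDs 26 (Malicious Websites) and 61 (Phishing) are from memory.

config dnsfilter profile
    edit "corp-dns"
        set block-botnet enable              # drop queries for domains in the FortiGuard botnet list
        set log-all-domain enable            # useful while baselining; reduce once tuned
        config ftgd-dns
            config filters
                edit 1
                    set category 26          # Malicious Websites
                    set action block
                    set log enable
                next
                edit 2
                    set category 61          # Phishing
                    set action block
                    set log enable
                next
            end
        end
    next
end

config ips sensor
    edit "corp-ips"
        set scan-botnet-connections block    # FortiGuard botnet C&C *IP* list; on the IPS sensor since 7.0
        config entries
            edit 1
                set severity medium high critical
                set status default
                set action default
                set log enable
            next
        end
    next
end

config firewall policy
    edit 40
        set name "LAN-to-Internet-botnet-guard"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"                    # must include DNS (53) or the DNS filter never sees queries
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"   # enough for domain/SNI rating; deep-inspection for full URLs
        set dnsfilter-profile "corp-dns"
        set ips-sensor "corp-ips"
        set webfilter-profile "default"
        set nat enable
        set logtraffic all
    next
end

# "diagnose autoupdate versions" lists the installed botnet IP and domain database versions;
# a stale date there means the blocks are being applied against an old list.
```

The DNS filter only helps if clients actually send their queries through this policy: point internal resolvers at upstream servers beyond the FortiGate, and block DNS-over-HTTPS and DNS-over-TLS clients with application control so malware cannot resolve its controller out of band.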

Question 109

A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shapers to the firewall policies that carry the users' traffic. A per-IP shaper caps the bandwidth, and optionally the number of concurrent sessions, of each individual source IP address, so no single host can monopolize the link. It is attached to a firewall policy directly or through a traffic shaping policy matching the same traffic, and every session of every matched host counts against that host's own limit. Guaranteed bandwidth and priority belong to shared traffic shapers, not per-IP shapers; critical applications are protected with a shared shaper listed before the per-IP cap, since shaping policies are evaluated top down and the first match applies. Shaper counters and logs show per-host consumption and dropped traffic for capacity planning and troubleshooting. This configuration gives every user a fair share of the link, prevents congestion caused by one heavy consumer, and keeps network performance predictable.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce bandwidth limits or per-user controls. NAT alone cannot prevent excessive network usage.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not control bandwidth. Adjusting TTL cannot manage per-user resource consumption.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth policies. Static routes alone cannot manage network resource allocation.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents performance issues caused by individual users. Therefore, A is correct.

Question 110

A FortiGate administrator wants to block access to unauthorized cloud storage services while allowing uploads to approved corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) together with allowed and blocked lists of cloud applications. Two different controls are combined. Which cloud services may be used at all is an application-level decision: application control (the Storage.Backup category holds consumer file-sharing services) or a firewall policy that matches the approved provider's Internet Service entries blocks the unauthorized services while the corporate platform stays reachable. What may be uploaded to the approved platform is then the DLP profile's job: its rules match file content and messages against dictionaries and sensors using keywords, regular expressions, predefined data types such as credit card numbers, file type, and file fingerprints, and block or log transfers that contain sensitive data. SSL deep inspection is mandatory for both, since cloud uploads are HTTPS; some SaaS clients pin certificates, so test the approved platform under deep inspection before enforcing. Logs of blocked uploads, allowed transfers, and enforcement actions support auditing, compliance, and regulatory reporting, and the profiles can be applied per VLAN, department, or user group. This configuration prevents sensitive data from leaving through unsanctioned services while keeping the business's own cloud platform usable.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect content or enforce DLP rules. NAT alone cannot prevent unauthorized cloud uploads.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not inspect content or enforce DLP policies. Adjusting TTL cannot prevent data exfiltration.

D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect traffic or enforce DLP policies. Static routes alone cannot prevent unauthorized uploads.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing access to authorized cloud services. Therefore, A is correct.
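An added example (not from the exam page or Fortinet documentation) of the split described above: an approved SaaS provider is matched by the Internet Service Database and scanned by a DLP profile, while every other destination gets an application list that blocks the Storage.Backup category. port1/port2, "LAN_subnet", the keyword, object names and policy IDs are assumptions; the DLP dictionary/sensor/profile layout follows the FortiOS 7.2+ DLP model and the field names should be confirmed with "?" on your build; category ID 22 for Storage.Backup is from memory.

```fortios
# Added example. port1 = WAN, port2 = LAN, "LAN_subnet", policy IDs and names are placeholders.
# DLP object layout is the 7.2+ model (dictionary -> sensor -> profile); verify fields with "?".
# App control category 22 (Storage.Backup) is from memory; confirm with "set category ?".

config dlp dictionary
    edit "confidential-markers"
        config entries
            edit 1
                set type "keyword"
                set pattern "INTERNAL USE ONLY"   # classification banner the organization stamps on documents
                set status enable
            next
            edit 2
                set type "credit-card"            # predefined data type with Luhn validation
                set status enable
            next
        end
    next
end

config dlp sensor
    edit "confidential-sensor"
        set match-type match-any                  # any one dictionary hit is enough
        config entries
            edit 1
                set dictionary "confidential-markers"
                set count 1
                set status enable
            next
        end
    next
end

config dlp profile
    edit "no-confidential-uploads"
        config rule
            edit 1
                set name "block-marked-uploads"
                set type file
                set proto http-post                # uploads only; downloads are not this rule's concern
                set filter-by sensor
                set sensor "confidential-sensor"
                set action block
                set severity high
            next
        end
    next
end

config application list
    edit "no-cloud-storage"
        set enforce-default-app-port enable
        set other-application-action pass
        set unknown-application-action pass
        config entries
            edit 1
                set category 22                   # Storage.Backup: Dropbox, WeTransfer and similar
                set action block
                set log enable
            next
        end
    next
end

config firewall policy
    edit 50                                       # approved provider first: ISDB match, DLP on uploads
        set name "approved-cloud-with-dlp"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set internet-service enable
        set internet-service-name "Microsoft-Office365"   # replaces dstaddr and service
        set action accept
        set schedule "always"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dlp-profile "no-confidential-uploads"
        set nat enable
        set logtraffic all
    next
    edit 51                                       # everything else: no cloud storage at all
        set name "internet-no-cloud-storage"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "no-cloud-storage"
        set nat enable
        set logtraffic all
    next
end
```

Policy 50 must stay above policy 51; if the order is reversed, the approved provider's uploads are evaluated by the blocking application list before the DLP profile ever sees them.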

Question 111

A FortiGate administrator wants to prevent internal users from bypassing security controls by using unauthorized VPN clients or anonymizers. Which configuration should be applied?

A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers

Answer: A

Explanation

A) This describes applying application control profiles with rules blocking VPN tunneling and anonymizer applications. Internal users may attempt to bypass corporate security policies, firewall rules, web filtering, antivirus scanning, or DLP protections by using unauthorized VPN clients or anonymizers. Application control inspects traffic for application signatures, tunneling protocols, and behavioral patterns. By blocking VPN tunneling and anonymizer applications, administrators prevent users from circumventing security policies. SSL deep inspection enables the firewall to inspect encrypted sessions, ensuring that encrypted traffic does not bypass controls. Logs and reports provide detailed visibility into blocked attempts, enforcement actions, and user behavior, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement without affecting legitimate business applications. This approach maintains network integrity, prevents data exfiltration, reduces malware risk, and enforces zero-trust principles. Blocking unauthorized VPN and anonymizer applications ensures all network traffic is subject to corporate security policies while enabling legitimate business operations.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block VPN clients or anonymizers. NAT alone cannot enforce security policies or prevent bypass attempts.

C) This describes increasing TTL for outbound sessions. The IP TTL only limits how many hops a packet may traverse, and the FortiGate session TTL only controls how long an idle session stays in the session table; neither identifies applications or prevents policy circumvention. Adjusting TTL cannot enforce security controls.

D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity but does not prevent unauthorized VPN clients or anonymizers from being used. Static routes alone cannot enforce security policies.

Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that ensures internal users cannot bypass corporate security controls. Therefore, A is correct.
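An added example (not from the exam page or Fortinet documentation) serving Question 103 and Question 111, which ask the same thing: an application list that blocks the Proxy category, with the two settings that make it hard to evade, bound to a policy with deep inspection. port1/port2, "LAN_subnet", names and the policy ID are assumptions; category ID 6 for Proxy is quoted from memory and should be confirmed with "set category ?".

```fortios
# Added example. port1 = WAN, port2 = LAN, "LAN_subnet" and policy 12 are placeholders.
# Category 6 (Proxy: Tor, Psiphon, Ultrasurf, hotspot and tunnelling apps) is from memory.

config application list
    edit "no-tunnels"
        set comment "Block anonymizers and unsanctioned VPN clients"
        set enforce-default-app-port enable   # an app seen on a non-default port is a violation
        set deep-app-inspection enable        # inspect inside the application, not only the handshake
        set other-application-action pass
        set other-application-log enable
        set unknown-application-action pass   # log first; switch to "block" once the baseline is clean
        set unknown-application-log enable
        config entries
            edit 1
                set category 6                # Proxy
                set action block
                set log enable
            next
        end
    next
end

config firewall policy
    edit 12
        set name "LAN-to-Internet-no-tunnels"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection" # a VPN hidden inside TLS on 443 is otherwise just "SSL"
        set application-list "no-tunnels"
        set nat enable
        set logtraffic all
    next
end
```

Review the unknown-application log for a week before changing the unknown action to block: in most networks that log is dominated by legitimate but unsigned internal tools, and blocking it blindly generates more help-desk load than the tunnels it stops.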

Question 112

A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shapers to the firewall policies that carry the users' traffic. A per-IP shaper limits the bandwidth, and optionally the concurrent sessions, of each individual source IP address, so one host cannot monopolize the link; it is bound to a firewall policy directly or through a traffic shaping policy, and every matched host's sessions count against that host's own limit. Guaranteed bandwidth and priority are shared-shaper settings rather than per-IP ones, so critical applications are given a shared shaper that is listed above the general per-IP cap, because shaping policies are matched top down. Shaper counters and logs expose per-host consumption and dropped traffic for capacity planning and troubleshooting. This configuration gives every user a fair share of the link, prevents congestion caused by a single heavy consumer, and keeps performance predictable.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not enforce bandwidth limits or per-user controls. NAT alone cannot prevent excessive network usage.

C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not manage bandwidth. Adjusting TTL cannot enforce per-user network consumption limits.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth limits. Static routes alone cannot manage network resource allocation.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents network performance issues caused by individual users. Therefore, A is correct.
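An added example (not from the exam page or Fortinet documentation) serving Questions 105, 109 and 112, which ask the same thing. It pairs a per-IP cap with a shared shaper for VoIP, showing which attributes belong to which shaper type, and orders the shaping policies so the VoIP policy matches first. port1/port2, "LAN_subnet", the bandwidth values and object names are assumptions; "SIP" is a built-in service object.

```fortios
# Added example. port1 = WAN, port2 = LAN, "LAN_subnet", names and bandwidth values are placeholders.

config firewall shaper per-ip-shaper
    edit "per-host-10M"
        set max-bandwidth 10000          # per source IP, applied in both directions
        set bandwidth-unit kbps
        set max-concurrent-session 500   # also caps sessions per host, which blunts scanners and bots
    next
end

config firewall shaper traffic-shaper
    edit "voip-guaranteed"
        set guaranteed-bandwidth 2000    # guaranteed/priority exist only on shared shapers
        set maximum-bandwidth 5000
        set priority high
        set per-policy enable            # one bucket per policy instead of one shared by all policies
    next
end

config firewall shaping-policy
    edit 1                               # evaluated first: VoIP gets its guarantee before the cap applies
        set name "voip-priority"
        set status enable
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set service "SIP"
        set traffic-shaper "voip-guaranteed"
        set traffic-shaper-reverse "voip-guaranteed"
    next
    edit 2                               # everything else from the LAN: 10 Mbps per host
        set name "cap-each-lan-host"
        set status enable
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "LAN_subnet"
        set dstaddr "all"
        set service "ALL"
        set per-ip-shaper "per-host-10M"
    next
end

# Live counters:
#   diagnose firewall shaper per-ip-shaper list    -> per-host bytes and drops
#   diagnose firewall shaper traffic-shaper list   -> shared shaper utilisation and drops
```

Shaping is enforced on the egress interface, so a per-IP shaper on the LAN-to-WAN direction limits uploads per host; the reverse (download) direction is covered because the per-IP shaper counts both directions of the matched sessions, whereas a shared shaper needs traffic-shaper-reverse set explicitly.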

Question 113

A FortiGate administrator wants to block malware and ransomware from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, reducing the risk of malware or ransomware propagation. Inter-VLAN firewall policies inspect all traffic moving between segments. Antivirus scanning examines files, attachments, and executables to detect and block malware and ransomware. IPS monitors traffic for known attack signatures, exploits, and anomalous behaviors, preventing attacks from propagating between VLANs. Application control ensures that only authorized applications can communicate, blocking unauthorized applications that could carry malware or ransomware. SSL deep inspection allows encrypted traffic to be evaluated. Logs and reports provide visibility into blocked threats, policy enforcement, and inter-VLAN traffic patterns, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control provides multi-layered defense without disrupting legitimate business operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration aligns with zero-trust principles by enforcing inspection and access control across internal network segments, preventing malware propagation while allowing operational traffic.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent malware from spreading between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 114

A FortiGate administrator wants to prevent internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to detect domains, IP addresses, and URLs associated with botnet infrastructure. The DNS filter profile ("Redirect botnet C&C requests to Block Portal") stops internal hosts from resolving domains on the FortiGuard botnet list, so the malware never learns the address of its controller. Web filtering inspects HTTP and HTTPS traffic, using SSL deep inspection when necessary, to block URLs in malicious categories. One detail worth knowing for FortiOS 7.4: the matching block on botnet IP addresses ("Scan Outgoing Connections to Botnet Sites") is configured in the IPS sensor rather than in the web filter profile, so in practice the DNS filter, web filter, and IPS sensor are attached to the same outbound policy. Blocking these communications prevents malware-infected hosts from receiving commands, exfiltrating sensitive data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential internal infections, supporting auditing, compliance, and incident response; a botnet block event from an internal source address is itself evidence that the host is infected and needs follow-up. Continuous FortiGuard updates keep the lists current against evolving botnet threats. By combining DNS and web filter C&C protections, administrators maintain network security without affecting legitimate traffic. This configuration enforces zero-trust principles, mitigates the risk of internal hosts being compromised, and reduces malware propagation while maintaining operational continuity.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect or block botnet communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. The IP TTL only limits how many hops a packet may traverse, and a FortiGate session TTL is only an idle timeout; neither inspects traffic or blocks communications. Adjusting TTL cannot prevent malware or command-and-control activity.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communication. Static routes alone cannot prevent C&C activity.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 115

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows remote users to access internal resources over encrypted channels. The FortiGate terminates the tunnel itself, so traffic arriving on the ssl.root interface is already decrypted, and the firewall policy from ssl.root to the internal (or WAN) interface is where the antivirus, web filter, and application control profiles are applied. What still needs an SSL/SSH inspection profile in deep-inspection mode is the HTTPS and other TLS traffic carried inside the tunnel: decrypting the tunnel does not expose the contents of an HTTPS session, and without deep inspection that traffic bypasses the profiles, allowing malware, phishing attempts, or unauthorized applications to reach internal networks. With deep inspection, antivirus scanning can detect malware, ransomware, and trojans in downloaded files, web filtering blocks access to malicious websites, phishing domains, and inappropriate content categories, and application control ensures that only approved applications are permitted over SSL VPN connections. Deep inspection re-signs server certificates with the FortiGate's CA (Fortinet_CA_SSL by default), so that CA must be pushed to the remote clients' trust stores or every site will raise certificate warnings. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can minimize user disruption while maintaining security. Applying SSL deep inspection ensures that encrypted traffic does not bypass security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration protects internal resources while enabling secure, monitored access for remote employees.

B) This describes enabling NAT on SSL VPN interfaces. NAT changes IP addresses but does not inspect traffic, detect malware, or enforce security policies. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or block malware or unauthorized applications. Adjusting TTL alone cannot enforce security policies.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 116

A FortiGate administrator wants to prevent sensitive documents from being uploaded to unauthorized cloud storage services while allowing access to approved corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. In FortiOS 7.4 a DLP profile is built in layers: dictionaries hold the patterns (keywords, regular expressions, or predefined data types such as credit card numbers), sensors say how many dictionary matches trigger, and each profile rule names the protocols to inspect (for example HTTP POST uploads) and the action on a match: allow, log only, block, or quarantine the source IP. DLP profiles detect sensitive data such as financial reports, intellectual property, confidential documents, and personally identifiable information (PII) in transit. The allowed and blocked cloud services come from the policy design around the profile: a policy permitting uploads to the approved corporate platform (matched by FQDN address, Internet Service Database entry, or application control signature) sits above a general Internet policy whose DLP profile blocks the same content, so the same document is accepted by the corporate tenant and refused everywhere else. Because almost every cloud upload is HTTPS, both policies need an SSL/SSH inspection profile in deep-inspection mode; without it the DLP engine sees only ciphertext and the blocked list cannot be enforced. DLP matching may use content fingerprinting, keyword matching, file type recognition, and file size limits for accurate detection. Logs and reports provide visibility into blocked uploads, allowed transfers, and enforcement actions, supporting auditing, compliance, and regulatory requirements. Policies can be applied per VLAN, department, or user group for granular enforcement without affecting legitimate business workflows. This approach protects sensitive data, maintains compliance, and ensures operational continuity while minimizing the risk of accidental or malicious data leaks.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or enforce DLP rules. NAT alone cannot prevent unauthorized cloud uploads.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not inspect content or block unauthorized uploads. Adjusting TTL cannot prevent sensitive data exfiltration.

D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect traffic or enforce DLP policies. Static routes alone cannot prevent uploads to unauthorized cloud services.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing legitimate cloud access. Therefore, A is correct.
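The configuration that option A describes, as an added example for Question 116 (this is not the exam page's own material and not Fortinet's reference configuration). The keyword, the address object "corp-sharepoint" and its FQDN, the "net-users" address object, the interface and policy names are assumptions; "default" and "deep-inspection" are the built-in FortiOS profile names, and the DLP field names are the FortiOS 7.2+ CLI as I know it, so confirm them with `?` on the unit before pasting.

```fortios
# Added example (not from the exam page). The keyword, the corporate
# platform FQDN, "net-users", interface and policy names are assumptions;
# "default" and "deep-inspection" are built-in FortiOS profile names.

# 1. Dictionary: what counts as sensitive. A keyword here; "regex" or a
#    predefined data type (credit-card and friends) is set the same way.
config dlp dictionary
    edit "corp-confidential"
        config entries
            edit 1
                set type "keyword"
                set pattern "INTERNAL USE ONLY"
            next
        end
    next
end

# 2. Sensor: how many dictionary hits trigger a match.
config dlp sensor
    edit "confidential-docs"
        set match-type match-any
        config entries
            edit 1
                set dictionary "corp-confidential"
                set count 1
            next
        end
    next
end

# 3. Profile: which protocols and which action. Uploads (HTTP POST, FTP)
#    are blocked; downloads (http-get) are not in the list, so untouched.
config dlp profile
    edit "dlp-block-uploads"
        config rule
            edit 1
                set name "block-confidential-upload"
                set type file
                set proto http-post ftp
                set filter-by sensor
                set sensor "confidential-docs"
                set action block
            next
        end
    next
end

# The approved corporate platform, matched by FQDN (assumed value).
config firewall address
    edit "corp-sharepoint"
        set type fqdn
        set fqdn "corp-tenant.sharepoint.com"
    next
end

# 4. Policies, in order: approved platform first (no DLP block), then the
#    catch-all carrying the blocking profile. Both decrypt HTTPS, or DLP
#    would see only ciphertext. Proxy inspection so the whole file is
#    reassembled before the sensor runs.
config firewall policy
    edit 0
        set name "users-to-corp-cloud"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "net-users"
        set dstaddr "corp-sharepoint"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set logtraffic all
        set nat enable
    next
    edit 0
        set name "users-to-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "net-users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "FTP"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set application-list "default"
        set dlp-profile "dlp-block-uploads"
        set logtraffic all
        set nat enable
    next
end
```

The two policies are created in that order with `edit 0`, which appends each new policy at the bottom, so the approved-platform policy is evaluated first. If the corporate tenant should also be audited, attach a second DLP profile with `set action log-only` to the first policy instead of leaving it without one.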

Question 117

A FortiGate administrator wants to enforce controlled access to social media websites during work hours while allowing access after hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles use FortiGuard category ratings to group websites into categories such as Social Networking, entertainment, and business-critical sites, so one category action covers thousands of domains without maintaining URL lists by hand. The schedule is not part of the web filter profile; it is an attribute of the firewall policy. The usual design is two policies: the first, bound to a recurring schedule covering work hours, applies a profile that blocks the Social Networking category; the second, scheduled "always", applies the ordinary profile. Because the first matching policy wins, the work-hours policy must sit above the catch-all, and outside its schedule it simply stops matching. Sessions opened during work hours are not torn down when the schedule ends unless schedule-timeout is enabled on the policy. For HTTPS sites, category rating works with certificate inspection (the SNI and certificate name are enough to rate the domain), so users cannot bypass the block by using secure connections; deep inspection is only required to filter on URL paths or to inspect page content. Logs and reports provide visibility into blocked and allowed traffic, user activity, and policy enforcement, supporting auditing, compliance, and monitoring of employee productivity. Policies can be applied per VLAN, department, or user group for granular control without affecting legitimate business applications. This configuration balances security, productivity, and flexibility for employees.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block website access. NAT alone cannot enforce web filtering or schedule-based policies.

C) This describes increasing TTL for HTTP sessions. TTL affects session duration but does not control web access. Adjusting TTL cannot enforce time-based access restrictions.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not inspect traffic or enforce category-based restrictions. Static routes alone cannot prevent access during restricted hours.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled access to social media based on work hours. Therefore, A is correct.
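The two-policy design described in the explanation of Question 117, as an added example (not part of the exam page and not Fortinet's reference configuration). The interface, address, profile and schedule names and the 08:00 to 18:00 window are assumptions; 37 is the FortiGuard "Social Networking" category ID, and "default" and "certificate-inspection" are built-in FortiOS profile names.

```fortios
# Added example (not from the exam page). Interface, object, profile and
# schedule names and the 08:00-18:00 window are assumptions; 37 is the
# FortiGuard "Social Networking" category ID; "default" and
# "certificate-inspection" are built-in FortiOS profile names.

config firewall schedule recurring
    edit "work-hours"
        set day monday tuesday wednesday thursday friday
        set start 08:00
        set end 18:00
    next
end

# One action on the FortiGuard category; no URL list to maintain.
config webfilter profile
    edit "wf-block-social"
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action block
                next
            end
        end
    next
end

# Two policies, order matters. The first matches only while "work-hours"
# is active and carries the blocking profile; outside the window it stops
# matching and the second, scheduled "always", takes over. schedule-timeout
# ends sessions opened during work hours once the window closes.
config firewall policy
    edit 0
        set name "users-internet-work-hours"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "net-users"
        set dstaddr "all"
        set action accept
        set schedule "work-hours"
        set schedule-timeout enable
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-block-social"
        set logtraffic all
        set nat enable
    next
    edit 0
        set name "users-internet-anytime"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "net-users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
end
```

Certificate inspection is deliberate here: category rating only needs the server name, and it avoids deploying the FortiGate CA to every client. Switch the profile to "deep-inspection" only if the policy must also distinguish URL paths within a site.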

Question 118

A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates sensitive systems from general user networks, and the inter-VLAN firewall policy is the enforcement point for everything that crosses the boundary. Antivirus scanning analyzes files, attachments, and executables to detect and block malware and ransomware. IPS monitors network traffic for known attack signatures, exploits, and anomalies, which is what stops an exploit-driven worm from hopping between segments. Application control ensures only authorized applications can communicate, blocking unauthorized programs that could carry malicious payloads. SSL deep inspection allows encrypted traffic to be inspected for threats. Two FortiGate behaviours shape the policy design. First, the firewall is stateful: a policy is needed only for the direction in which sessions are initiated, and reply packets are matched to the existing session, so a users-to-servers policy does not need a servers-to-users twin unless servers initiate connections to users. Second, policies are evaluated top to bottom and anything that matches none of them hits the implicit deny, so the inter-VLAN policies should be as narrow as the business traffic allows, with specific services and address objects rather than ALL and all. Logs provide visibility into blocked traffic, enforcement actions, and inter-VLAN traffic patterns, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a robust, multi-layered defense without disrupting legitimate business operations, and policies can be applied per VLAN, department, or user group for granular control. This configuration enforces zero-trust principles by inspecting and controlling inter-VLAN traffic while maintaining operational continuity.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent malware propagation between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware spread.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.
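The configuration behind the correct answer to Questions 113 and 118, as an added example (not part of the exam page and not Fortinet's reference configuration). The interface names, VLAN IDs, subnets and object names are assumptions; "default" and "deep-inspection" are the built-in FortiOS profile names.

```fortios
# Added example (not from the exam page). Interface names, VLAN IDs,
# subnets and object names are assumptions; "default" and
# "deep-inspection" are the built-in FortiOS profile names.

# Each VLAN is its own FortiGate interface on the same physical port, so
# every VLAN-to-VLAN packet is routed through the firewall and hits a policy.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 10
    next
    edit "vlan20-servers"
        set vdom "root"
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 20
    next
end

config firewall address
    edit "net-users"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "net-servers"
        set subnet 10.10.20.0 255.255.255.0
    next
end

# Inter-VLAN policy: explicit services (not ALL), no NAT, antivirus + IPS +
# application control, deep inspection for the TLS flows, full logging.
# Reply packets ride the session, so no servers-to-users policy is needed
# unless servers open connections to users. Anything not matched here, in
# either direction, falls to the implicit deny.
config firewall policy
    edit 0
        set name "users-to-servers"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "net-users"
        set dstaddr "net-servers"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB" "RDP"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
        set nat disable
    next
end
```

To confirm that a given flow is really taking this policy (and not a broader one above it), trace it with `diagnose debug flow filter addr <server-ip>`, `diagnose debug flow trace start 10` and `diagnose debug enable`; the trace names the policy ID that accepted or denied the packet.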

Question 119

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs used for botnet operations. DNS filtering prevents internal hosts from resolving botnet domains, web filtering inspects HTTP and HTTPS traffic (with SSL deep inspection where needed) to block malicious URLs, and the IPS sensor's botnet IP list catches connections made directly to a known C&C address. The DNS side has a practical limit worth planning for: the DNS filter only sees queries that traverse a policy carrying the profile, or that are answered by the FortiGate's own DNS service with the profile attached. A host that is hard-coded to an external resolver, that uses DNS over HTTPS, or whose malware connects straight to an IP address never triggers the domain check. Restricting outbound port 53 to the internal resolvers, blocking DNS over HTTPS with application control, and keeping the IP-based botnet block on the same policy close those gaps. Blocking C&C traffic stops malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs and reports provide visibility into blocked traffic, enforcement actions, and potential infections, supporting auditing, compliance, and incident response; a botnet block from an internal source address is a confirmed-compromise indicator that should open an incident, not just a statistic. Continuous updates from FortiGuard ensure protection against evolving botnet threats. By combining DNS and web filter protections, administrators maintain network security without impacting legitimate traffic, enforce zero-trust principles, and mitigate the risk of internal hosts being compromised.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block communications. NAT alone cannot prevent malware from contacting C&C servers.

C) This describes increasing TTL for outbound traffic. The IP TTL is a hop-count limit and the FortiGate session TTL an idle timeout; neither inspects traffic or blocks C&C communications. Adjusting TTL cannot prevent botnet activity.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communication. Static routes alone cannot prevent C&C traffic.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
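The profiles and policy behind the correct answer to Questions 114 and 119, as an added example (not part of the exam page and not Fortinet's reference configuration). Profile, interface and policy names are assumptions; "default" and "certificate-inspection" are the built-in FortiOS profile names. It shows the FortiOS 7.4 placement of the controls: domain blocking in the DNS filter profile, IP blocking in the IPS sensor, category blocking in the web filter profile, all on one outbound policy.

```fortios
# Added example (not from the exam page). Profile, interface and policy
# names are assumptions; "default" and "certificate-inspection" are the
# built-in FortiOS profile names.

# Domain side: refuse to resolve FortiGuard botnet C&C domains and log
# every query, so the source host of a blocked lookup can be found.
config dnsfilter profile
    edit "dns-botnet-block"
        set comment "block botnet C&C domain resolution"
        set block-botnet enable
        set log-all-domain enable
    next
end

# IP side: in FortiOS 7.4 the botnet IP list is enforced by the IPS sensor
# ("Scan Outgoing Connections to Botnet Sites"), alongside malicious URL
# blocking. This catches malware that skips DNS and dials an address.
config ips sensor
    edit "ips-botnet-block"
        set comment "block connections to botnet C&C IPs"
        set scan-botnet-connections block
        set block-malicious-url enable
    next
end

# All three profiles on the one outbound policy. Certificate inspection is
# enough for the DNS and IP checks and for category rating of HTTPS sites;
# use "deep-inspection" if URL paths inside HTTPS must also be filtered.
config firewall policy
    edit 0
        set name "lan-to-internet"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set dnsfilter-profile "dns-botnet-block"
        set webfilter-profile "default"
        set ips-sensor "ips-botnet-block"
        set logtraffic utm
        set nat enable
    next
end
```

If internal hosts use the FortiGate itself as their resolver, the policy never sees their queries; attach the same profile to the DNS service on the inside interface with `config system dns-server`, `edit "port2"`, `set dnsfilter-profile "dns-botnet-block"`. Blocked botnet events show up in the DNS and IPS logs with the internal source address, which is the host to isolate.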

Question 120

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, and the firewall policies whose source interface is ssl.root are where the security profiles are enforced. Without SSL deep inspection on those policies, the HTTPS sessions carried inside the tunnel bypass the profiles, allowing malware, phishing attempts, or unauthorized applications to infiltrate internal networks. SSL deep inspection decrypts that traffic, allowing antivirus scanning to detect malware, ransomware, and trojans, web filtering to block malicious websites, phishing domains, and inappropriate content, and application control to permit only authorized applications over the VPN. One caveat specific to tunnel mode: if split tunneling is enabled on the portal, only traffic destined for the configured internal networks enters the tunnel, and the user's Internet traffic leaves the home network uninspected. To scan all traffic, as the question requires, split tunneling must be disabled and a second policy from ssl.root to the WAN interface must carry the same profiles. Deep inspection also breaks applications that pin their server certificate; those destinations belong in the SSL/SSH inspection profile's exemption list rather than being left uninspected wholesale. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Applying SSL deep inspection ensures encrypted traffic does not circumvent security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration protects internal resources while enabling secure, monitored access for remote employees.

B) This describes enabling NAT on SSL VPN interfaces. NAT changes IP addresses but does not inspect traffic, detect malware, or enforce security policies. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or block malware or unauthorized applications. Adjusting TTL cannot enforce security policies.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
