Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 7 Q121-140
Question 121
A FortiGate administrator wants to block internal users from uploading confidential files to unauthorized cloud storage services while allowing uploads to approved corporate cloud platforms. Which configuration should be applied?
A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services
Answer: A
Explanation
A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles provide a mechanism to inspect all network traffic, including encrypted HTTPS connections, for sensitive data such as financial records, intellectual property, confidential documents, and personally identifiable information (PII). By defining allowed cloud platforms, uploads to approved corporate services are permitted, while unauthorized cloud storage services are blocked. SSL deep inspection ensures encrypted traffic is inspected so that sensitive data cannot bypass the policy. DLP policies may use content fingerprinting, keyword matching, and file type recognition to accurately detect sensitive data. Logs provide detailed information about blocked uploads, allowed transfers, and enforcement actions, which supports auditing, compliance, and regulatory requirements. Policies can be applied per VLAN, department, or user group to allow granular enforcement without affecting legitimate business workflows. This approach ensures sensitive data is protected, regulatory compliance is maintained, and operational continuity is preserved while minimizing the risk of accidental or malicious data leaks.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or enforce DLP rules. NAT alone cannot prevent unauthorized uploads to cloud services.
C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not inspect content or enforce DLP policies. Adjusting TTL alone cannot prevent sensitive data exfiltration.
D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect traffic or enforce DLP policies. Static routes alone cannot prevent uploads to unauthorized cloud platforms.
Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that effectively protects sensitive data while allowing legitimate cloud access. Therefore, A is correct.
Question 122
A FortiGate administrator wants to enforce controlled access to social media websites during working hours while allowing access outside of business hours. Which configuration should be applied?
A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites
Answer: A
Explanation
A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles categorize websites into social media, entertainment, business, and other categories. By applying schedule-based policies, administrators can restrict access to social media websites during defined work hours while allowing access after hours. SSL deep inspection ensures encrypted HTTPS traffic is inspected so that users cannot bypass policies using secure connections. Logs provide visibility into blocked and allowed traffic, user activity, and policy enforcement, supporting auditing, compliance, and monitoring employee productivity. Policies can be applied per VLAN, department, or user group for granular control without impacting legitimate business operations. Using category-based filtering reduces administrative overhead by eliminating the need to maintain large URL lists and ensures consistent enforcement across the organization. This approach balances security, productivity, and employee flexibility.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or enforce web filtering or schedule-based policies. NAT alone cannot restrict website access.
C) This describes increasing TTL for HTTP sessions. TTL affects session duration but does not control web access. Adjusting TTL cannot implement time-based restrictions on social media usage.
D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not inspect traffic or enforce category-based or schedule-based blocking. Static routes alone cannot prevent access during restricted hours.
Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled social media access based on business hours. Therefore, A is correct.
Question 123
A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, minimizing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic passing between segments. Antivirus scanning examines files, attachments, and executables to detect and block malware and ransomware. IPS monitors network traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control ensures only authorized applications can communicate, blocking unauthorized software that may carry malicious payloads. SSL deep inspection ensures encrypted traffic is analyzed. Logs provide detailed visibility into blocked traffic, policy enforcement, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a robust defense without disrupting legitimate business operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration enforces zero-trust principles, preventing malware propagation while maintaining operational traffic flow.
B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.
C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware spread.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.
Question 124
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to detect malicious domains, IP addresses, and URLs associated with botnet operations. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block C&C communications. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing security policies. Blocking C&C traffic stops malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates ensure real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain security without affecting legitimate traffic, enforce zero-trust principles, and mitigate risks of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or block communications. NAT alone cannot prevent malware from contacting C&C servers.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent botnet activity.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communication. Static routes alone cannot prevent C&C activity.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
Question 125
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows remote users to securely access internal resources over encrypted channels. Without SSL deep inspection, encrypted traffic could bypass security policies, allowing malware, phishing attempts, or unauthorized applications to infiltrate internal networks. SSL deep inspection decrypts traffic, enabling antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures only approved applications are allowed over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can minimize disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic does not circumvent security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration protects internal resources while enabling secure, monitored access for remote employees.
B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or block malware or unauthorized applications. Adjusting TTL cannot enforce security policies.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
Question 126
A FortiGate administrator wants to prevent internal users from bypassing security controls by using unauthorized VPN clients or anonymizers. Which configuration should be applied?
A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers
Answer: A
Explanation
A) This describes applying application control profiles with rules blocking VPN tunneling and anonymizer applications. Internal users may attempt to bypass corporate security policies by using unauthorized VPN clients or anonymizers to circumvent firewall rules, web filtering, antivirus scanning, or DLP enforcement. Application control inspects network traffic to detect known application signatures, tunneling protocols, and behavioral patterns associated with unauthorized VPN or anonymizer use. SSL deep inspection ensures encrypted sessions are decrypted and inspected, preventing secure traffic from bypassing controls. Logs and reports provide detailed visibility into blocked attempts, user behavior, and policy enforcement, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement without impacting legitimate business applications. Blocking unauthorized VPNs and anonymizers ensures that all traffic is monitored and subject to corporate security policies, maintaining network integrity, reducing malware and data exfiltration risks, and enforcing zero-trust principles.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block VPN clients or anonymizers. NAT alone cannot enforce security policies or prevent policy bypass.
C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but does not inspect applications or prevent bypass attempts. Adjusting TTL cannot enforce security controls.
D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity but does not prevent the use of unauthorized VPN clients or anonymizers. Static routes alone cannot enforce security policies.
Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that ensures internal users cannot bypass corporate security controls. Therefore, A is correct.
Question 127
A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP traffic shaping allows administrators to define maximum, guaranteed, and priority bandwidth for individual users or devices. This ensures fair distribution of network resources and prevents a single user from monopolizing bandwidth, which can degrade overall network performance. Traffic shaping profiles can prioritize critical business applications while limiting non-essential traffic. Applying these profiles to firewall policies ensures that all sessions are monitored and enforced according to defined bandwidth limits. Logs provide detailed visibility into per-user consumption, policy enforcement, and usage trends, supporting auditing, compliance, and operational monitoring. Policies can be applied per VLAN, department, or user group to provide granular control while maintaining operational flexibility. This configuration ensures equitable access to network resources, prevents congestion, maintains predictable network performance, and supports zero-trust principles by controlling individual usage. Traffic shaping, combined with monitoring, allows proactive bandwidth management, preventing excessive usage by individual users and maintaining network stability.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not enforce bandwidth limits or per-user controls. NAT alone cannot prevent excessive network usage.
C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not manage bandwidth. Adjusting TTL cannot enforce per-user network consumption policies.
D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth limits. Static routes alone cannot manage network resource allocation.
Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents performance degradation caused by individual users. Therefore, A is correct.
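As an added example that is not part of the original question set, the FortiOS CLI below creates a per-IP shaper and attaches it through a shaping policy, which is how the cap is enforced on each source address separately rather than on the policy as a whole. The interface names "internal" and "wan1", the 10 Mbps figure, the session cap and the policy ID are assumptions; the `#` lines are annotations for the reader and are not CLI input.

```fortios
# Per-IP shaper: the limit applies to EACH source IP individually.
# A shared (traffic-shaper) object would instead split one pool across
# every session that matches, which does not stop one host from dominating.
config firewall shaper per-ip-shaper
    edit "per-user-10Mbps"
        set bandwidth-unit kbps
        set max-bandwidth 10000
        set max-concurrent-session 500
    next
end

# Shaping policies are a separate table from firewall policies and only
# shape traffic that a firewall policy has already accepted. The shaper
# therefore never blocks a session by itself; packets above the cap are
# queued or dropped, and a host over its session cap gets new sessions
# refused until existing ones age out.
config firewall shaping-policy
    edit 1
        set name "limit-each-internal-host"
        set status enable
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set per-ip-shaper "per-user-10Mbps"
    next
end
```

On a live unit, `diagnose firewall shaper per-ip-shaper list` shows the shaper's current per-address counters, which is the quickest way to confirm the cap is being applied to the address you expect.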
Question 128
A FortiGate administrator wants to block malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, reducing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic moving between segments. Antivirus scanning detects malware and ransomware by examining files, attachments, and executables. IPS monitors traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control ensures only authorized applications can communicate, blocking unauthorized programs that may carry malicious payloads. SSL deep inspection allows encrypted traffic to be analyzed. Logs provide detailed visibility into blocked traffic, policy enforcement, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a robust defense without affecting legitimate business operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration enforces zero-trust principles and prevents malware propagation while maintaining operational continuity.
B) This describes enabling NAT on VLAN interfaces. NAT changes IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.
C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware spread.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.
Question 129
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block communications with C&C servers. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic prevents malware from receiving commands, exfiltrating sensitive data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates provide real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain security without impacting legitimate traffic, enforce zero-trust principles, and mitigate risks of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block communications. NAT alone cannot prevent malware from contacting C&C servers.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent botnet activity.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communication. Static routes alone cannot prevent C&C traffic.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
Question 130
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows remote users to securely access internal resources over encrypted channels. Without SSL deep inspection, encrypted traffic may bypass security policies, allowing malware, phishing attempts, or unauthorized applications to infiltrate internal networks. SSL deep inspection decrypts traffic, enabling antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures only approved applications are permitted over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can minimize disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic does not circumvent security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration protects internal resources while enabling secure, monitored access for remote employees.
B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or block malware or unauthorized applications. Adjusting TTL cannot enforce security policies.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
Question 131
A FortiGate administrator wants to prevent sensitive documents from being uploaded to unauthorized cloud storage services while allowing uploads to approved corporate cloud platforms. Which configuration should be applied?
A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services
Answer: A
Explanation
A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles provide a mechanism for inspecting network traffic, including encrypted HTTPS connections, to detect sensitive data such as financial records, intellectual property, confidential documents, and personally identifiable information (PII). By defining allowed cloud platforms, uploads to approved corporate services are permitted, while connections to unauthorized cloud storage services are blocked. SSL deep inspection ensures encrypted traffic is decrypted and inspected, preventing sensitive data from bypassing security controls. DLP policies can use content fingerprinting, keyword matching, and file type recognition to accurately identify sensitive information. Logs provide detailed visibility into blocked uploads, allowed transfers, and enforcement actions, supporting auditing, compliance, and regulatory requirements. Policies can be applied per VLAN, department, or user group for granular control without affecting legitimate workflows. This approach ensures sensitive data is protected, regulatory compliance is maintained, and operational continuity is preserved while minimizing the risk of accidental or malicious data leaks.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect content or enforce DLP policies. NAT alone cannot prevent unauthorized uploads to cloud services.
C) This describes increasing TTL for outbound HTTPS sessions. TTL affects session lifespan but does not inspect content or enforce DLP rules. Adjusting TTL alone cannot prevent sensitive data exfiltration.
D) This describes configuring static routes to corporate cloud services. Routing ensures connectivity but does not inspect traffic or enforce DLP policies. Static routes alone cannot prevent uploads to unauthorized cloud platforms.
Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that effectively protects sensitive data while allowing legitimate cloud access. Therefore, A is correct.
Question 132
A FortiGate administrator wants to enforce controlled access to social media websites during working hours while allowing access outside of business hours. Which configuration should be applied?
A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites
Answer: A
Explanation
A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles categorize websites into groups such as social media, entertainment, and business-critical sites. By associating the web filter profile with a schedule, administrators can restrict access to social media websites during defined working hours and allow access outside business hours. SSL deep inspection ensures encrypted HTTPS traffic is also inspected so that users cannot bypass the policy with secure connections. Logs provide detailed visibility into blocked and allowed traffic, user activity, and enforcement actions, supporting auditing, compliance, and monitoring employee productivity. Policies can be applied per VLAN, department, or user group for granular control without affecting legitimate business applications. Using category-based filtering reduces administrative overhead by eliminating the need to maintain large lists of URLs and ensures consistent enforcement across the organization. This configuration balances security, productivity, and user flexibility.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or enforce web filtering or schedule-based policies. NAT alone cannot block website access.
C) This describes increasing TTL for HTTP sessions. TTL affects session duration but does not control web access. Adjusting TTL cannot implement time-based restrictions on social media usage.
D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not inspect traffic or enforce category-based or schedule-based blocking. Static routes alone cannot prevent access during restricted hours.
Web filter profiles with category-based blocking and schedule-based policies are the only configuration that ensures controlled access to social media based on working hours. Therefore, A is correct.
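The schedule in this scenario lives on the firewall policy, not on the web filter profile, and allowing social media after hours needs a second policy to catch the traffic once the scheduled one stops matching. The FortiOS CLI below is an added example, not part of the original set: interface names, the 09:00-17:00 window, policy IDs and the FortiGuard category ID 37 (assumed here to be Social Networking; confirm against the category list on the unit) are assumptions, and `#` lines are annotations, not CLI input.

```fortios
# Recurring schedule covering the working week (24-hour HH:MM).
config firewall schedule recurring
    edit "work-hours"
        set day monday tuesday wednesday thursday friday
        set start 09:00
        set end 17:00
    next
end

# Web filter profile that blocks one FortiGuard category.
# Category 37 is assumed to be "Social Networking"; verify before use.
config webfilter profile
    edit "block-social"
        config ftgd-wf
            config filters
                edit 1
                    set category 37
                    set action block
                next
            end
        end
    next
end

# Policy 10 matches only while "work-hours" is active and blocks the
# category. Policy 11 has the same match criteria, schedule "always" and a
# permissive profile. FortiGate uses the FIRST matching policy, so 10 must
# sit above 11: during work hours 10 wins; after hours 10 is inactive and
# traffic falls through to 11. Without 11, after-hours traffic would hit
# the implicit deny instead of being allowed.
# Deep inspection is set on both so HTTPS sites are categorised, not just
# the SNI/certificate.
config firewall policy
    edit 10
        set name "web-work-hours-social-blocked"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "work-hours"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "block-social"
        set logtraffic all
        set nat enable
    next
    edit 11
        set name "web-after-hours"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set webfilter-profile "default"
        set logtraffic all
        set nat enable
    next
    # Guarantees the ordering if policy 11 already existed above 10.
    move 10 before 11
end
```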
Question 133
A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates sensitive systems from general user networks, minimizing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic moving between VLAN segments. Antivirus scanning analyzes files, attachments, and executables to detect malware and ransomware. IPS monitors network traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading between VLANs. Application control ensures only authorized applications are permitted to communicate, blocking unauthorized programs that could carry malicious payloads. SSL deep inspection ensures encrypted traffic is inspected. Logs provide detailed visibility into blocked traffic, enforcement actions, and inter-VLAN traffic patterns, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a robust defense without disrupting legitimate business operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration enforces zero-trust principles and prevents malware propagation while maintaining operational traffic flow.
B) This describes enabling NAT on VLAN interfaces. NAT changes IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.
C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware propagation.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.
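As an added example (not from the original question set), the FortiOS CLI below builds two VLAN sub-interfaces on one trunk and a single inter-VLAN policy that layers antivirus, IPS and application control on only the services the segment needs, with the implicit deny logged so blocked lateral traffic is visible. The trunk port "internal", VLAN IDs, addresses, the "SMB"/"HTTPS" service set and the use of the built-in "default" profiles are assumptions; `#` lines are annotations, not CLI input.

```fortios
# Two VLAN sub-interfaces on the same physical port. Hosts in the two VLANs
# have no L2 path to each other, so every inter-VLAN packet is routed by the
# FortiGate and therefore subject to policy lookup and UTM inspection.
config system interface
    edit "vlan10-users"
        set vdom "root"
        set interface "internal"
        set vlanid 10
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
    edit "vlan20-servers"
        set vdom "root"
        set interface "internal"
        set vlanid 20
        set ip 10.10.20.1 255.255.255.0
        set allowaccess ping
        set role lan
    next
end

# Users -> servers: allow only the needed services and inspect what is
# allowed. Sessions are stateful, so server replies ride this session;
# no reverse servers -> users accept policy is needed for reply traffic,
# and not adding one is what stops a compromised server reaching back
# into the user VLAN.
config firewall policy
    edit 20
        set name "users-to-servers-inspected"
        set srcintf "vlan10-users"
        set dstintf "vlan20-servers"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMB"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        set logtraffic all
    next
    # Policy 0 is the implicit deny. Logging it records every inter-VLAN
    # attempt that no explicit policy accepted, which is the signal an
    # analyst wants when malware starts probing neighbouring segments.
    edit 0
        set logtraffic all
    next
end
```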
Question 134
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block communications with C&C servers. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing security policies. Blocking C&C traffic prevents malware from receiving commands, exfiltrating sensitive data, or participating in coordinated attacks. Logs provide detailed visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates ensure real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain security without impacting legitimate traffic, enforce zero-trust principles, and mitigate risks of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or block communications. NAT alone cannot prevent malware from contacting C&C servers.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent botnet activity.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communication. Static routes alone cannot prevent C&C traffic.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
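As an added illustration (not part of the original question set), the configuration described in option A expressed as FortiOS CLI. The syntax is assumed to match FortiOS 7.4 and should be verified against the device; the profile names, policy ID, interface names and the FortiGuard category ID are placeholders chosen for this example.

```text
# Added example, not from the original page. Assumed FortiOS 7.4 CLI; verify on your unit.

# 1. DNS filter profile: refuse to resolve FortiGuard-flagged botnet C&C domains.
config dnsfilter profile
    edit "dns-botnet-block"
        set block-botnet enable        # drop queries for known C&C domains
        set log-all-domain enable      # log every lookup, useful when hunting for infected hosts
    next
end

# 2. Web filter profile: block the FortiGuard "Malicious Websites" category
#    (category ID 26 is assumed here; confirm the ID in your firmware's category list).
config webfilter profile
    edit "web-botnet-block"
        config ftgd-wf
            config filters
                edit 1
                    set category 26
                    set action block
                next
            end
        end
    next
end

# 3. Bind both profiles, plus deep inspection, to the outbound policy.
config firewall policy
    edit 10                                   # placeholder policy ID
        set name "lan-to-wan"
        set srcintf "internal"                # placeholder interface names
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection" # built-in profile; needed for HTTPS C&C URLs
        set dnsfilter-profile "dns-botnet-block"
        set webfilter-profile "web-botnet-block"
        set logtraffic all
        set nat enable
    next
end
```

The DNS profile is the cheaper control, since it stops the infected host before any TCP connection is made; the web filter profile catches C&C traffic that uses a hard-coded IP or a domain not yet in the DNS block list. Blocked lookups and URLs appear in the DNS filter and web filter logs and are the first place to look for hosts that need isolation.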
Question 135
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources. Without SSL deep inspection, encrypted traffic could bypass security policies, allowing malware, phishing attempts, or unauthorized applications to reach internal networks. SSL deep inspection decrypts traffic so antivirus scanning can detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content categories. Application control ensures only authorized applications are permitted over SSL VPN connections. Logs provide detailed visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions minimize disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic does not circumvent security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration protects internal resources while enabling secure, monitored access for remote users.
B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or block malware or unauthorized applications. Adjusting TTL cannot enforce security policies.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
Question 136
A FortiGate administrator wants to prevent internal users from bypassing security controls by using unauthorized VPN clients or anonymizers. Which configuration should be applied?
A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers
Answer: A
Explanation
A) This describes applying application control profiles with rules blocking VPN tunneling and anonymizer applications. Unauthorized VPN clients or anonymizers can be used by internal users to circumvent corporate security policies, firewall rules, web filtering, antivirus scanning, or DLP enforcement. Application control examines network traffic to identify application signatures, tunneling protocols, and behavioral patterns associated with unauthorized VPNs or anonymizer applications. SSL deep inspection ensures encrypted traffic is also analyzed, preventing users from bypassing policies through secure channels. Logs and reports provide detailed visibility into blocked attempts, policy enforcement, and user behavior, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement without impacting legitimate applications. Blocking unauthorized VPNs and anonymizers ensures all network traffic is monitored and subject to corporate security policies, reducing the risk of malware propagation, data exfiltration, and policy violations. This approach aligns with zero-trust principles and maintains network integrity while allowing legitimate business operations.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block VPN clients or anonymizers. NAT alone cannot enforce security policies or prevent users from bypassing controls.
C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but does not inspect applications or prevent bypass attempts. Adjusting TTL cannot enforce security controls.
D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity but does not prevent the use of unauthorized VPN clients or anonymizers. Static routes alone cannot enforce security policies.
Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that effectively prevents internal users from bypassing security controls. Therefore, A is correct.
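An added example (not from the original page) of the application control profile described in option A, written as assumed FortiOS 7.4 CLI. The list name is a placeholder, and the category number refers to the FortiGuard "Proxy" application category, which covers VPN tunnels and anonymizers; treat that ID as an assumption to confirm on the device.

```text
# Added example, not from the original page. Assumed FortiOS 7.4 CLI; verify on your unit.
config application list
    edit "block-vpn-anonymizers"            # placeholder profile name
        set comment "Block VPN tunnelling and anonymizer applications"
        set deep-app-inspection enable      # classify on application signatures, not just ports
        set unknown-application-action pass # do not break unrecognised business traffic
        set unknown-application-log enable  # but record it, so new tunnelling tools show up in logs
        config entries
            edit 1
                set category 6              # assumed ID for the FortiGuard "Proxy" category
                set action block
                set log enable
            next
        end
    next
end

# Attach the list to the policy that carries user traffic out; deep inspection is
# required because most tunnelling clients hide inside TLS.
config firewall policy
    edit 10                                 # placeholder policy ID
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set application-list "block-vpn-anonymizers"
        set logtraffic all
    next
end
```

Logging unknown applications is what lets an administrator notice a new evasion tool before it has a signature: a sudden run of long-lived "unknown" sessions from one host to a single external address is worth investigating.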
Question 137
A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP traffic shaping allows administrators to define maximum, guaranteed, and priority bandwidth for individual users or devices. This ensures fair distribution of network resources, preventing a single user from monopolizing bandwidth and degrading overall network performance. Traffic shaping can prioritize business-critical applications while limiting non-essential traffic. Applying these profiles to firewall policies ensures that all sessions are monitored and enforced according to defined limits. Logs provide detailed visibility into per-user consumption, enforcement actions, and traffic trends, supporting auditing, compliance, and operational monitoring. Policies can be applied per VLAN, department, or user group for granular control while maintaining operational flexibility. This configuration ensures equitable access to resources, prevents congestion, maintains predictable network performance, and supports zero-trust principles by controlling individual usage. Traffic shaping combined with monitoring allows proactive bandwidth management, preventing excessive consumption by single users and maintaining network stability.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not enforce bandwidth limits or per-user controls. NAT alone cannot prevent excessive usage.
C) This describes increasing TTL for outbound sessions. TTL affects session duration but does not manage bandwidth. Adjusting TTL cannot enforce per-user network consumption policies.
D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth limits. Static routes alone cannot manage network resource allocation.
Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents network performance degradation caused by individual users. Therefore, A is correct.
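An added example (not from the original page) of the per-IP shaping configuration in option A, as assumed FortiOS 7.4 CLI; the shaper name, limits, interface names and policy ID are placeholders.

```text
# Added example, not from the original page. Assumed FortiOS 7.4 CLI; verify on your unit.

# 1. Per-IP shaper: each source address gets its own bucket with these ceilings.
config firewall shaper per-ip-shaper
    edit "per-user-10M"                  # placeholder name
        set max-bandwidth 10000          # kbps per source IP
        set max-concurrent-session 500   # also caps sessions per host, which blunts scanners and worms
    next
end

# 2. Shaping policy: apply the shaper to traffic matching the outbound policy.
config firewall shaping-policy
    edit 1
        set name "limit-per-user"
        set srcintf "internal"           # placeholder interface names
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set per-ip-shaper "per-user-10M"
    next
end

# Confirm the shaper is counting against live sessions.
diagnose firewall shaper per-ip-shaper list
```

A per-IP shaper sets a maximum rate and a session cap for each source address. Guaranteed bandwidth and traffic priority are properties of a shared shaper, which can be attached to the same shaping policy alongside the per-IP shaper when business-critical applications need a floor as well as a ceiling.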
Question 138
A FortiGate administrator wants to block malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates sensitive systems from general user networks, reducing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic moving between VLANs. Antivirus scanning analyzes files, attachments, and executables to detect malware and ransomware. IPS monitors traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading between VLANs. Application control ensures only authorized applications are permitted to communicate, blocking unauthorized programs that may carry malicious payloads. SSL deep inspection allows encrypted traffic to be analyzed. Logs provide detailed visibility into blocked traffic, policy enforcement, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control creates a robust defense without disrupting legitimate operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration enforces zero-trust principles and prevents malware propagation while maintaining operational traffic flow.
B) This describes enabling NAT on VLAN interfaces. NAT changes IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.
C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware propagation.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.
Question 139
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to detect malicious domains, IP addresses, and URLs associated with botnet activity. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block C&C communications. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic stops malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous updates from FortiGuard provide real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain network security without impacting legitimate traffic, enforce zero-trust principles, and mitigate risks of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block communications. NAT alone cannot prevent malware from contacting C&C servers.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent botnet activity.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communication. Static routes alone cannot prevent C&C traffic.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
Question 140
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows remote users to securely access internal resources over encrypted channels. Without SSL deep inspection, encrypted traffic could bypass security policies, allowing malware, phishing attempts, or unauthorized applications to infiltrate internal networks. SSL deep inspection decrypts traffic so antivirus scanning can detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures only approved applications are permitted over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can reduce disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic does not circumvent security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration protects internal resources while enabling secure, monitored access for remote employees.
B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or block malware or unauthorized applications. Adjusting TTL cannot enforce security policies.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.