Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 8 Q141-160
Question 141
A FortiGate administrator wants to prevent sensitive documents from being uploaded to unauthorized cloud storage services while allowing uploads to approved corporate cloud platforms. Which configuration should be applied?
A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services
Answer: A
Explanation
A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles provide granular control over sensitive data, ensuring that confidential files, financial records, intellectual property, and personally identifiable information (PII) are not uploaded to unauthorized cloud storage platforms. By allowing only corporate-approved cloud services, uploads to legitimate services continue uninterrupted, while any attempts to use unauthorized platforms are blocked. SSL deep inspection decrypts encrypted traffic, enabling accurate inspection of files transferred over HTTPS connections. DLP policies leverage content fingerprinting, keyword scanning, and file type recognition to identify sensitive information reliably. Logs and reporting provide visibility into blocked and allowed uploads, helping administrators monitor compliance and enforce corporate policies. Applying DLP per VLAN, department, or user group ensures that rules are enforced appropriately based on the business context, maintaining operational continuity without restricting legitimate business processes. This approach also supports regulatory compliance by enforcing data privacy and protection standards.
B) This describes enabling NAT on internal interfaces. NAT translates private IP addresses to public addresses for outbound connectivity but does not inspect content or enforce policies to prevent sensitive data leaks. NAT alone cannot prevent users from uploading confidential files to unauthorized platforms.
C) This describes increasing TTL for outbound HTTPS sessions. TTL affects the lifespan of network packets but does not inspect data or enforce DLP policies. Adjusting TTL has no effect on preventing data exfiltration.
D) This describes configuring static routes to corporate cloud services. Static routes control network paths but do not inspect content or block unauthorized uploads. Routing alone cannot enforce DLP policies.
Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data is protected while allowing legitimate cloud uploads. Therefore, A is correct.
Question 142
A FortiGate administrator wants to enforce controlled access to social media websites during working hours while allowing access outside of business hours. Which configuration should be applied?
A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites
Answer: A
Explanation
A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles categorize websites into groups such as social media, entertainment, business, and education. By applying these filters alongside a schedule, administrators can enforce access control policies during working hours while allowing non-restricted access after hours. SSL deep inspection ensures encrypted HTTPS traffic is inspected, preventing users from bypassing the filter with secure connections. Logs provide visibility into blocked attempts, allowed connections, and policy enforcement, supporting auditing, compliance, and monitoring productivity. Policies can be applied per VLAN, department, or user group, providing granular control while avoiding disruption of legitimate workflows. Category-based filtering eliminates the need to manually maintain extensive URL lists and ensures consistent enforcement across the organization. This approach effectively balances security, productivity, and employee flexibility, maintaining an appropriate work environment without overly restricting internet access.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or enforce access policies. NAT alone cannot control web access.
C) This describes increasing TTL for HTTP sessions. TTL affects session lifespan but does not restrict access to websites or categories. Adjusting TTL cannot enforce schedule-based web filtering.
D) This describes configuring static routes to social media websites. Routing ensures network connectivity but does not inspect traffic or enforce policies. Static routes alone cannot block social media access.
Web filter profiles with category-based blocking and schedule-based policies are the only configuration that enforces time-based controlled access to social media websites. Therefore, A is correct.
Question 143
A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, reducing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic moving between VLANs. Antivirus scanning examines files, attachments, and executables to detect malware and ransomware. IPS monitors traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control enforces restrictions on unauthorized software, ensuring that only approved applications can communicate across VLANs. SSL deep inspection ensures encrypted traffic is inspected. Logs provide detailed visibility into blocked traffic, policy enforcement, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control provides a robust defense while maintaining operational continuity. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration enforces zero-trust principles and prevents malware propagation while allowing legitimate business operations.
B) This describes enabling NAT on VLAN interfaces. NAT translates IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.
C) This describes increasing TTL for VLAN sessions. TTL affects packet lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware propagation.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that effectively prevents malware propagation while allowing legitimate traffic. Therefore, A is correct.
Question 144
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to detect malicious domains, IP addresses, and URLs associated with botnet activity. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block communications with C&C servers. SSL deep inspection ensures that encrypted traffic is analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic prevents malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide detailed visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates provide real-time protection against emerging threats. By combining DNS and web filter protections, administrators maintain security without impacting legitimate traffic, enforce zero-trust principles, and reduce the risk of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communication. NAT alone cannot prevent botnet activity.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communication.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet activity.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
Question 145
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if left unchecked, could allow malware, phishing attempts, or unauthorized applications to infiltrate internal networks. SSL deep inspection decrypts traffic, allowing antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content, while application control enforces policies to allow only approved applications. Logs provide detailed visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to reduce disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic does not bypass security controls, enforces corporate policies, and supports zero-trust principles for remote access. This configuration secures internal resources while allowing monitored access for remote employees.
B) This describes enabling NAT on SSL VPN interfaces. NAT changes IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session duration but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
Question 146
A FortiGate administrator wants to prevent internal users from bypassing security controls by using unauthorized VPN clients or anonymizers. Which configuration should be applied?
A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers
Answer: A
Explanation
A) This describes applying application control profiles with rules blocking VPN tunneling and anonymizer applications. Internal users may attempt to bypass corporate security policies, firewall rules, web filtering, antivirus scanning, or DLP enforcement by using unauthorized VPN clients or anonymizers. Application control examines network traffic to detect application signatures, tunneling protocols, and behavior patterns associated with unauthorized VPNs or anonymizers. SSL deep inspection ensures that encrypted traffic is also analyzed so users cannot bypass controls using HTTPS or other secure channels. Logs and reports provide visibility into blocked attempts, policy enforcement, and user behavior, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement without impacting legitimate applications. Blocking unauthorized VPNs and anonymizers ensures all network traffic is subject to corporate security policies, reducing the risk of malware propagation, data exfiltration, and policy violations. This approach aligns with zero-trust principles and maintains network integrity while allowing legitimate business operations.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block VPN clients or anonymizers. NAT alone cannot enforce security policies or prevent users from bypassing controls.
C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but does not inspect applications or prevent bypass attempts. Adjusting TTL cannot enforce security controls.
D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity but does not prevent the use of unauthorized VPN clients or anonymizers. Static routes alone cannot enforce security policies.
Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that effectively prevents internal users from bypassing security controls. Therefore, A is correct.
Question 147
A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles to firewall policies. Per-IP traffic shaping enables administrators to define maximum, guaranteed, and priority bandwidth for individual users or devices. This prevents a single user from consuming excessive network resources, which could degrade overall performance for other users. Traffic shaping allows prioritization of critical business applications while limiting non-essential traffic. Applying traffic shaping profiles to firewall policies ensures that all sessions are monitored and enforced according to defined bandwidth limits. Logs provide visibility into per-user usage, policy enforcement, and traffic trends, supporting auditing, compliance, and operational monitoring. Policies can be applied per VLAN, department, or user group for granular control while maintaining operational flexibility. This configuration ensures equitable access to network resources, prevents congestion, maintains predictable network performance, and supports zero-trust principles by controlling individual usage. Traffic shaping combined with monitoring enables proactive bandwidth management, preventing excessive consumption by individual users and maintaining network stability.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not enforce per-user bandwidth limits. NAT alone cannot prevent excessive network consumption.
C) This describes increasing TTL for outbound sessions. TTL affects session lifespan but does not manage bandwidth. Adjusting TTL cannot enforce per-user network usage policies.
D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce per-user bandwidth limits. Static routes alone cannot manage network resources.
Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth usage and prevents network performance degradation caused by individual users. Therefore, A is correct.
Question 148
A FortiGate administrator wants to block malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, minimizing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic moving between VLANs. Antivirus scanning examines files, attachments, and executables to detect malware and ransomware. IPS monitors traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control enforces restrictions on unauthorized software, ensuring only approved applications can communicate across VLANs. SSL deep inspection ensures encrypted traffic is inspected. Logs provide detailed visibility into blocked traffic, enforcement actions, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control provides a robust defense while maintaining operational continuity. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration enforces zero-trust principles and prevents malware propagation while allowing legitimate business operations.
B) This describes enabling NAT on VLAN interfaces. NAT translates IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.
C) This describes increasing TTL for VLAN sessions. TTL affects packet lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware propagation.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that effectively prevents malware propagation while allowing legitimate traffic. Therefore, A is correct.
Question 149
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block C&C communications. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic stops malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates provide real-time protection against evolving threats. Combining DNS and web filter protections maintains network security without impacting legitimate traffic, enforces zero-trust principles, and reduces the risk of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communications. NAT alone cannot prevent botnet activity.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet activity.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet communications.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
Question 150
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if left uninspected, could allow malware, phishing attempts, or unauthorized applications to infiltrate internal networks. SSL deep inspection decrypts traffic, allowing antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content, while application control ensures only approved applications are allowed over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can minimize disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic cannot bypass security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration secures internal resources while enabling monitored access for remote employees.
B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
Question 151
A FortiGate administrator wants to prevent sensitive documents from being uploaded to unauthorized cloud storage services while allowing uploads to approved corporate cloud platforms. Which configuration should be applied?
A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services
Answer: A
Explanation
A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles provide granular control over sensitive data by inspecting traffic for confidential files, intellectual property, financial data, and personally identifiable information (PII). Administrators can specify which cloud platforms are approved for uploads, allowing legitimate business operations to continue while blocking attempts to transfer sensitive data to unauthorized services. SSL deep inspection ensures encrypted traffic is examined so that secure HTTPS uploads cannot bypass the DLP rules. The profiles can leverage content fingerprinting, keyword matching, and file type recognition to detect sensitive data with high accuracy. Logs provide detailed visibility into blocked and allowed uploads, enforcement actions, and user behavior, which supports auditing, regulatory compliance, and data protection initiatives. Policies can be applied per VLAN, department, or user group for granular control without disrupting legitimate workflows. This approach protects organizational data, enforces corporate policies, and reduces the risk of accidental or intentional data leaks while maintaining operational efficiency.
B) This describes enabling NAT on internal interfaces. NAT translates IP addresses for outbound traffic but does not inspect the contents of files or enforce DLP policies. NAT alone cannot prevent sensitive data uploads to unauthorized cloud services.
C) This describes increasing TTL for outbound HTTPS sessions. TTL affects packet lifespan but does not inspect content or enforce DLP policies. Adjusting TTL does not prevent data exfiltration.
D) This describes configuring static routes to corporate cloud services. Routing controls traffic paths but does not inspect the content of uploads or block unauthorized cloud services. Static routes alone cannot enforce DLP policies.
Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data is protected while allowing legitimate cloud uploads. Therefore, A is correct.
Question 152
A FortiGate administrator wants to enforce controlled access to social media websites during working hours while allowing access outside of business hours. Which configuration should be applied?
A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites
Answer: A
Explanation
A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles classify websites into categories such as social media, entertainment, business, and education. By combining category-based filtering with schedule-based enforcement, administrators can restrict access to social media sites during working hours while allowing unrestricted access after hours. SSL deep inspection ensures that encrypted HTTPS traffic is inspected, preventing users from bypassing policies using secure connections. Logs provide visibility into blocked and allowed traffic, user activity, and policy enforcement, supporting auditing, compliance, and productivity monitoring. Policies can be applied per VLAN, department, or user group for granular enforcement without impacting legitimate business activities. Category-based filtering reduces administrative overhead compared to manually maintaining URL lists and ensures consistent enforcement across the organization. This approach effectively balances network security, productivity, and user flexibility, allowing controlled access to social media without affecting business-critical operations.
B) This describes enabling NAT on internal interfaces. NAT changes IP addresses but does not inspect traffic or enforce web filtering or scheduling policies. NAT alone cannot control access to websites.
C) This describes increasing TTL for HTTP sessions. TTL affects packet lifespan but does not restrict access to websites or categories. Adjusting TTL cannot enforce schedule-based access control.
D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not inspect traffic or block access to websites. Static routes alone cannot enforce policy-based web access control.
Web filter profiles with category-based blocking and schedule-based policies are the only configuration that enforces controlled access to social media websites based on business hours. Therefore, A is correct.
Question 153
A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation separates critical systems from general user networks, reducing the risk of malware propagation. Inter-VLAN firewall policies inspect traffic moving between VLANs. Antivirus scanning analyzes files, attachments, and executables to detect malware, ransomware, and other malicious software. IPS monitors network traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control enforces restrictions on unauthorized software, ensuring only approved applications can communicate between VLANs. SSL deep inspection ensures encrypted traffic is inspected. Logs provide detailed visibility into blocked traffic, enforcement actions, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control ensures robust defense while maintaining operational continuity. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration aligns with zero-trust principles and prevents malware propagation while allowing legitimate business traffic.
B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or prevent malware. NAT alone cannot secure VLAN communications.
C) This describes increasing TTL for VLAN sessions. TTL affects packet lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware propagation.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that prevents malware propagation while allowing legitimate traffic. Therefore, A is correct.
Question 154
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block communications with C&C servers. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic prevents malware from receiving instructions, exfiltrating sensitive data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous FortiGuard updates provide real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain network security without impacting legitimate traffic, enforce zero-trust principles, and reduce the risk of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communication. NAT alone cannot prevent botnet activity.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communication.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet activity.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
Question 155
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if left uninspected, could allow malware, phishing attempts, or unauthorized applications to infiltrate internal networks. SSL deep inspection decrypts traffic so antivirus scanning can detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content, while application control ensures only approved applications are permitted over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can reduce disruption while maintaining security. Applying SSL deep inspection ensures encrypted traffic does not bypass security controls, enforces corporate policies, and maintains zero-trust principles for remote access. This configuration secures internal resources while enabling monitored access for remote employees.
B) This describes enabling NAT on SSL VPN interfaces. NAT changes IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session duration but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
Question 156
A FortiGate administrator wants to prevent internal users from bypassing security controls by using unauthorized VPN clients or anonymizers. Which configuration should be applied?
A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers
Answer: A
Explanation
A) This describes applying application control profiles with rules blocking VPN tunneling and anonymizer applications. Unauthorized VPN clients and anonymizers are commonly used by employees to bypass security controls, firewall policies, web filtering, or DLP enforcement. Application control analyzes network traffic to detect application signatures, tunneling protocols, and behavioral patterns associated with these unauthorized tools. By inspecting traffic at Layer 7, the FortiGate firewall can identify prohibited applications and block them effectively. SSL deep inspection ensures encrypted traffic is also examined, preventing users from circumventing the policy through secure HTTPS connections or other encrypted channels. Logs provide detailed visibility into policy enforcement, blocked attempts, and user activity, supporting auditing, compliance, and incident response initiatives. Policies can be applied per VLAN, department, or user group, enabling granular control while avoiding disruption to legitimate applications. Blocking unauthorized VPNs and anonymizers ensures all network traffic is visible and enforceable under corporate security policies, reduces the risk of malware propagation and data exfiltration, and supports zero-trust principles.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not inspect content or detect application usage. NAT alone cannot prevent unauthorized VPN clients or anonymizers from bypassing security controls.
C) This describes increasing TTL for outbound sessions. TTL affects the lifespan of network packets but does not provide application inspection or policy enforcement. Adjusting TTL does not prevent users from bypassing security controls.
D) This describes configuring static routes to trusted VPN servers. Routing ensures connectivity to authorized services but does not inspect traffic or block unauthorized applications. Static routes alone cannot enforce security policies or prevent bypass attempts.
Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that effectively prevents internal users from bypassing security controls. Therefore, A is correct.
Question 157
A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?
A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users
Answer: A
Explanation
A) This describes applying per-IP traffic shaping profiles to firewall policies. Traffic shaping allows administrators to control the maximum, guaranteed, and priority bandwidth for individual users or devices. By limiting per-user bandwidth, a single user cannot monopolize network resources, ensuring fair distribution of bandwidth among all users. Traffic shaping can prioritize critical business applications, limit non-essential traffic, and prevent network congestion. When applied to firewall policies, traffic shaping is enforced for all sessions, including HTTP, HTTPS, and application traffic. Logs provide detailed insights into per-user consumption, policy enforcement, and traffic trends, supporting auditing, compliance, and performance monitoring. Policies can be applied per VLAN, department, or user group, offering granular control while preserving network performance for legitimate business operations. This configuration ensures equitable access to network resources, prevents service degradation, and supports zero-trust principles by controlling individual usage. By proactively managing bandwidth, administrators can maintain predictable performance and prevent excessive consumption that could affect critical services.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not enforce bandwidth limits. NAT alone cannot prevent excessive usage by individual users.
C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but does not provide bandwidth management or per-user controls. Adjusting TTL cannot prevent network congestion or enforce fair usage policies.
D) This describes configuring static routes for internal users. Routing ensures connectivity but does not enforce bandwidth limits. Static routes alone cannot manage network resource allocation.
Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures fair bandwidth distribution and prevents individual users from consuming excessive network resources. Therefore, A is correct.
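As an added configuration example (not from the original page or from Fortinet), the per-IP shaper described above can be defined in the FortiOS CLI and applied through a shaping policy that matches the same traffic as the firewall policy. The shaper name, the bandwidth figures, the session cap, the interface names, and the policy ID are all assumptions chosen for illustration.

```fortios
# Added example, not from the page. Values and names are assumptions.
# A per-IP shaper applies the limit separately to every source IP that
# matches, so each user gets at most this much rather than the whole group.
config firewall shaper per-ip-shaper
    edit "per-user-5mbps"
        set max-bandwidth 5000
        set bandwidth-unit kbps
        # Also cap how many concurrent sessions one host may hold open,
        # which contains scanners and runaway clients as well as downloads.
        set max-concurrent-session 500
    next
end

# Shaping policies are evaluated after the firewall policy that accepted
# the session; match the same source/destination so the limit applies to
# all of that user's traffic (HTTP, HTTPS, and other applications alike).
config firewall shaping-policy
    edit 0
        set name "limit-per-user-outbound"
        set status enable
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set per-ip-shaper "per-user-5mbps"
    next
end
```

Per-IP consumption can be checked with `diagnose firewall shaper per-ip-shaper list`, which reports current bandwidth and session counts per address so that the limit can be tuned before it interferes with legitimate work.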
Question 158
A FortiGate administrator wants to block malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?
A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs
Answer: A
Explanation
A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates sensitive systems from general user networks, minimizing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic moving between VLANs. Antivirus scanning analyzes files, attachments, and executables to detect malware and ransomware. IPS monitors network traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control enforces restrictions on unauthorized software, allowing only approved applications to communicate. SSL deep inspection ensures that encrypted traffic is also inspected. Logs provide visibility into blocked traffic, enforcement actions, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control provides robust defense without affecting legitimate business traffic. Policies can be applied per VLAN, department, or user group for granular enforcement. This configuration adheres to zero-trust principles and prevents malware propagation while maintaining operational continuity.
B) This describes enabling NAT on VLAN interfaces. NAT translates IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.
C) This describes increasing TTL for VLAN sessions. TTL affects session lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware or ransomware propagation.
D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.
Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that effectively prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.
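As an added configuration example that is not part of the original page or Fortinet's documentation, and which serves both Question 153 and Question 158 above, this is an inter-VLAN firewall policy carrying antivirus, IPS, and application control profiles. The VLAN interface names, the address objects, the policy name, and the choice of the built-in "default" profiles are assumptions; in practice each profile would be tuned for the traffic between those two segments.

```fortios
# Added example, not from the page. Interface and object names are assumptions.
# Traffic from the user VLAN to the server VLAN is allowed only if it passes
# antivirus, IPS, and application control; everything else hits the implicit deny.
config firewall policy
    edit 0
        set name "vlan10-users-to-vlan20-servers"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "vlan10-net"
        set dstaddr "vlan20-net"
        set action accept
        set schedule "always"
        # Restrict to the services the business actually needs between segments.
        set service "HTTPS" "SMB"
        # Proxy inspection lets antivirus scan whole files rather than flows.
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
        # Log every session, not only UTM events, so lateral movement is visible.
        set logtraffic all
        # No NAT between internal segments: keep real source addresses in the logs.
        set nat disable
    next
end
```

The reverse direction (servers to users) needs its own policy; with no matching policy the implicit deny drops it, which is the intended default for a segmented network.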
Question 159
A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?
A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers
Answer: A
Explanation
A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block communications with C&C servers. SSL deep inspection ensures encrypted traffic is also analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic stops malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. Continuous updates from FortiGuard ensure real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain network security without affecting legitimate traffic, enforce zero-trust principles, and mitigate the risk of internal hosts being compromised.
B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communication. NAT alone cannot prevent botnet activity.
C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communications.
D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet activity.
Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.
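As an added configuration example (not from the original page or from Fortinet) serving both Question 154 and Question 159, this enables botnet C&C blocking in a DNS filter profile and applies it, together with IPS-based botnet connection scanning, to the outbound policy. The profile names, interface names, and policy name are assumptions. The DNS filter option `block-botnet` is a real FortiOS setting; the IPS sensor option `scan-botnet-connections` is included as an assumption about where the FortiGuard botnet IP list is enforced and should be confirmed on your firmware version.

```fortios
# Added example, not from the page. Names are assumptions.
# DNS filter: refuse to resolve domains FortiGuard has tagged as botnet C&C,
# so an infected host never learns the address of its controller.
config dnsfilter profile
    edit "block-botnet-dns"
        set comment "Block resolution of FortiGuard botnet C&C domains"
        set block-botnet enable
        set log-all-domains disable
    next
end

# IPS sensor: assumed location of the botnet connection scan, which blocks
# direct connections to known C&C IP addresses that bypass DNS entirely.
config ips sensor
    edit "ips-with-botnet-block"
        set comment "Default signatures plus botnet C&C IP blocking"
        set scan-botnet-connections block
        config entries
            edit 1
                set severity medium high critical
                set action default
                set status enable
            next
        end
    next
end

config firewall policy
    edit 0
        set name "lan-to-wan-cnc-block"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set dnsfilter-profile "block-botnet-dns"
        set ips-sensor "ips-with-botnet-block"
        set logtraffic all
        set nat enable
    next
end
```

A blocked resolution shows up in the DNS filter log with the source host, which is the signal to pull that endpoint for investigation; the DNS block alone tells you a host is infected even though the connection itself never completed.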
Question 160
A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?
A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users
Answer: A
Explanation
A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows encrypted remote access to internal resources, which, if left uninspected, could allow malware, phishing attacks, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic, enabling antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures only approved applications are allowed over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can reduce disruption while maintaining security. SSL deep inspection ensures encrypted traffic cannot bypass security policies, enforces corporate policies, and supports zero-trust principles for remote access. This configuration secures internal resources while allowing monitored remote access.
B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.
C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.
D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce policies. Static routes alone cannot secure SSL VPN sessions.
SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
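As an added configuration example (not from the original page or from Fortinet) covering both Question 155 and Question 160, this is the firewall policy that governs traffic arriving from SSL VPN users, with deep inspection and the antivirus, web filter, and application control profiles attached. The user group name, the internal interface name, and the policy name are assumptions; `ssl.root` is the built-in SSL VPN tunnel interface and `SSLVPN_TUNNEL_ADDR1` the default tunnel address pool, and "deep-inspection" is the built-in profile that decrypts rather than only checking certificates.

```fortios
# Added example, not from the page. Group and interface names are assumptions.
# Traffic from remote users enters on ssl.root; inspect it like any other
# untrusted source rather than trusting it because it came through the VPN.
config firewall policy
    edit 0
        set name "sslvpn-users-to-internal"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        # Assumed group: only authenticated members of this group match.
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set utm-status enable
        # "deep-inspection" decrypts HTTPS; "certificate-inspection" would only
        # read the certificate and leave file content invisible to antivirus.
        set ssl-ssh-profile "deep-inspection"
        set av-profile "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set nat disable
    next
end
```

Deep inspection requires the FortiGate CA certificate on the remote endpoints, otherwise users see certificate warnings; sites that pin certificates or that policy forbids decrypting (banking, health) are carried as exemptions inside the "deep-inspection" profile rather than by turning inspection off for the policy.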