Fortinet FCSS_EFW_AD-7.4 FCSS – Enterprise Firewall 7.4 Administrator Exam Dumps and Practice Test Questions Set 9 Q 161-180

Question 161

A FortiGate administrator wants to prevent sensitive documents from being uploaded to unauthorized cloud storage services while allowing uploads to approved corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles inspect traffic to identify sensitive data, such as confidential documents, financial data, personally identifiable information (PII), and intellectual property, before it leaves the corporate network. By creating allowed and blocked cloud application lists, administrators can enforce corporate-approved cloud services while preventing uploads to unauthorized platforms. SSL deep inspection decrypts encrypted HTTPS traffic, allowing DLP to scan content that would otherwise bypass policy enforcement. Fingerprinting, keyword matching, and file type analysis increase accuracy in identifying sensitive content. Logs provide visibility into blocked uploads, user behavior, and enforcement actions, supporting auditing, compliance, and regulatory requirements. Policies can be applied to specific VLANs, user groups, or departments for granular control without disrupting legitimate workflows. This approach protects sensitive corporate data, mitigates insider threats, ensures regulatory compliance, and maintains operational efficiency.

B) This describes enabling NAT on internal interfaces. NAT translates IP addresses for outbound traffic but does not inspect file content or enforce DLP policies. NAT alone cannot prevent sensitive data uploads to unauthorized cloud services.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects the lifespan of network packets but does not inspect content or enforce data protection policies. Adjusting TTL does not prevent sensitive data exfiltration.

D) This describes configuring static routes to corporate cloud services. Routing controls traffic paths but does not inspect file content or block unauthorized cloud uploads. Static routes alone cannot enforce DLP policies.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing legitimate cloud uploads. Therefore, A is correct.

Question 162

A FortiGate administrator wants to enforce controlled access to social media websites during working hours while allowing access outside of business hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles classify websites into categories, such as social media, entertainment, education, and business. By combining category-based filtering with scheduled enforcement, administrators can restrict access to social media during working hours while allowing unrestricted access outside business hours. SSL deep inspection ensures encrypted HTTPS traffic is inspected, preventing users from bypassing filters with secure connections. Logs provide detailed insights into blocked traffic, allowed traffic, and policy enforcement, supporting auditing, productivity monitoring, and compliance. Policies can be applied per VLAN, department, or user group for granular enforcement without affecting legitimate business activities. Category-based filtering reduces the administrative burden compared to manually maintaining URL lists and ensures consistent enforcement across the organization. This configuration balances security, employee productivity, and operational flexibility while maintaining controlled access to non-business-related sites during business hours.

B) This describes enabling NAT on internal interfaces. NAT changes IP addresses for outbound traffic but does not inspect traffic or enforce category-based filtering. NAT alone cannot control access to websites.

C) This describes increasing TTL for HTTP sessions. TTL affects the lifespan of packets but does not inspect traffic or enforce access control policies. Adjusting TTL cannot restrict social media access.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not provide filtering or scheduling functionality. Static routes alone cannot block access to social media websites.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that enforces controlled access to social media based on business hours. Therefore, A is correct.

Question 163

A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation separates sensitive or critical systems from general user networks, limiting the propagation of malware. Inter-VLAN firewall policies inspect all traffic traversing between VLANs. Antivirus scanning analyzes files, attachments, and executables to detect malware, ransomware, or other malicious software. IPS identifies known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control ensures that only approved software can communicate, blocking unauthorized applications. SSL deep inspection allows encrypted traffic to be scanned for threats. Logs provide visibility into blocked traffic, enforcement actions, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control ensures a comprehensive defense without disrupting legitimate business traffic. Policies can be applied per VLAN, department, or user group for granular control. This configuration aligns with zero-trust principles and prevents malware propagation while maintaining operational continuity.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects packet lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL does not prevent malware propagation.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware spread.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that effectively prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 164

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to detect malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block connections to C&C servers. SSL deep inspection ensures encrypted traffic is also analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic stops malware from receiving instructions, exfiltrating sensitive data, or participating in coordinated attacks. Logs provide detailed visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. FortiGuard updates provide real-time protection against evolving threats. Combining DNS and web filter protections maintains network security without impacting legitimate traffic, enforces zero-trust principles, and mitigates the risk of internal hosts being compromised.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communication. NAT alone cannot prevent botnet activity.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communications.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet activity.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 165

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN allows remote users to securely access internal resources over encrypted channels, which, if uninspected, could allow malware, phishing attacks, or unauthorized applications to enter the network. SSL deep inspection decrypts traffic so antivirus scanning can detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures that only approved applications are allowed over SSL VPN connections. Logs provide detailed visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to minimize disruption while maintaining security. SSL deep inspection ensures that encrypted traffic cannot bypass security controls, enforces corporate policies, and supports zero-trust principles for remote access. This configuration secures internal resources while enabling monitored remote access.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 166

A FortiGate administrator wants to prevent sensitive documents from being uploaded to unauthorized cloud storage services while allowing uploads to approved corporate cloud platforms. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound HTTPS sessions
D) Configure static routes to corporate cloud services

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked cloud application lists. DLP profiles inspect network traffic to identify sensitive information such as intellectual property, confidential business data, financial records, and personally identifiable information (PII). By creating allowed and blocked cloud application lists, administrators ensure that users can only upload sensitive files to authorized corporate cloud platforms while preventing uploads to unauthorized cloud services. SSL deep inspection decrypts encrypted traffic, enabling DLP to inspect HTTPS uploads, which would otherwise bypass policy enforcement. Fingerprinting, keyword matching, and file type analysis enhance the accuracy of sensitive content detection. Logs provide visibility into blocked and allowed uploads, user activity, and enforcement actions, supporting auditing, regulatory compliance, and data protection requirements. Policies can be applied to VLANs, departments, or specific user groups to ensure granular enforcement without disrupting legitimate business operations. This configuration reduces the risk of insider threats, accidental leaks, and regulatory violations, while maintaining operational continuity and business productivity.

B) This describes enabling NAT on internal interfaces. NAT translates IP addresses for outbound traffic but does not inspect content or enforce DLP policies. NAT alone cannot prevent sensitive data from being uploaded to unauthorized services.

C) This describes increasing TTL for outbound HTTPS sessions. TTL affects packet lifespan but does not inspect data or enforce security policies. Adjusting TTL does not prevent data exfiltration.

D) This describes configuring static routes to corporate cloud services. Routing controls the path traffic takes but does not inspect file content or block unauthorized uploads. Static routes alone cannot enforce DLP policies.

Applying DLP profiles with allowed and blocked cloud application lists is the only configuration that ensures sensitive data protection while allowing legitimate cloud uploads. Therefore, A is correct.

Question 167

A FortiGate administrator wants to enforce controlled access to social media websites during working hours while allowing access outside of business hours. Which configuration should be applied?

A) Apply a web filter profile with category-based blocking and schedule-based policies
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to social media websites

Answer: A

Explanation

A) This describes applying a web filter profile with category-based blocking and schedule-based policies. Web filter profiles classify websites into categories, such as social media, entertainment, education, and business. By combining category-based filtering with time-based schedules, administrators can restrict access to social media during working hours while allowing unrestricted access outside business hours. SSL deep inspection ensures encrypted HTTPS traffic is inspected, preventing users from bypassing policies using secure connections. Logs provide detailed visibility into blocked and allowed traffic, enforcement actions, and user activity, supporting auditing, compliance, and productivity monitoring. Policies can be applied per VLAN, department, or user group to provide granular control without disrupting legitimate business operations. Category-based filtering reduces administrative overhead compared to manually maintaining lists of URLs, ensuring consistent enforcement and compliance across the organization. This approach balances productivity, employee flexibility, and network security.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not inspect traffic or enforce category-based web access policies. NAT alone cannot block access to social media websites.

C) This describes increasing TTL for HTTP sessions. TTL affects packet lifespan but does not enforce access control policies or restrict website access. Adjusting TTL cannot achieve controlled web access.

D) This describes configuring static routes to social media websites. Routing ensures connectivity but does not inspect traffic or enforce web filtering policies. Static routes alone cannot block social media access.

Web filter profiles with category-based blocking and schedule-based policies are the only configuration that enforces controlled access to social media based on business hours. Therefore, A is correct.

Question 168

A FortiGate administrator wants to prevent malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, reducing the risk of malware propagation. Inter-VLAN firewall policies inspect all traffic moving between VLANs. Antivirus scanning examines files, attachments, and executables to detect malware, ransomware, and other malicious software. IPS monitors traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading. Application control ensures that only approved applications communicate across VLANs, blocking unauthorized software. SSL deep inspection allows encrypted traffic to be inspected for threats. Logs provide visibility into blocked traffic, enforcement actions, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control ensures robust security without affecting legitimate business operations. Policies can be applied per VLAN, department, or user group for granular enforcement. This approach aligns with zero-trust principles and prevents malware propagation while maintaining operational continuity.

B) This describes enabling NAT on VLAN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects packet lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware propagation.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware propagation.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that effectively prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 169

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking leverages FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving malicious domains, while web filtering inspects HTTP and HTTPS traffic to block communication with C&C servers. SSL deep inspection ensures encrypted traffic is analyzed, preventing malware-infected hosts from bypassing policies. Blocking C&C traffic prevents malware from receiving commands, exfiltrating data, or participating in coordinated attacks. Logs provide detailed visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. FortiGuard updates provide continuous real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain network security without affecting legitimate traffic, enforce zero-trust principles, and reduce the risk of internal hosts being compromised.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communications. NAT alone cannot prevent botnet activity.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communication.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet activity.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 170

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if uninspected, could allow malware, phishing attempts, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic, enabling antivirus scanning to detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures that only approved applications are allowed over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to reduce disruption while maintaining security. SSL deep inspection ensures encrypted traffic cannot bypass corporate security policies, enforces organizational policies, and aligns with zero-trust principles for remote access. This configuration secures internal resources while enabling monitored and controlled remote access.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 171

A FortiGate administrator wants to prevent internal users from bypassing security controls by using unauthorized VPN clients or anonymizers. Which configuration should be applied?

A) Apply application control profiles with rules blocking VPN tunneling and anonymizer applications
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes to trusted VPN servers

Answer: A

Explanation

A) This describes applying application control profiles with rules blocking VPN tunneling and anonymizer applications. Unauthorized VPN clients and anonymizers are frequently used to circumvent corporate security policies, firewall rules, antivirus scanning, web filtering, or data loss prevention mechanisms. Application control enables the FortiGate firewall to analyze traffic patterns, protocol signatures, and application behavior, ensuring that unauthorized tunneling or anonymization software is detected and blocked. SSL deep inspection ensures that encrypted traffic is also inspected, preventing users from bypassing controls via HTTPS or other encrypted protocols. Logs provide administrators with detailed visibility into enforcement actions, blocked attempts, and user behavior, which is essential for auditing, compliance, and incident response. Policies can be applied on a per-VLAN, per-department, or per-user basis, allowing granular enforcement without affecting legitimate applications. Blocking unauthorized VPNs and anonymizers ensures all traffic passes through corporate security policies, reducing the risk of malware propagation, data exfiltration, and compliance violations. This aligns with zero-trust principles and maintains the integrity of the internal network while allowing authorized business operations.

B) This describes enabling NAT on internal interfaces. NAT translates IP addresses but does not inspect traffic or detect application usage. NAT alone cannot prevent users from bypassing security controls using VPN clients or anonymizers.

C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but provides no mechanism to detect or block unauthorized applications. Adjusting TTL cannot prevent security bypass attempts.

D) This describes configuring static routes to trusted VPN servers. While routing ensures connectivity to authorized VPN servers, it does not inspect traffic or enforce application control policies. Static routes alone cannot prevent bypass attempts or unauthorized traffic.

Application control profiles with rules blocking VPN tunneling and anonymizer applications are the only configuration that effectively prevents internal users from bypassing security controls. Therefore, A is correct.

Question 172

A FortiGate administrator wants to enforce per-user bandwidth limits to prevent a single user from consuming excessive network resources. Which configuration should be applied?

A) Apply per-IP traffic shaping profiles to firewall policies
B) Enable NAT on internal interfaces
C) Increase TTL for outbound sessions
D) Configure static routes for internal users

Answer: A

Explanation

A) This describes applying per-IP traffic shaping profiles to firewall policies. Traffic shaping allows administrators to define maximum, guaranteed, and priority bandwidth for individual users or IP addresses. This prevents any single user from monopolizing network resources, ensuring equitable access for all users. Traffic shaping can prioritize critical business applications while limiting bandwidth for non-essential traffic, maintaining optimal performance across the network. When applied to firewall policies, traffic shaping is enforced for all sessions, including HTTP, HTTPS, and application-specific traffic. Logs provide insights into per-user bandwidth consumption, enforcement actions, and traffic trends, supporting auditing, performance monitoring, and compliance. Policies can be applied per VLAN, department, or user group for granular control. This ensures fair bandwidth allocation, prevents network congestion, and maintains predictable performance for business-critical applications. By actively managing bandwidth, administrators reduce the risk of service degradation caused by individual users consuming excessive resources.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not enforce per-user bandwidth limits. NAT alone cannot prevent excessive usage by individual users.

C) This describes increasing TTL for outbound sessions. TTL affects packet lifespan but does not provide bandwidth management. Adjusting TTL cannot enforce fair bandwidth allocation.

D) This describes configuring static routes for internal users. Routing ensures connectivity but does not provide bandwidth control. Static routes alone cannot manage per-user resource usage.

Applying per-IP traffic shaping profiles to firewall policies is the only configuration that ensures equitable bandwidth distribution and prevents network performance degradation caused by individual users. Therefore, A is correct.

Question 173

A FortiGate administrator wants to block malware, ransomware, and unauthorized applications from spreading between internal VLANs while allowing legitimate business traffic. Which configuration should be applied?

A) Apply inter-VLAN firewall policies with antivirus, IPS, and application control profiles
B) Enable NAT on VLAN interfaces
C) Increase TTL for VLAN sessions
D) Configure static routes between VLANs

Answer: A

Explanation

A) This describes applying inter-VLAN firewall policies with antivirus, intrusion prevention system (IPS), and application control profiles. VLAN segmentation isolates critical systems from general user networks, limiting the potential spread of malware. Inter-VLAN firewall policies inspect traffic moving between VLANs. Antivirus scanning analyzes files, attachments, and executables to detect malware, ransomware, and other threats. IPS monitors traffic for known attack signatures, anomalies, and exploit attempts, preventing malware from spreading across VLANs. Application control enforces restrictions on unauthorized software, allowing only approved applications to communicate between VLANs. SSL deep inspection ensures encrypted traffic is inspected, preventing malware from bypassing policies via HTTPS. Logs provide visibility into blocked traffic, enforcement actions, and inter-VLAN communications, supporting auditing, compliance, and incident response. Layering antivirus, IPS, and application control ensures robust protection without impacting legitimate business traffic. Policies can be applied per VLAN, department, or user group for granular control. This approach supports zero-trust principles and prevents malware propagation while maintaining operational continuity.

B) This describes enabling NAT on VLAN interfaces. NAT translates IP addresses but does not inspect traffic or block malware. NAT alone cannot prevent threats between VLANs.

C) This describes increasing TTL for VLAN sessions. TTL affects packet lifespan but does not provide antivirus, IPS, or application control. Adjusting TTL cannot prevent malware propagation.

D) This describes configuring static routes between VLANs. Routing ensures connectivity but does not inspect traffic or enforce security policies. Static routes alone cannot prevent malware spread.

Inter-VLAN firewall policies with antivirus, IPS, and application control profiles are the only configuration that effectively prevents malware propagation while allowing legitimate business traffic. Therefore, A is correct.

Question 174

A FortiGate administrator wants to block internal hosts from communicating with known botnet command-and-control servers. Which configuration should be applied?

A) Enable botnet C&C blocking in DNS filter and web filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for outbound traffic
D) Configure static routes to external servers

Answer: A

Explanation

A) This describes enabling botnet command-and-control (C&C) blocking in DNS filter and web filter profiles. Botnet C&C blocking uses FortiGuard threat intelligence to identify malicious domains, IP addresses, and URLs associated with botnet infrastructure. DNS filtering prevents internal hosts from resolving these domains, while web filtering inspects HTTP and HTTPS traffic to block communication with C&C servers. SSL deep inspection ensures encrypted traffic is inspected, preventing malware-infected hosts from bypassing controls. Blocking C&C traffic prevents malware from receiving commands, exfiltrating sensitive data, or participating in coordinated attacks. Logs provide detailed visibility into blocked connections, enforcement actions, and potential infections, supporting auditing, compliance, and incident response. FortiGuard updates provide real-time protection against evolving threats. By combining DNS and web filter protections, administrators maintain network security without impacting legitimate traffic, enforce zero-trust principles, and mitigate the risk of internal hosts being compromised.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect traffic or block malicious communication. NAT alone cannot prevent botnet activity.

C) This describes increasing TTL for outbound traffic. TTL affects packet lifespan but does not inspect traffic or block C&C communications. Adjusting TTL cannot prevent malware or botnet communication.

D) This describes configuring static routes to external servers. Routing ensures connectivity but does not inspect traffic or block malicious communications. Static routes alone cannot prevent botnet activity.

Enabling botnet C&C blocking in DNS filter and web filter profiles is the only configuration that effectively prevents internal hosts from communicating with malicious servers. Therefore, A is correct.

Question 175

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if uninspected, could allow malware, phishing attempts, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic so antivirus scanning can detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures only approved applications are allowed over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to minimize disruption while maintaining security. SSL deep inspection ensures encrypted traffic cannot bypass corporate security policies, enforces organizational policies, and supports zero-trust principles for remote access. This configuration secures internal resources while enabling monitored and controlled remote access.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.

Question 176

A FortiGate administrator wants to prevent sensitive information from leaving the corporate network through unauthorized email services while allowing access to corporate-approved email servers. Which configuration should be applied?

A) Apply Data Loss Prevention (DLP) profiles with allowed and blocked email server lists
B) Enable NAT on internal interfaces
C) Increase TTL for outbound SMTP sessions
D) Configure static routes to corporate email servers

Answer: A

Explanation

A) This describes applying Data Loss Prevention (DLP) profiles with allowed and blocked email server lists. DLP profiles inspect network traffic for sensitive content, such as financial data, intellectual property, personally identifiable information (PII), or confidential corporate documents. By defining allowed and blocked email server lists, administrators can enforce access to corporate-approved email services while preventing outbound transmission of sensitive information to unauthorized email servers. SSL deep inspection ensures that encrypted SMTP and HTTPS traffic is inspected, preventing bypass via encrypted channels. Techniques such as keyword matching, file type detection, and content fingerprinting improve accuracy in detecting sensitive content. Logs provide visibility into blocked and allowed messages, user activity, and enforcement actions, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, user group, or department for granular enforcement without disrupting legitimate email usage. This approach mitigates the risk of data exfiltration, accidental leaks, and regulatory violations, while maintaining operational continuity and productivity.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses for outbound traffic but does not inspect email content or enforce DLP policies. NAT alone cannot prevent sensitive information from being transmitted via unauthorized email services.

C) This describes increasing TTL for outbound SMTP sessions. TTL affects packet lifespan but does not inspect traffic or enforce DLP policies. Adjusting TTL cannot prevent data leaks through email.

D) This describes configuring static routes to corporate email servers. Routing ensures connectivity but does not inspect content or block unauthorized email access. Static routes alone cannot enforce DLP policies.

Applying DLP profiles with allowed and blocked email server lists is the only configuration that ensures sensitive data protection while allowing legitimate email communications. Therefore, A is correct.

Question 177

A FortiGate administrator wants to prevent internal users from using anonymizing proxies to bypass web filtering policies. Which configuration should be applied?

A) Apply application control profiles blocking anonymizing proxy applications
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP sessions
D) Configure static routes to trusted proxy servers

Answer: A

Explanation

A) This describes applying application control profiles blocking anonymizing proxy applications. Anonymizing proxies allow users to circumvent web filtering policies by masking the true destination or content of web traffic. Application control inspects network traffic at Layer 7 to identify tunneling protocols and proxy software signatures. SSL deep inspection ensures that encrypted HTTPS traffic is also inspected, preventing users from bypassing policies with secure connections. Logs provide visibility into attempted connections, blocked activity, and user behavior, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement without affecting legitimate traffic. Blocking anonymizing proxies ensures that web filtering and security policies are fully enforced, maintaining network visibility and reducing the risk of malware, data exfiltration, or access to inappropriate content. By proactively controlling application usage, administrators can preserve productivity and enforce corporate compliance requirements.

B) This describes enabling NAT on internal interfaces. NAT translates IP addresses for outbound traffic but does not inspect traffic or block applications. NAT alone cannot prevent users from bypassing web filtering with anonymizing proxies.

C) This describes increasing TTL for HTTP sessions. TTL affects packet lifespan but does not provide application inspection or policy enforcement. Adjusting TTL cannot block anonymizing proxies.

D) This describes configuring static routes to trusted proxy servers. Routing ensures connectivity but does not inspect traffic or enforce application control policies. Static routes alone cannot prevent bypass attempts.

Application control profiles blocking anonymizing proxy applications are the only configuration that effectively enforces web filtering policies by preventing bypass through proxies. Therefore, A is correct.

Question 178

A FortiGate administrator wants to enforce bandwidth limits for video streaming during business hours while allowing unrestricted access after hours. Which configuration should be applied?

A) Apply traffic shaping profiles with per-application limits and schedules
B) Enable NAT on internal interfaces
C) Increase TTL for HTTP and HTTPS sessions
D) Configure static routes for video streaming servers

Answer: A

Explanation

A) This describes applying traffic shaping profiles with per-application limits and schedules. Traffic shaping allows administrators to define maximum bandwidth for specific applications, such as video streaming, and schedule enforcement during defined periods. By combining per-application shaping with time-based policies, administrators can limit video streaming bandwidth during business hours while allowing unrestricted access outside of business hours. Application control identifies and classifies video streaming applications, while traffic shaping enforces bandwidth limits. Logs provide visibility into bandwidth usage, enforcement actions, and policy compliance. Policies can be applied per VLAN, department, or user group for granular control. This configuration ensures critical business applications maintain priority, prevents network congestion, and balances employee productivity with leisure access. By proactively managing bandwidth, administrators maintain predictable network performance and avoid service degradation caused by high-consumption applications.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not enforce per-application or time-based bandwidth limits. NAT alone cannot manage video streaming usage.

C) This describes increasing TTL for HTTP and HTTPS sessions. TTL affects packet lifespan but does not provide application identification or bandwidth control. Adjusting TTL cannot limit streaming traffic.

D) This describes configuring static routes for video streaming servers. Routing ensures connectivity but does not inspect traffic or enforce bandwidth limits. Static routes alone cannot manage streaming bandwidth.

Traffic shaping profiles with per-application limits and schedules are the only configuration that effectively enforces controlled video streaming bandwidth during business hours. Therefore, A is correct.

Question 179

A FortiGate administrator wants to block malware and ransomware from entering the network through email attachments. Which configuration should be applied?

A) Apply antivirus scanning and attachment inspection in email filter profiles
B) Enable NAT on internal interfaces
C) Increase TTL for SMTP sessions
D) Configure static routes for email servers

Answer: A

Explanation

A) This describes applying antivirus scanning and attachment inspection in email filter profiles. Email is a primary vector for malware and ransomware attacks. Antivirus scanning inspects attachments for known malware signatures, behavioral anomalies, and heuristic threats. Attachment inspection ensures that dangerous file types, executables, or suspicious macros are analyzed before delivery. SSL deep inspection allows encrypted email traffic to be scanned, preventing threats hidden in secure channels. Logs provide visibility into blocked emails, quarantined attachments, and user activity, supporting auditing, compliance, and incident response. Policies can be applied per VLAN, department, or user group for granular enforcement without disrupting legitimate email communications. By enforcing antivirus and attachment inspection, organizations prevent malware propagation, protect endpoints, reduce the risk of ransomware outbreaks, and ensure compliance with regulatory standards.

B) This describes enabling NAT on internal interfaces. NAT modifies IP addresses but does not inspect email content or block malware. NAT alone cannot secure email.

C) This describes increasing TTL for SMTP sessions. TTL affects packet lifespan but does not provide content inspection or malware detection. Adjusting TTL cannot prevent email-borne malware.

D) This describes configuring static routes for email servers. Routing ensures connectivity but does not inspect content or enforce security policies. Static routes alone cannot prevent malware from entering via email.

Antivirus scanning and attachment inspection in email filter profiles are the only configuration that effectively blocks malware and ransomware from email attachments. Therefore, A is correct.

Question 180

A FortiGate administrator wants to enforce secure SSL VPN access for remote users while scanning all traffic for malware, phishing, and unauthorized applications. Which configuration should be applied?

A) Apply SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies
B) Enable NAT on SSL VPN interfaces
C) Increase TTL for SSL VPN sessions
D) Configure static routes for SSL VPN users

Answer: A

Explanation

A) This describes applying SSL deep inspection profiles with antivirus, web filter, and application control to SSL VPN policies. SSL VPN provides encrypted remote access to internal resources, which, if uninspected, could allow malware, phishing attempts, or unauthorized applications to infiltrate the network. SSL deep inspection decrypts traffic so antivirus scanning can detect malware, ransomware, and trojans. Web filtering blocks access to malicious websites, phishing domains, and inappropriate content. Application control ensures that only approved applications are allowed over SSL VPN connections. Logs provide visibility into blocked traffic, detected threats, and enforcement actions, supporting auditing, compliance, and incident response. Trusted exceptions can be configured to reduce disruption while maintaining security. SSL deep inspection ensures encrypted traffic cannot bypass corporate security policies, enforces organizational policies, and supports zero-trust principles for remote access. This configuration secures internal resources while enabling monitored and controlled remote access.

B) This describes enabling NAT on SSL VPN interfaces. NAT modifies IP addresses but does not inspect traffic or block malware or unauthorized applications. NAT alone cannot secure SSL VPN access.

C) This describes increasing TTL for SSL VPN sessions. TTL affects session lifespan but does not inspect traffic or enforce security policies. Adjusting TTL cannot prevent malware or unauthorized applications.

D) This describes configuring static routes for SSL VPN users. Routing ensures connectivity but does not inspect traffic or enforce policies. Static routes alone cannot secure SSL VPN sessions.

SSL deep inspection with antivirus, web filter, and application control applied to SSL VPN policies is the only configuration that ensures secure, monitored remote access. Therefore, A is correct.
