Fortinet NSE7_PBC-7.2 Exam Dumps & Practice Test Questions
Question 1:
A network administrator is using FortiManager to apply bulk CLI script configurations to multiple FortiGate devices. Which of the following statements are accurate regarding these changes? (Select two.)
A. Changes executed on the Policy Package within the ADOM database are applied immediately to the managed FortiGate devices.
B. Changes executed in the Device Database require the administrator to use the installation wizard to apply them to the managed FortiGate devices.
C. When changes are executed across all FortiGate devices in the ADOM, they are automatically installed without generating a new revision history.
D. When modifications are applied directly to a remote FortiGate device, administrators cannot review or confirm the changes before installation.
Answer: B, D
Explanation:
FortiManager is a centralized management platform that allows administrators to manage multiple FortiGate devices through features such as bulk CLI script configurations. It operates with ADOMs (Administrative Domains) to segment configurations and policies for different groups of devices.
Here’s an analysis of each statement:
A. Changes executed on the Policy Package within the ADOM database are applied immediately to the managed FortiGate devices.
Incorrect. Changes made within the Policy Package in FortiManager’s ADOM database do not apply immediately. Once changes are made, they need to be installed to the managed FortiGate devices. FortiManager uses a revision-based approach, meaning configurations are not applied instantly but are subject to a review process before being committed to the devices.
B. Changes executed in the Device Database require the administrator to use the installation wizard to apply them to the managed FortiGate devices.
Correct. The Device Database in FortiManager is where specific configurations for individual devices are stored. When changes are made here, they must be installed to the managed FortiGate devices using the installation wizard. This ensures the configurations are applied to the devices in a controlled manner, providing an additional layer of verification.
C. When changes are executed across all FortiGate devices in the ADOM, they are automatically installed without generating a new revision history.
Incorrect. Any changes made in FortiManager, including those across multiple FortiGate devices in an ADOM, generate a new revision in the revision history. This revision system allows administrators to track changes, revert configurations if needed, and ensure a structured process for applying changes.
D. When modifications are applied directly to a remote FortiGate device, administrators cannot review or confirm the changes before installation.
Correct. When configurations are applied directly to a remote FortiGate device (via a direct configuration), FortiManager does not require a review or confirmation before the changes are applied. This is a less controlled process compared to making changes through the ADOM database, where changes can be reviewed and confirmed before installation.
Thus, the correct answers are B and D.
Question 2:
What tasks are automated by the Install Wizard in FortiManager? (Choose two.)
A. Display pending configuration changes for the managed devices.
B. Add new devices to FortiManager's management.
C. Retrieve policy packages from the managed devices.
D. Apply configuration changes to the managed devices.
E. Retrieve interface mappings from the managed devices.
Answer: A, D
Explanation:
The Install Wizard in FortiManager is a key component used to manage the deployment of configurations from FortiManager to managed FortiGate devices. It ensures that configuration changes made within Policy Packages or Device Databases are systematically and safely applied to FortiGates. This tool provides a guided and automated process that allows administrators to validate, preview, and install configuration changes.
Here is a detailed breakdown of each option:
A. Display pending configuration changes for the managed devices.
Correct. The Install Wizard automatically displays the pending configuration changes between FortiManager and the targeted FortiGate device. This is a crucial step, as it allows administrators to review the delta between the current configuration on the FortiGate and the proposed configuration from FortiManager before pushing the changes. This preview feature helps in preventing misconfigurations and ensures clarity on what will be modified.
B. Add new devices to FortiManager's management.
Incorrect. Adding new devices to FortiManager is not handled by the Install Wizard. This task is typically performed via the Device Manager, where devices can be discovered or manually added. The Install Wizard only works with devices that are already added and authorized in FortiManager.
C. Retrieve policy packages from the managed devices.
Incorrect. Policy packages are not retrieved from FortiGate devices. Instead, FortiManager pushes policy packages to the devices. In fact, policies are created and stored within FortiManager’s ADOM database, and FortiGate devices are recipients, not sources, of these packages. If policies exist on FortiGate before it is managed, they are not automatically imported—this would require a separate manual process, not the Install Wizard.
D. Apply configuration changes to the managed devices.
Correct. This is the primary function of the Install Wizard. It installs (applies) the configuration changes, including policies, objects, and settings from FortiManager to the managed FortiGate devices. The wizard supports various scopes—such as full policy package installations, partial installations, and object-only updates.
E. Retrieve interface mappings from the managed devices.
Incorrect. Interface mappings are typically retrieved during initial device addition or manual sync operations, not by the Install Wizard. If interface mapping updates are needed, administrators generally use the Device Manager to perform a configuration retrieval or refresh.
In summary, the Install Wizard's purpose is to safely deploy configuration changes and provide visibility into those changes. It is not used for onboarding devices, retrieving existing policies, or fetching interface mappings. Its focus is on managing and applying configuration changes already made within FortiManager.
Therefore, the correct answers are A and D.
Question 3:
When reviewing the IPS exit log on a FortiGate device, the following log entry is observed:
# diagnose test application ipsmonitor 3
ipsengine exit log
pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017 code = 11, reason: manual
What does this log indicate about the IPS status on the device?
A. The IPS engine's memory usage has surpassed the device's predefined limit.
B. The IPS daemon has crashed.
C. There are communication issues between the IPS engine and the management database.
D. All IPS-related features have been disabled in the FortiGate's configuration.
Answer: B
Explanation:
The log snippet shown in the question is from the Intrusion Prevention System (IPS) diagnostic tool in FortiOS. When analyzing FortiGate behavior related to IPS functionality, this command—diagnose test application ipsmonitor 3—is used to display logs of IPS engine exits, which help identify why and when the IPS process was terminated.
Let's analyze the components of the log:
pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017 code = 11, reason: manual
pid = 93 – This is the process ID of the IPS engine at the time it exited.
duration = 5605322 (s) – Indicates how long the IPS engine was running before the exit.
code = 11 – This is the exit code, which is key to interpreting the cause.
reason: manual – Provides a high-level reason string.
Despite the label “manual,” the exit code = 11 is the most critical piece. In FortiOS, exit code 11 generally signifies a segmentation fault, which means that the process accessed an invalid memory location—a strong indicator of a crash. This code aligns with common UNIX/Linux signals, where signal 11 (SIGSEGV) refers to a segmentation violation.
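The field breakdown above can be turned into a small parser that reads exit-log lines and ranks the exit code ahead of the reason string when deciding whether the engine crashed. The following is an added example, not FortiOS code or output: the first log line is the one quoted above, the other two lines are constructed for contrast, and the mapping of non-zero codes to POSIX signal names follows the explanation above.

```python
import re
import signal
from datetime import timedelta

# Constructed sample: the exit-log line quoted above plus two made-up lines
# (a clean restart and a kill by signal 9) so the classifier has contrast.
SAMPLE_EXIT_LOG = """\
ipsengine exit log
pid = 93 (cfg), duration = 5605322 (s) at Wed Apr 19 09:57:26 2017 code = 11, reason: manual
pid = 120 (cfg), duration = 42 (s) at Wed Apr 19 09:58:10 2017 code = 0, reason: manual
pid = 131 (cfg), duration = 3600 (s) at Wed Apr 19 10:58:10 2017 code = 9, reason: manual
"""

# One exit-log entry: pid, role in parentheses, duration, timestamp, code, reason.
ENTRY_RE = re.compile(
    r"pid = (?P<pid>\d+) \((?P<role>\w+)\), duration = (?P<duration>\d+) \(s\) "
    r"at (?P<when>.+?) code = (?P<code>\d+), reason: (?P<reason>\w+)"
)


def parse_exit_log(text):
    """Return one dict per entry line; the header and unrelated lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m is None:
            continue
        d = m.groupdict()
        entries.append({
            "pid": int(d["pid"]),
            "role": d["role"],
            "duration": int(d["duration"]),
            "when": d["when"],
            "code": int(d["code"]),
            "reason": d["reason"],
        })
    return entries


def classify(entry):
    """Interpret the exit code before the reason string, as the explanation above does.

    Code 0 is a clean exit. Any other code is read as the POSIX signal number that
    ended the process; 11 is SIGSEGV, which is the crash case.
    """
    code = entry["code"]
    if code == 0:
        return "clean exit"
    try:
        name = signal.Signals(code).name
    except ValueError:
        return f"exit code {code} (no matching signal)"
    if code == signal.SIGSEGV:
        return f"crash ({name}: segmentation fault)"
    return f"terminated by {name}"


def uptime(entry):
    """Human-readable run time before the exit, e.g. '64 days, 21:02:02'."""
    return str(timedelta(seconds=entry["duration"]))


def crashes(text):
    """PIDs of entries whose exit code indicates a crash; what an alert would key on."""
    return [e["pid"] for e in parse_exit_log(text) if e["code"] == signal.SIGSEGV]


if __name__ == "__main__":
    for e in parse_exit_log(SAMPLE_EXIT_LOG):
        print(f"pid {e['pid']:>4} ran {uptime(e):>17} -> {classify(e)}")
```

Run as a script it prints one line per entry; the quoted entry comes out as a crash with a run time of 64 days, 21:02:02 even though its reason field says "manual", which is the point of checking the code first.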
Now, let's examine each of the answer choices:
A. The IPS engine's memory usage has surpassed the device's predefined limit.
Incorrect. If the IPS engine were terminated due to memory constraints, the log would indicate a memory threshold or resource exhaustion-related error, not exit code 11. There would likely be a different signal or reason (such as memory overuse protection or OOM killer activity).
B. The IPS daemon has crashed.
Correct. The exit code 11 points to a segmentation fault, a type of runtime error indicating that the process attempted to access invalid memory, leading to a crash. Despite the string "reason: manual," this does not imply a clean or user-initiated shutdown. This field can be misleading because it's sometimes populated by FortiOS even in abnormal terminations. Thus, the most accurate interpretation is that the IPS daemon (engine) crashed.
C. There are communication issues between the IPS engine and the management database.
Incorrect. Such issues would typically produce specific log messages indicating synchronization, timeout, or RPC errors, and not a segmentation fault or code 11 crash.
D. All IPS-related features have been disabled in the FortiGate's configuration.
Incorrect. If IPS were disabled, there would be no active IPS engine process to crash, and no exit logs would be generated. Additionally, disabling IPS is a configuration action and would not cause an exit code 11 or leave traces like a process ID and duration.
In summary, while the term "manual" appears in the log, the exit code takes precedence in diagnostics. Code 11 clearly indicates a segmentation fault, which is the result of a crash in the IPS engine. Therefore, the best conclusion is that the IPS daemon crashed.
Thus, the correct answer is B, the IPS daemon has crashed.
Question 4:
An administrator needs to capture ESP traffic exchanged between two FortiGate devices using the built-in sniffer tool. There is no NAT device involved between the two FortiGates. Which command should be used to correctly capture this ESP traffic?
A. diagnose sniffer packet any "udp port 500"
B. diagnose sniffer packet any "udp port 4500"
C. diagnose sniffer packet any "esp"
D. diagnose sniffer packet any "udp port 500 or udp port 4500"
Answer: C
Explanation:
When dealing with IPsec VPNs, traffic can be carried in several different formats depending on the presence or absence of NAT and the phase of the IPsec tunnel negotiation.
To understand why ESP is the correct protocol to capture in this specific scenario, we need to break down the structure of IPsec traffic and how FortiGate handles it.
Understanding IPsec and ESP:
IPsec tunnels typically rely on three key protocols during operation:
UDP port 500 (ISAKMP/IKE) – Used for phase 1 negotiations (IKEv1 or IKEv2).
UDP port 4500 (NAT-T) – Used when NAT Traversal (NAT-T) is enabled, and one or both peers are behind NAT devices. The original ESP packets are encapsulated in UDP/4500.
ESP (Encapsulating Security Payload) – Protocol number 50, used to actually carry the encrypted IP payload after the tunnel is established, when there is no NAT involved.
Applying to the Scenario:
In the question, it's clearly stated that:
The administrator is trying to capture ESP traffic, not IKE negotiation.
There is no NAT device between the two FortiGate devices.
This is crucial because NAT-T is not required when there is no NAT. Therefore, FortiGate devices will send pure ESP packets, using protocol 50, not UDP/4500. So, options B and D, which focus on UDP/4500, are not applicable in this context.
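To make the difference between the four filters concrete, the following added example (not FortiGate code; the sniffer's real filter syntax is BPF-like and far richer than this toy evaluator) builds three constructed IPv4 packets, one for each traffic type listed above, and reports which of the four candidate filters would capture each. Addresses are documentation ranges and the ESP SPI is a made-up value.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50


def ipv4_packet(proto, src, dst, payload):
    """Minimal IPv4 header (20 bytes, no options, checksum left as 0) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


def udp_payload(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_payload(spi, seq, data):
    # The ESP header is just SPI + sequence number; everything after is ciphertext.
    return struct.pack("!II", spi, seq) + data


def parse(pkt):
    """Pull out what a filter needs: IP protocol, and UDP ports or ESP SPI."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"proto": pkt[9]}
    if info["proto"] == IPPROTO_UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    elif info["proto"] == IPPROTO_ESP:
        (info["spi"],) = struct.unpack("!I", pkt[ihl:ihl + 4])
    return info


def matches(expr, pkt):
    """Evaluate a sniffer-style filter made of 'esp' and 'udp port N' terms joined by 'or'."""
    info = parse(pkt)
    for term in expr.split(" or "):
        words = term.split()
        if words == ["esp"] and info["proto"] == IPPROTO_ESP:
            return True
        if (len(words) == 3 and words[:2] == ["udp", "port"]
                and info["proto"] == IPPROTO_UDP
                and int(words[2]) in (info["sport"], info["dport"])):
            return True
    return False


# Constructed packets for the three traffic types described above.
PACKETS = {
    "ike": ipv4_packet(IPPROTO_UDP, "192.0.2.1", "198.51.100.1",
                       udp_payload(500, 500, b"\x00" * 28)),
    "nat-t": ipv4_packet(IPPROTO_UDP, "192.0.2.1", "198.51.100.1",
                         udp_payload(4500, 4500, b"\x00\x00\x00\x00" + b"\x00" * 8)),
    "esp": ipv4_packet(IPPROTO_ESP, "192.0.2.1", "198.51.100.1",
                       esp_payload(0xC0FFEE, 1, b"ciphertext")),
}

FILTERS = [
    "udp port 500",
    "udp port 4500",
    "esp",
    "udp port 500 or udp port 4500",
]


def capture_report(filters=FILTERS, packets=PACKETS):
    """Map each filter to the names of the constructed packets it would capture."""
    return {f: [name for name, p in packets.items() if matches(f, p)] for f in filters}


if __name__ == "__main__":
    for f, caught in capture_report().items():
        print(f'"{f}": {caught or "nothing"}')
```

Only the "esp" filter picks up the plain protocol-50 packet; the three UDP filters capture the IKE and NAT-T packets and miss it entirely, which is exactly why they are wrong when no NAT sits between the peers.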
Evaluating the Options:
A. diagnose sniffer packet any "udp port 500"
Incorrect. This command would capture IKE phase 1 negotiation traffic but not the ESP packets themselves. It helps in VPN setup troubleshooting, but it is not relevant for capturing the encrypted data payload.
B. diagnose sniffer packet any "udp port 4500"
Incorrect. UDP/4500 is only used when NAT Traversal is enabled due to NAT devices in the path. Since the question specifies no NAT, ESP traffic will not be encapsulated in UDP.
C. diagnose sniffer packet any "esp"
Correct. This is the precise filter needed to capture ESP protocol (IP protocol number 50). It allows the administrator to view the actual encrypted data packets sent through the IPsec tunnel between the two FortiGates when NAT-T is not involved.
D. diagnose sniffer packet any "udp port 500 or udp port 4500"
Incorrect. This is useful if you're capturing both IKE negotiation and NAT-T encapsulated traffic, but in this case, NAT is not used. Therefore, UDP/4500 traffic will not be present, and this filter will miss ESP traffic entirely.
In an IPsec tunnel where there is no NAT, the data plane uses the ESP protocol (protocol 50) directly. To capture the encrypted tunnel traffic, the administrator must filter on "esp" using FortiGate’s built-in sniffer tool.
Therefore, the correct answer is C, diagnose sniffer packet any "esp".
Question 5:
Which conditions must be met for a static route to be considered "active" and included in the routing table on a FortiGate device? (Select three.)
A. The next-hop IP address is reachable.
B. No other route with a lower distance exists for the same destination.
C. If configured, the link health monitor is functioning properly.
D. The next-hop IP address must be within the subnet of the outgoing interface.
E. The outgoing interface must be operational.
Answer: A, C, E
Explanation:
In FortiGate’s routing logic, a static route is not automatically included in the active routing table (FIB - Forwarding Information Base) just because it has been configured. Several conditions must be met for the route to be considered active and usable for traffic forwarding.
Let’s examine each answer choice based on how FortiGate handles static routes:
A. The next-hop IP address is reachable.
Correct. For a static route to become active, reachability to the next-hop IP address is essential. FortiGate determines this by verifying that a route exists to reach the next-hop IP. If the next-hop is unreachable (i.e., not resolvable through another route or directly connected subnet), the static route is not considered valid and is excluded from the routing table.
B. No other route with a lower distance exists for the same destination.
Incorrect. This statement relates to route selection, not whether a static route is active. A static route can still be considered active even if there is a lower distance route for the same destination—it just won’t be used unless it has the lowest administrative distance. The concept of "active" here means it’s available to be used, not necessarily the one that will be chosen.
C. If configured, the link health monitor is functioning properly.
Correct. If a static route is associated with a link health monitor (e.g., for route failover), FortiGate monitors the target using pings or TCP checks. If the health check fails, the route is withdrawn from the active routing table. Therefore, for a static route tied to a health monitor, the health check must be passing for the route to be active.
D. The next-hop IP address must be within the subnet of the outgoing interface.
Incorrect. While it is a common network practice to place the next-hop IP within the subnet of the outgoing interface, FortiGate does not require this. FortiGate can resolve the next-hop using recursive lookups, meaning the next-hop does not have to be directly reachable through the interface’s own subnet. Instead, as long as there is a route (static or dynamic) to reach the next-hop IP, FortiGate considers it valid.
E. The outgoing interface must be operational.
Correct. The status of the outgoing interface is critical. If the interface is down (administratively or due to a physical issue), the static route is marked inactive. FortiGate will not install a static route into the routing table if the interface it points to is unavailable.
Active Route Requirements in FortiGate:
For a static route to be active, FortiGate ensures:
The next-hop IP is reachable via another route or directly.
The outgoing interface is up.
If a link health monitor is tied to the route, it must pass.
It’s important to separate route validity (active) from route selection (preferred). Even if multiple routes to the same destination exist, all valid routes will be active, but only the best route (based on distance and priority) will be selected for traffic.
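The three activation conditions, the recursive next-hop lookup, and the separation of "active" from "selected" can be written out as a small model. This is an added example, not FortiOS's routing code: the DeviceState snapshot, the route names, the interfaces and the monitor name are all constructed for illustration, and route selection is simplified to longest prefix, then lowest distance, then lowest priority value.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class StaticRoute:
    name: str                      # label for this example only
    dest: str                      # destination prefix, e.g. "0.0.0.0/0"
    gateway: str                   # next-hop IP
    interface: str                 # outgoing interface
    distance: int = 10
    priority: int = 0              # lower value preferred when distance ties
    monitor: Optional[str] = None  # link health monitor attached, if any


@dataclass
class DeviceState:
    """Hypothetical snapshot of what the route logic consults."""
    routes: list
    interface_up: dict             # interface -> bool
    connected: dict                # interface -> directly connected subnet
    monitor_ok: dict = field(default_factory=dict)  # monitor -> health check passing


def next_hop_reachable(dev, route, depth=0):
    gw = ip_address(route.gateway)
    # Directly connected through the outgoing interface's own subnet.
    if gw in ip_network(dev.connected[route.interface]):
        return True
    if depth > 8:                  # guard against mutually recursive routes
        return False
    # Recursive lookup: another active route that covers the gateway, longest prefix first.
    covering = sorted(
        (r for r in dev.routes if r is not route and gw in ip_network(r.dest)),
        key=lambda r: -ip_network(r.dest).prefixlen,
    )
    return any(is_active(dev, r, depth + 1) for r in covering)


def is_active(dev, route, depth=0):
    """The three conditions from the explanation above, checked in order."""
    if not dev.interface_up.get(route.interface, False):
        return False
    if route.monitor is not None and not dev.monitor_ok.get(route.monitor, False):
        return False
    return next_hop_reachable(dev, route, depth)


def routing_table(dev):
    """All active routes; several routes to the same destination can be active at once."""
    return [r for r in dev.routes if is_active(dev, r)]


def select(dev, destination):
    """Selection among active routes: longest prefix, then lowest distance, then lowest priority."""
    dst = ip_address(destination)
    candidates = [r for r in routing_table(dev) if dst in ip_network(r.dest)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.dest).prefixlen, r.distance, r.priority))


def sample_device():
    """Constructed scenario exercising each condition (addresses are documentation ranges)."""
    return DeviceState(
        routes=[
            StaticRoute("wan1-default", "0.0.0.0/0", "203.0.113.1", "wan1", distance=10),
            StaticRoute("wan2-default", "0.0.0.0/0", "198.51.100.1", "wan2", distance=10,
                        monitor="wan2-probe"),                      # probe failing -> inactive
            StaticRoute("wan1-backup", "0.0.0.0/0", "203.0.113.1", "wan1", distance=20),  # active, not selected
            StaticRoute("to-10.20", "10.20.0.0/16", "192.168.1.254", "internal"),
            StaticRoute("to-10.30", "10.30.0.0/16", "10.20.0.1", "internal"),  # next hop off-link -> recursive
            StaticRoute("to-dmz-net", "172.16.0.0/12", "10.99.0.1", "dmz"),   # interface down -> inactive
        ],
        interface_up={"wan1": True, "wan2": True, "internal": True, "dmz": False},
        connected={"wan1": "203.0.113.0/24", "wan2": "198.51.100.0/24",
                   "internal": "192.168.1.0/24", "dmz": "10.99.0.0/24"},
        monitor_ok={"wan2-probe": False},
    )


if __name__ == "__main__":
    dev = sample_device()
    print("active:", [r.name for r in routing_table(dev)])
    print("8.8.8.8 via", select(dev, "8.8.8.8").name)
```

In the sample, both default routes through wan1 are active (they differ only in distance), so the lower-distance one is selected and the other simply waits; to-10.30 becomes active through the to-10.20 route even though its next hop is not on the interface's subnet; the wan2 route with a failing probe and the route over the down dmz interface never enter the table.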
Thus, the correct answers are A, C, and E.
Question 6:
An administrator has configured a high-availability (HA) cluster with two FortiGate devices. During a failover test, the administrator observes that some network switches continue to forward traffic to the former primary unit. To resolve this, the administrator enables the link-failed-signal feature.
Which of the following best describes the behavior of the link-failed-signal command?
A. It forces the former primary device to shut down all non-heartbeat interfaces for one second during failover.
B. It sends an ARP packet to all devices, indicating the new master is reachable after failover.
C. It broadcasts a link-failed signal to all connected devices.
D. It disables all non-heartbeat interfaces on both HA units for two seconds after a failover.
Answer: A
Explanation:
The link-failed-signal feature in FortiGate HA configurations is specifically designed to address a common issue that can occur during failover: switches or neighboring devices continue to send traffic to the old primary unit, unaware that the active role has changed. This typically happens due to MAC address learning delays on the switches or because ARP tables haven’t updated fast enough.
What the link-failed-signal Command Does:
The link-failed-signal feature is a failover enhancement available in FortiOS for FortiGate HA clusters. It provides a mechanism to signal downstream switches and routers that the old primary unit is no longer active. Here’s how it works:
When a failover event occurs, the former primary FortiGate device will temporarily bring down all of its non-heartbeat interfaces for one second.
This brief interface shutdown causes connected switches to detect a link-down event, prompting them to flush or update their MAC address tables.
The link-flap makes the switches stop forwarding traffic to the old MAC address associated with the former primary.
As a result, traffic is correctly redirected to the new primary unit, whose interfaces are up and actively processing traffic.
This is particularly useful in environments where:
The switching infrastructure has slow MAC aging.
The failover needs to be seamless, and delays in traffic redirection are not acceptable.
ARP updates alone are not sufficient to force traffic redirection.
Evaluating the Options:
A. It forces the former primary device to shut down all non-heartbeat interfaces for one second during failover.
Correct. This is a precise description of what the link-failed-signal command does. It deliberately disables the non-heartbeat interfaces for a short duration to signal connected devices that this unit is no longer active.
B. It sends an ARP packet to all devices, indicating the new master is reachable after failover.
Incorrect. While FortiGate HA does perform gratuitous ARP updates during failover to advertise the MAC address of the new primary unit, this is not part of the link-failed-signal feature. ARP alone may not be sufficient for some switching environments, which is why the link-failed-signal is used as an additional measure.
C. It broadcasts a link-failed signal to all connected devices.
Incorrect. This answer is vague and misleading. FortiGate does not send a special "link-failed" packet; rather, it uses a physical method (interface down/up) to induce a link state change on the switch.
D. It disables all non-heartbeat interfaces on both HA units for two seconds after a failover.
Incorrect. Only the former primary’s non-heartbeat interfaces are affected, and they are disabled for one second, not two. The current primary (new master) remains fully operational to ensure service continuity.
The link-failed-signal command is an effective tool to enhance failover responsiveness in HA setups by prompting adjacent network devices to immediately recognize the failover event and redirect traffic appropriately. It achieves this by temporarily shutting down the interfaces of the old primary unit, helping to mitigate issues related to stale MAC address entries on switches.
Therefore, the correct answer is A.
Question 7:
An administrator needs to configure a FortiGate firewall to ensure that denied traffic is properly logged. Which step must be taken to enable traffic logs for denied sessions?
A. Enable "log denied traffic" in the policy settings.
B. Use the CLI command set log-denied-traffic enable in the firewall policy.
C. Enable "traffic logging" on the interface settings.
D. Configure logging on the session policies.
Answer: B
Explanation:
Logging denied traffic on a FortiGate firewall is a crucial step in ensuring full visibility into unauthorized access attempts, blocked traffic, or misconfigured policies. By default, FortiGate only logs accepted sessions unless explicitly configured to log denied ones. To achieve this, administrators must modify specific system-wide or policy-level logging settings, depending on the desired granularity.
Where Denied Traffic Logging Happens:
Denied traffic can occur in various places:
At the policy level, where firewall rules explicitly deny traffic.
At the implicit deny rule, which catches traffic not matching any defined policies.
As part of session handling behaviors (e.g., failed TCP handshakes, expired sessions).
Key Logging Configuration Options:
set log-denied-traffic (CLI command)
This command is configured globally under the config log setting section or per firewall policy under config firewall policy. It controls what types of denied traffic are logged. Options may include: disable, enable, utm, violation, all.
Enabling it ensures the FortiGate logs denied packets, either globally or for a specific policy.
Policy GUI Settings ("Log Allowed Traffic" and "Log Denied Traffic")
In the GUI, logging settings for allowed and denied traffic can be enabled in the policy configuration window, but only if the policy is designed to handle traffic in the first place. The implicit deny rule is not visible in the GUI and must be configured via CLI.
Evaluating the Options:
A. Enable "log denied traffic" in the policy settings.
Incorrect. While this option does exist in the GUI, it only applies to explicit firewall policies. It does not handle logging for implicit denies, which is often where logging is most needed for security monitoring. Additionally, for global denied traffic logging, the correct method is through the CLI.
B. Use the CLI command set log-denied-traffic enable in the firewall policy.
Correct. This CLI command directly enables logging of denied traffic for specific policies or globally, depending on where it's applied. It's especially important for implicit deny logs, which are only configurable via the CLI. This ensures that all denied traffic, even from connections that do not match a policy, is logged.
C. Enable "traffic logging" on the interface settings.
Incorrect. Interfaces on FortiGate do not control traffic logging at the policy decision level. Logging on interfaces may be used for diagnostics (like NetFlow or sFlow), but not for capturing denied session logs.
D. Configure logging on the session policies.
Incorrect. FortiGate does not use the term "session policies" in this context. Traffic logging is configured via firewall policies, not session-specific policies. Denied traffic would not reach the session stage in the FortiGate processing flow.
To properly log denied traffic, especially traffic denied by the implicit rule, an administrator must use the CLI command set log-denied-traffic enable. This ensures visibility into all blocked sessions, which is vital for troubleshooting, compliance, and security auditing.
Therefore, the correct answer is B.
Question 8:
Which command should be used to view the current session count on a FortiGate device?
A. get system performance top
B. diagnose sys session list
C. show system session stats
D. diagnose system session status
Answer: D
Explanation:
Monitoring session count is crucial on a FortiGate device to evaluate performance, detect abnormal behavior, or identify potential issues related to session exhaustion. FortiGate tracks active sessions, and each session represents a connection tracked by the firewall for stateful inspection (e.g., a TCP handshake, UDP stream, etc.). The current session count tells you how many active connections are currently being handled by the device, which is vital for capacity planning and troubleshooting.
Breakdown of the Commands:
A. get system performance top
Incorrect. This command provides a real-time performance summary, showing key metrics like CPU usage, memory usage, network throughput, and session rate (sessions per second), but not the current session count. It shows the session rate, which is how fast sessions are being established—not the total number of active sessions. So while useful, it does not directly display the session count.
B. diagnose sys session list
Incorrect. This command lists all active sessions individually, showing detailed information about each one (source/destination IPs, ports, protocol, etc.). While technically you could count the lines to estimate session count, this is not practical or efficient. The output is too verbose for simply checking the number of sessions.
C. show system session stats
Incorrect. This command does not exist in the FortiOS command hierarchy. “Show” commands are used for viewing configuration, not statistics or runtime data. Therefore, this is an invalid option.
D. diagnose system session status
Correct. This is the precise command used to display session-related statistics on a FortiGate. It shows:
Total current sessions
Session setup rate
TCP/UDP session counts
Other session-related counters
This command provides a concise summary like the following:
# diagnose system session status
session_count : 8324
setup_rate : 50
...
This is the most direct and efficient way to see the current number of active sessions on the FortiGate device, which is what the question is asking for.
Why Session Count Matters:
Performance Monitoring: The FortiGate model has a maximum session capacity. Approaching that limit can lead to dropped connections.
Troubleshooting: An unexpected spike in sessions could indicate a DDoS attack, malware outbreak, or misbehaving application.
Capacity Planning: Helps in understanding load trends for future upgrades or tuning.
To directly check how many sessions are currently being tracked by a FortiGate device, the best and most appropriate command is diagnose system session status. It provides a concise overview without overwhelming detail and is the go-to tool for administrators monitoring firewall activity at a glance.
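The points under "Why Session Count Matters" can be operationalized by parsing the status output and comparing the count against the model's capacity and against recent history. The following is an added example, not FortiOS code: the sample text copies the abbreviated listing above and is constructed, and the capacity figure and thresholds are made-up numbers that would come from the device's datasheet and local policy.

```python
import re
from statistics import median

# Constructed output in the abbreviated form shown above (not a real device capture).
SAMPLE_STATUS = """\
session_count : 8324
setup_rate : 50
"""

KV_RE = re.compile(r"^\s*(\w+)\s*:\s*(\d+)\s*$")


def parse_session_status(text):
    """Integer counters from 'name : value' lines; anything else is ignored."""
    counters = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def utilization(session_count, capacity):
    """Percentage of the model's maximum session capacity currently in use."""
    return round(100.0 * session_count / capacity, 2)


def assess(text, capacity, warn_pct=70, crit_pct=90):
    """Classify the current count against capacity: ('OK'|'WARN'|'CRIT', count, percent)."""
    count = parse_session_status(text)["session_count"]
    pct = utilization(count, capacity)
    level = "CRIT" if pct >= crit_pct else "WARN" if pct >= warn_pct else "OK"
    return level, count, pct


def is_spike(history, factor=3.0):
    """True when the newest sample exceeds factor x the median of the earlier samples.

    A sudden jump of this kind is the pattern the explanation above associates with
    a DDoS, a malware outbreak or a misbehaving application.
    """
    if len(history) < 3:
        return False
    baseline = median(history[:-1])
    return baseline > 0 and history[-1] > factor * baseline


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, capacity=10000))        # constructed capacity figure
    print(is_spike([8000, 8100, 8324, 40000]))           # constructed polling history
```

Polling the command on a schedule and feeding each session_count into is_spike gives the "unexpected spike" detection the explanation describes, while assess covers the capacity side.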
Therefore, the correct answer is D.
Question 9:
Which type of traffic is subject to SSL inspection on a FortiGate firewall?
A. All HTTP and HTTPS traffic regardless of the destination.
B. Only traffic to websites listed in the SSL inspection profile.
C. All encrypted traffic including SSL and TLS protocols.
D. Only inbound traffic from internal devices to external servers.
Answer: C
Explanation:
SSL inspection on FortiGate devices is a powerful capability designed to intercept, decrypt, inspect, and then re-encrypt encrypted traffic, primarily for the purposes of threat detection, content filtering, and policy enforcement. Given the increasing use of HTTPS and other encrypted protocols, SSL inspection is critical for maintaining visibility into traffic that could otherwise bypass firewall controls.
Understanding SSL Inspection on FortiGate:
FortiGate supports two main types of SSL inspection:
Deep Inspection (Full SSL Inspection):
The firewall acts as a man-in-the-middle (MITM) between the client and the server.
The FortiGate presents its own certificate to the client.
It decrypts the session, applies security inspection (AV, IPS, Web Filtering, etc.), and then re-encrypts the traffic.
Requires clients to trust the FortiGate certificate.
SSL Certificate Inspection (Shallow):
The firewall only inspects the SSL handshake and checks the certificate details (like issuer, expiration, domain match).
Does not decrypt the content.
Which Traffic is Subject to SSL Inspection?
SSL inspection can be applied to:
HTTPS (SSL over HTTP) traffic.
Other protocols that use SSL/TLS, such as IMAPS, SMTPS, FTPS, etc.
This means SSL inspection applies to any encrypted traffic using SSL/TLS, if matched by a policy that enables SSL inspection. The key determinant is not just the destination or direction, but whether the firewall policy and the SSL inspection profile are applied.
Evaluating the Options:
A. All HTTP and HTTPS traffic regardless of the destination.
Incorrect. HTTP is unencrypted and does not require SSL inspection. HTTPS traffic can be inspected, but only if SSL inspection is enabled in the relevant policy. Also, FortiGate does not automatically inspect all HTTPS traffic unless explicitly configured.
B. Only traffic to websites listed in the SSL inspection profile.
Incorrect. SSL inspection profiles may include exceptions (such as trusted sites to be bypassed), but SSL inspection is not limited to predefined websites. It applies to any traffic matched by policy with the inspection profile attached.
C. All encrypted traffic including SSL and TLS protocols.
Correct. SSL inspection is capable of targeting all encrypted traffic that uses SSL/TLS protocols, provided that a firewall policy with an SSL inspection profile is applied. This includes HTTPS, as well as encrypted email and file transfer protocols. The firewall does not restrict itself to web traffic alone.
D. Only inbound traffic from internal devices to external servers.
Incorrect. SSL inspection is bidirectional. It can inspect inbound traffic to servers hosted internally (using a certificate for deep inspection on incoming sessions), or outbound traffic from internal clients to external services. This flexibility is configured by applying SSL inspection profiles to appropriate policies.
FortiGate’s SSL inspection capabilities are not limited to specific websites, directions, or only HTTP/HTTPS. Instead, it can be applied to all encrypted traffic that uses SSL or TLS, as long as the relevant policy includes an SSL inspection profile. This includes traffic such as HTTPS, SMTPS, IMAPS, and other secure protocols. The administrator controls which traffic is inspected by applying the appropriate inspection profile to specific firewall rules.
Therefore, the correct answer is C.
Question 10:
In a FortiGate Web Filtering profile, which option is used to block access to content based on user-defined keywords?
A. Static URL Filtering
B. Dynamic URL Filtering
C. DNS Filtering
D. Keyword Filtering
Answer: D
Explanation:
FortiGate’s Web Filtering capabilities offer granular control over the types of web content users can access, enabling organizations to enforce acceptable use policies, improve productivity, and protect users from accessing malicious or inappropriate content. One of the more customizable components of this system is keyword filtering, which allows administrators to define specific words or phrases to trigger a block action when they appear in URLs or web content.
Breakdown of Web Filtering Options:
1. Static URL Filtering (A)
Incorrect. Static URL filtering blocks or allows access to specific URLs or patterns of URLs that are explicitly defined by the administrator.
For example, you can enter www.example.com or use wildcards like *.socialmedia.com.
However, this method does not scan for keywords in the URL unless the exact match or pattern is defined.
It's powerful for precise control, but not flexible for generalized keyword-based blocking.
2. Dynamic URL Filtering (B)
Incorrect. Dynamic URL filtering relies on FortiGuard’s real-time categorization database, which evaluates websites and assigns them to predefined categories like “Social Networking,” “Malware,” or “Adult Content.”
Administrators can choose to block or allow access based on these categories.
It does not allow keyword customization, as it depends on external categorization from Fortinet.
3. DNS Filtering (C)
Incorrect. DNS filtering inspects and blocks domain requests based on domain names at the DNS resolution layer, rather than the full URL or content.
It's useful for blocking malicious or unwanted domains before a connection is established.
However, it operates on domain-level granularity and does not use keyword-based inspection.
For example, DNS filtering might block badsite.com but cannot inspect whether a keyword like “gambling” exists in a subpage or query.
4. Keyword Filtering (D)
Correct. Keyword filtering is specifically designed to allow administrators to define custom keywords.
When a keyword is present in a URL, webpage title, or content, the FortiGate can block the page.
For instance, if “proxy” or “torrent” is listed as a keyword, any URL containing these strings can be denied access.
Keyword filtering is part of FortiGate’s Web Filtering profile settings and adds an additional layer of policy customization on top of category-based filtering.
It’s especially useful in education or corporate settings where policy enforcement requires control over specific types of terms, rather than entire website categories.
How Keyword Filtering Works in FortiGate:
Located under Security Profiles > Web Filter.
Within the profile, the admin can navigate to the Keyword Filtering section and add terms to be monitored or blocked.
Options include match case sensitivity, block or monitor action, and logging.
Applies to HTTP and HTTPS traffic, with deeper visibility when SSL inspection is enabled.
While Static URL Filtering, Dynamic URL Filtering, and DNS Filtering all play key roles in controlling web access, only Keyword Filtering allows administrators to define and block access based on specific user-defined keywords found within URLs, page titles, or web content. This makes it the ideal choice when the policy goal is to block access based on content themes or specific terms rather than URLs or domain categories.
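The difference between the three filter types, and the dependence of keyword matching on SSL inspection noted above, can be shown with a small classifier. This is an added example, not FortiGate's web filter engine: the rule sets reuse the page's own example entries (www.example.com, *.socialmedia.com, badsite.com, "proxy", "torrent", "gambling"), the URLs and titles are constructed, and the visibility model (HTTPS without deep inspection exposes only the hostname) is a simplification of what the explanation states.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed rule sets using the page's own examples as entries.
STATIC_URL_RULES = ["www.example.com", "*.socialmedia.com"]
DNS_BLOCKLIST = ["badsite.com"]
KEYWORDS = ["proxy", "torrent", "gambling"]


def visible_parts(url, ssl_inspected):
    """What the filter can see: without deep inspection, HTTPS exposes only the hostname."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https" and not ssl_inspected:
        return host, "", False          # host only, no path, no page content
    path = parts.path + (("?" + parts.query) if parts.query else "")
    return host, path, True


def static_url_filter(host):
    """Explicit host entries, with shell-style wildcards."""
    return any(fnmatch(host, rule) for rule in STATIC_URL_RULES)


def dns_filter(host):
    """Domain-level match at resolution time: the listed domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in DNS_BLOCKLIST)


def keyword_filter(texts, case_sensitive=False):
    """Return the keywords found in any of the visible texts (host, path, title, body)."""
    hits = []
    for kw in KEYWORDS:
        for text in texts:
            needle, haystack = (kw, text) if case_sensitive else (kw.lower(), text.lower())
            if needle in haystack:
                hits.append(kw)
                break
    return hits


def evaluate(url, title="", content="", ssl_inspected=True):
    """Run all three filters on one request and report which of them would fire."""
    host, path, content_visible = visible_parts(url, ssl_inspected)
    texts = [host, path] + ([title, content] if content_visible else [])
    return {
        "static_url": static_url_filter(host),
        "dns": dns_filter(host),
        "keyword": keyword_filter(texts),
    }


if __name__ == "__main__":
    for url in ["http://news.example.org/sports/gambling-odds",
                "https://badsite.com/anything",
                "https://photos.socialmedia.com/feed"]:
        print(url, evaluate(url))
    print("no SSL inspection:", evaluate("https://news.example.org/gambling", ssl_inspected=False))
```

The gambling-odds page on an otherwise unlisted news site is caught only by the keyword filter; the same path on an HTTPS site is invisible to it until deep inspection is enabled, which is the caveat in the last bullet above.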
Therefore, the correct answer is D.