An administrator received a FortiAnalyzer alert that a 1 disk filled up in a day. Upon investigation, they found thousands of unusual DNS log requests, such as JHCMQK.website.com, with no answers. They later discovered that DNS exfiltration was
occurring through both UDP and TLS.
How can the administrator prevent this data theft technique?

1. A. Create an inline-CASB to protect against DNS exfiltration.
2. B. Configure a File Filter profile to prevent DNS exfiltration.
3. C. Enable DNS Filter to protect against DNS exfiltration.
4. D. Use an IPS profile and DNS exfiltration-related signatures.

Correct Answer: D
The excessiveDNS log requests with random subdomainssuggest aDNS exfiltration attack, where attackers encode and transmit data via DNS queries. Since this technique can useboth UDP and TLS (DoH - DNS over HTTPS), a comprehensive security approach is needed.
Using anIPS profile with DNS exfiltration-specific signaturesallows FortiGate to: Detect and block abnormal DNS query patternsoften used in exfiltration. Inspect encrypted DNS (DoH, DoT) trafficif SSL inspection is enabled.
Identify known exfiltration domains and techniquesbased on FortiGuard threat intelligence.

What does the command set forward-domain in a transparent VDOM interface do?

1. A. It configures the interface to prioritize traffic based on the domain ID, enhancing quality of service for specified VLANs.
2. B. It isolates traffic within a specific VLAN by assigning a broadcast domain to an interfacebased on the VLAN ID.
3. C. It restricts the interface to managing traffic only from the specified VLAN, effectively segregating network traffic.
4. D. It assigns a unique domain ID to the interface, allowing it to operate across multiple VLANs within the same VDOM.

Correct Answer: B
In atransparent mode Virtual Domain (VDOM)configuration, FortiGate operates as a
Layer 2 bridgerather than performing Layer 3 routing. Theset forward-domain
<domain_ID>command is used to control how traffic is forwarded between interfaces within the sametransparent VDOM.
Aforward-domainacts as abroadcast domain, meaning only interfaces with thesame forward-domain IDcan exchange traffic. This setting is commonly used toseparate different VLANs or network segmentswithin the transparent VDOM while still allowing FortiGate to apply security policies.

An administrator must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic.
Which SSL inspection setting helps reduce system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?

1. A. Use full SSL inspection to thoroughly inspect encrypted payloads.
2. B. Disable SSL inspection entirely to conserve resources.
3. C. Configure SSL inspection to handle HTTPS traffic efficiently.
4. D. Enable SSL certificate inspection mode to perform basic checks without decrypting traffic.

Correct Answer: D
To minimizeCPU and RAM usagewhile still enforcingsecurity features like web filtering and application control,SSL certificate inspection modeis the best choice.
SSL certificate inspectionallows FortiGate to inspectonly the SSL/TLS handshake, including theServer Name Indication (SNI) and certificate details, without decrypting the full encrypted payload.
This enables features likeweb filtering and application controlbecause FortiGate can determine thedestination website or applicationbased onSNI and certificate information.
Itsignificantly reduces system loadcompared tofull SSL inspection, which requires full decryption and re-encryption of traffic.

An administrator must standardize the deployment of FortiGate devices across branches with consistent interface roles and policy packages using FortiManager.
What is the recommended best practice for interface assignment in this scenario?

1. A. Enable metadata variables to use dynamic configurations in the standard interfaces of FortiManager.
2. B. Use the Install On feature in the policy package to automatically assign different interfaces based on the branch.
3. C. Create interfaces using device database scripts to use them on the same policy package of FortiGate devices.
4. D. Create normalized interface types per-platform to automatically recognize device layer interfaces based on the FortiGate model and interface name.

Correct Answer: A
Whenstandardizing the deployment of FortiGate devices across branchesusing FortiManager, thebest practiceis to usemetadata variables. This allows fordynamic interface configurationwhile maintaining asingle, consistent policy packagefor all branches.
Metadata variablesin FortiManager enableinterface roles and configurations to be dynamically assignedbased on the specific FortiGate device.
This ensuresscalabilityandconsistent security policy enforcementacross all branches without manually adjusting interface settings for each device.
When a new branch FortiGate is deployed, metadata variables automaticallymap to the correct physical interfaces, reducing manual configuration errors.

A vulnerability scan report has revealed that a user has generated traffic to the website example.com (10.10.10.10) using a weak SSL/TLS version supported by the HTTPS web server.
What can the firewall administrator do to block all outdated SSL/TLS versions on any HTTPS web server to prevent possible attacks on user traffic?

1. A. Configure the unsupported SSL version and set the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile.
2. B. Enable auto-detection of outdated SSL/TLS versions in the SSL/SSH inspection profile to block vulnerable websites.
3. C. Install the required certificate in the client's browser or use Active Directory policies to block specific websites as defined in the SSL/SSH inspection profile.
4. D. Use the latest certificate, Fortinet_SSL_ECDSA256, and replace the CA certificate in the SSL/SSH inspection profile.

Correct Answer: A
Thebest wayto block outdated SSL/TLS versions is toconfigure the SSL/SSH inspection profileto enforce aminimum SSL/TLS versionand disable weak SSL versions.
By setting theminimum allowed SSL versionin theHTTPS settings of the SSL/SSH inspection profile, FortiGate will:
Block any connection usingoutdated SSL/TLS versions(such as SSLv3, TLS 1.0, or TLS 1.1).
Enforce secure communication usingonly strong SSL/TLS versions(such as TLS 1.2 or TLS 1.3).
Protect users fromman-in-the-middle (MITM) and downgrade attacksthat exploit weak encryption.