Exam FCSS_EFW_AD-7.4 topic 1 question 8 discussion

Actual exam question from Fortinet's FCSS_EFW_AD-7.4
Question #: 8
Topic #: 1

A user reports that their computer was infected with malware after accessing a secured HTTPS website. However, when the administrator checks the FortiGate logs, they do not see that the website was detected as insecure despite having an SSL certificate and correct profiles applied on the policy.
How can an administrator ensure that FortiGate can analyze encrypted HTTPS traffic on a website?

  • A. The administrator must enable reputable websites to allow only SSL/TLS websites rated by FortiGuard web filter.
  • B. The administrator must enable URL extraction from SNI on the SSL certificate inspection to ensure the TLS three-way handshake is correctly analyzed by FortiGate.
  • C. The administrator must enable DNS over TLS to protect against fake Server Name Indication (SNI) that cannot be analyzed in common DNS requests on HTTPS websites.
  • D. The administrator must enable full SSL inspection in the SSL/SSH Inspection Profile to decrypt packets and ensure they are analyzed as expected.
Suggested Answer: D
Community vote distribution
D (100%)

Comments

greeklover84
1 day, 20 hours ago
Selected Answer: D
D. Fully Agree.
upvoted 1 times
tioeudes
5 days, 16 hours ago
Selected Answer: D
Everything @Tweefo said!
upvoted 1 times
Yaghu
1 week ago
Selected Answer: D
Enabling deep inspection (full SSL) within a policy allows the FG to decrypt all packets traveling through a policy. D is the answer.
upvoted 1 times
Tweefo
1 week, 3 days ago
Selected Answer: D
D is correct.
  • A: Reputable websites setting doesn't decrypt or inspect encrypted payloads.
  • B: SNI parsing is part of certificate inspection but does not decrypt traffic; limited to handshake and domain name info.
  • C: Not relevant to analyzing HTTPS content or SNI-based issue.
To detect malware or malicious activity inside encrypted HTTPS traffic, full SSL inspection is required.
Source: Study guide P163
upvoted 2 times