Refer to the exhibits.
The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
Flow-based inspection is used in this scenario, which has a particular behavior when it detects a virus. When a virus is detected in a session where some packets have already been forwarded to the receiver, the FortiGate device resets the connection and does not send the last piece of the file. This means the user may receive most of the file, but it is incomplete and cannot be opened. As a result, the user does not receive a block replacement message during the initial download attempt.
In flow-based inspection, when a virus is detected on a TCP session where some packets have already been forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore can't be opened. The IPS engine also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
NSE4_FortiGate_Security_7.2_Study_Guide page 350
C. Flow-based inspection is used, which resets the last packet to the user. Reference and download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
C is the correct one
FortiGate Security 7.2 Study Guide p.350
Security 7.2 p. 363. For flow-based inspection mode scanning, if a virus is detected at the start of the stream, the block replacement page is displayed at the first attempt. If a virus is detected after a few packets have been transmitted, the block replacement page is not displayed. However, FortiGate caches the URL and can display the replacement page immediately, on the second attempt.
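As an added illustration (not code from the study guide or from FortiOS), here is a toy Python model of the flow-based antivirus behaviour the answers above describe: packets are forwarded while they are scanned, a mid-stream detection resets the session with the tail withheld, a detection at the start of the stream yields the block page immediately, and the URL cache makes the second attempt get the block page. All class, function and signature names are hypothetical.

```python
# Toy model of flow-based AV inspection (hypothetical, not FortiOS code).
from dataclasses import dataclass, field

BLOCK_PAGE = "BLOCK REPLACEMENT MESSAGE"
SIGNATURE = b"EICAR"  # constructed marker standing in for a virus signature


@dataclass
class FlowAvModel:
    """Simulated flow-based AV engine with an IPS-style infected-URL cache."""
    infected_urls: set = field(default_factory=set)  # simulated URL cache

    def download(self, url: str, chunks: list) -> tuple:
        """Return (outcome, bytes actually delivered to the client)."""
        if url in self.infected_urls:
            # Repeat attempt: URL already known bad, so the block page is
            # served at once instead of scanning the stream again.
            return BLOCK_PAGE, b""
        delivered = b""  # what the client has received so far
        scanned = b""    # everything inspected so far (signature may span chunks)
        for chunk in chunks:
            scanned += chunk
            if SIGNATURE in scanned:
                self.infected_urls.add(url)
                if not delivered:
                    # Virus at the start of the stream: nothing forwarded yet,
                    # so the response can be replaced by the block page.
                    return BLOCK_PAGE, b""
                # Virus found after packets were forwarded: the session is
                # reset and the last piece is never sent, leaving the client
                # with a truncated file and no block page.
                return "RESET_TRUNCATED", delivered
            delivered += chunk  # flow mode forwards packets as they pass
        return "CLEAN", delivered
```

Run the same infected URL through the model twice to see the first-attempt truncation followed by the cached block page on the second attempt.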