Refer to the exhibit.
The exhibit shows the FortiGuard Category Based Filter section of a corporate web filter profile.
An administrator must block access to download.com, which belongs to the Freeware and Software Downloads category. The administrator must also allow other websites in the same category.
What are two solutions for satisfying the requirement? (Choose two.)
To block access to download.com while allowing other websites in the same category, the administrator can configure a firewall policy with action Deny and an FQDN address object for *.download.com. This ensures that any request specifically targeting download.com is denied without affecting other URLs in the category. Additionally, configuring a static URL filter entry for download.com with the Type set to Wildcard and Action set to Block directly targets the specific site without impacting other sites categorized under Freeware and Software Downloads. These two approaches provide precise control required for the scenario.
B. Configure a web override rating for download.com and select Malicious... D. Configure a static URL filter entry for download.com with Type and Action... FortiGate Security 7.2 Study Guide (p.268-269): "If you want to make an exception, for example, rather than unblock access to a potentially unwanted category, change the website to an allowed category. You can also do the reverse. You can block a website that belongs to an allowed category." "Static URL filtering is another web filter feature. Configured URLs in the URL filter are checked against the visited websites. If a match is found, the configured action is taken. URL filtering has the same patterns as static domain filtering: simple, regular expressions, and wildcard." A. Configure a separate firewall policy with action Deny and an FQDN address object for *.download.com... (incorrect because you still allow root domain) Download study guide: https://ebin.pub/fortinet-fortigate-security-study-guide-for-fortios-72.html
I would go for B & D. C is definitivly wrong, and A is to complicated to achieve this. NSE4-SEC Page 268+269 for reference. Even the "wildcard" statement should not be a problem.
FortiGate Security 7.2 study guide A. web filter profiles flow based Page 263 D. URL Filtering Page 269
My first guess were ABD ... B would work, but it's not kosher. A Definetly work, as *.download.com FQDN will resolve IP addresses and regardles of protocol it will be blocked. D: Static URL filtering is normal thing to do (unless your license is expired, then use A)
I don't think it's A because of "object for *.download.com" you can still reach it with https://download.com. The *. don't exclude apply on https://download.com iirc
Why not B?
I believe it is because the profile is in Flow-based mode.
Tested on 7.0.14 : B : OK D: OK A : NO, fortigate can't resolve *.download.com, but with download.com it's works
Options B and C do not meet the requirement because they do not provide fine control over specific websites. Option B involves overriding the rating by classifying the website as Malicious, which might not be the correct classification and would not block the site. Option C sets the entire category to Warning, which would only issue a warning to users and would not block access to download.com.
And I tested A and D on my FGT and solution works.
AD is valid
BD is a valid response
B. Configure a web override rating for download.com and select Malicious Websites as the subcategory. D. Configure a static URL filter entry for download.com with Type and Action set to Wildcard and Block, respectively.
FortiGate Security 7.2 Study Guide (p.268-269)
Such as Brazillian guys says "Confia no pai!..." Correct answers: BD
Hola creo B y D son correctas: B: If you want to make an exception, for example, rather than unblock access to a potentially unwanted category, change the website to an allowed category. You can also do the reverse. You can block a website that belongs to an allowed category. Remember that changing categories does not automatically result in a different action for the website. This depends on the settings within the web filter profile. en la imagen nos muestra una categoria como denegada dentro del perfil (malicious Websites).
Could anyone tell me why B,D isnt the correct answer? I would never create a new firewall policy to block a single site but i have many times in the past used web override ratings to block or unblock sites while leaving the rest intact.
My vote is AB
I think D is incorrect because the type should be "simple" not "wildcard". My vote is A & B.
I think B should work.