Pass the Fortinet Certified Professional Security Operations FCP_FSA_AD-5.0 Questions and answers with ExamsMirror

From the FortiMail Integration lesson, the Study Guide explicitly states:

" The Scan timeout value determines how long FortiMail will wait for a response from FortiSandbox. The default is 30 minutes. So, if after 30 minutes FortiSandbox is unable to generate a verdict, FortiMail will release the email to the end user. "

" SMTP is a store-and-forward protocol. This allows FortiMail to queue the email while FortiSandbox inspects all submitted samples. FortiMail will release the email only if there is a scan timeout event, or FortiSandbox returns a clean verdict. "

The Integration Settings exhibit clearly confirms Scan timeout = 30 minutes , and the AV Profile shows both Attachment analysis and URL analysis are enabled — meaning FortiMail will hold/queue emails for up to 30 minutes while FortiSandbox completes inspection of all attachments and URLs before taking action.

From the FortiWeb Integration lesson, the Study Guide explicitly states:

" You can configure FortiSandbox file submission in a file security policy. Any files not detected by the FortiGuard antivirus engine will be uploaded to FortiSandbox. "

" You can configure FortiWeb to send attachments to FortiSandbox for additional scans to detect advanced persistent threats or zero-day attacks. "

From the Lab Guide (Exercise 1 - FortiWeb Integration):

" Click Web Protection > Input Validation > File Security. In the File Security Policy section, click Create New. Configure Send Files to FortiSandbox: Enabled. "

This confirms that File Security (Option A) is the correct location on FortiWeb to configure FortiSandbox file submission settings.

From the Lab Guide (Exercise 4 - Using Inline Scanning) , the following is stated:

" FortiGate and FortiSandbox communicate through port 4443. Management or API ports grant access through port 4443. "

And the CLI command used:

" Enter the following command to enable API access on port2: set api-port port2 "

This confirms:

Option B is correct: Port 4443 uses HTTPS only — API ports will not accept HTTP traffic.

Option C is correct: The API port configuration must be performed using the CLI (set api-port port2), as there is no GUI option for this.

Option A is incorrect: The Study Guide states port3 cannot be a management port, and HA communication ports have dedicated roles that are not interchangeable with API ports.

Option D is incorrect: The CLI command sets the API port directly without requiring a separate administrative interface designation.

The FortiClient EMS Integration section is explicit on this point. It says: “You must include the sandbox profile in the active endpoint policy.” It then explains how off-fabric handling works: “FortiClient on-fabric detection rules configured within the policy will classify endpoints as on-fabric or off-fabric. The Profile (Off-Fabric) setting allows you to select a second profile to be applied to endpoints when they are determined to be off-fabric.”

This means the control point for applying FortiSandbox-related behavior to off-fabric endpoints is the endpoint policy , not the fabric connector, not a workgroup, and not the sandbox profile by itself. The sandbox profile defines FortiSandbox behavior, but it must be attached through the active endpoint policy, where the Off-Fabric profile selection is made. Therefore, the correct answer is C. As part of the endpoint policy configuration .

From the Attack Methodologies lesson, the Study Guide explicitly states:

" During the lateral movement stage, the attacker is trying to compromise and infect other computers in the network. If these computers are protected with FortiClient, FortiClient can send any file that the computer downloads, to FortiSandbox for analysis. "

" FortiDeceptor creates a network of decoys, to lure attackers and monitor their activities on the network. When attackers attack a decoy, an alert is generated. FortiDeceptor engages FortiSandBox to get a verdict on the suspected malware. "

" If you deploy FortiGate as an ISFW firewall, FortiGate can analyze the traffic moving across subnets and send any files to FortiSandbox for analysis to prevent propagation. "

Both FortiDeceptor (Option B) and FortiGate (Option D) are specifically identified as protecting against the lateral movement stage through their FortiSandbox integration.

The FortiSandbox 5.0 Administrator Lab Guide shows that, when diagnosing FortiMail submission issues, the required FortiMail debugs are sandboxclid and deferd . It explicitly instructs: “Enter the following commands to enable both deferd and sandboxclid debugging” and then shows that the deferd daemon spools the email and later releases the email from the queue folder after FortiSandbox processing.

Because sandboxclid is not one of the answer choices, the best answer among the listed FortiMail debug tools is deferd . It is the FortiMail daemon directly shown in the official lab workflow for troubleshooting submission-and-verdict handling. The other options in the answer list are not the ones the lab uses for FortiMail-to-FortiSandbox submission troubleshooting. So, based on the uploaded guide, diagnose debug application deferd is the correct choice.

The uploaded FortiSandbox 5.0 Administrator Study Guide states that each VDOM is handled independently by FortiSandbox, not under the root VDOM’s authorization. It explicitly explains that “each VDOM is treated as a separate input device on FortiSandbox” and that each device must be authorized before FortiSandbox will process its submissions. It further adds that only when auto-authorization is enabled will FortiSandbox automatically authorize VDOMs as files are submitted.

Therefore, the new VDOM does not inherit the root VDOM’s authorized state. Since the question does not say that auto-authorization is enabled, FortiSandbox will not automatically trust or process that new VDOM as if it were already approved. This eliminates A and C. Option D is incorrect because the issue is not that the administrator must manually configure the VDOM on FortiSandbox; the study guide specifically identifies authorization as the required control. For that reason, B is the best answer: the new VDOM must be manually authorized before its submitted files are inspected.

From the Scanning and Rating Components lesson, the Study Guide states:

" The universal VM license is a single license that grants you access to multiple VMs. Provides a scalable and cost-effective solution with up to 200 VMs on a single unit. Clone count limits shown on the VM Settings view apply to all enabled VM Types. "

" When you enable Adaptive Scan, FortiSandbox dynamically adjusts the number of clones of any local VMs you have enabled. Enabling this option does not affect the number of remote Mac OS or Windows cloud VMs. "

This confirms:

Option A — Deploying remote WindowsCloudVM and MACOSX clones expands capacity beyond local clone limits since remote VMs are not subject to local clone restrictions

Option D — Adding VM licenses directly increases the number of available VMs up to 200 on a single unit

Reorganizing the scan priority list (B) only affects scan order, not capacity. Adding custom VMs (C) would still be subject to the same local clone limits.

From the FortiGate Integration lesson, the Study Guide explicitly states:

" The quarantine daemon is involved in submitting files to FortiSandbox. "

" The quarantine daemon also receives the verdicts returned by FortiSandbox. "

" The quarantine daemon is responsible for sending requests for the dynamic lists generated by FortiSandbox. This includes the malware package, URL package, and the extension lists. "

From the Lab Guide (Exercise 3 - Using FortiGate Diagnostics):

" Enter the following commands to enable debugging for the quarantine daemon: diagnose debug application quarantine -1 "

The quarantined daemon (Option B) handles both file submissions to FortiSandbox AND receives verdicts back from FortiSandbox in real time, making it the correct daemon to monitor for verdict reception verification.

The exhibit labels 10.25.1.50 as the cluster virtual IP address . The Study Guide explains that in HA configuration, “You must configure the HA group name, password, and the virtual IP only on the primary node.” It also says: “You must also configure an external interface for external communication and an IP address that will be used as a virtual IP for the whole cluster. Devices will interact with the cluster using this virtual IP.”

That is why the command for the primary node must point to the cluster virtual IP , not to the individual port1 addresses of the primary, secondary, or upstream firewall. In the exhibit, 10.25.1.30 is the primary node’s own port1 IP, 10.25.1.40 is the secondary node’s port1 IP, and 10.25.1.254 is the network device. The only address that matches the required cluster virtual IP is 10.25.1.50 , so the correct command is hc-settings -si iport1 -a10.25.1.50 .