FCP_FSA_AD-5.0 Exam Dumps - Fortinet Certified Professional Security Operations Questions and Answers

From the Attack Methodologies lesson, the Study Guide explicitly states:

" During the lateral movement stage, the attacker is trying to compromise and infect other computers in the network. If these computers are protected with FortiClient, FortiClient can send any file that the computer downloads, to FortiSandbox for analysis. "

" FortiDeceptor creates a network of decoys, to lure attackers and monitor their activities on the network. When attackers attack a decoy, an alert is generated. FortiDeceptor engages FortiSandBox to get a verdict on the suspected malware. "

" If you deploy FortiGate as an ISFW firewall, FortiGate can analyze the traffic moving across subnets and send any files to FortiSandbox for analysis to prevent propagation. "

Both FortiDeceptor (Option B) and FortiGate (Option D) are specifically identified as protecting against the lateral movement stage through their FortiSandbox integration.

The correct answer is C. cleandb . The FortiSandbox 5.0 Administrator Study Guide explicitly states: “The cleandb command will erase all stored data in the FortiSandbox database and reboot the system.” This directly matches the scenario, because the issue is that FortiSandbox contains many obsolete samples and related stored analysis data that are no longer needed. Removing those database contents is exactly what cleandb is designed to do.

The other options do not fit this requirement. The same study guide section says “The log-purge command will remove all system logs,” which affects logs only, not the stored sample database. It also says “The fsck-storage command will check the integrity of the hard disks and repair them if any issues are discovered,” which is for disk integrity troubleshooting, not cleanup of obsolete samples. A factory reset would be far more destructive and is not the stated maintenance tool for this issue. Therefore, cleandb is the correct CLI remediation tool.

From the Deployment and System Settings lesson, the Study Guide explicitly states:

" The status command shows information about the system, including firmware level, device serial number, disk usage, Windows VM status, states of the boot and data disks, and more. For VM appliances, it will also show the FortiSandbox license status. "

The key phrase is " For VM appliances, it will also show the FortiSandbox license status " — making the status command the correct choice for verifying license validity on a FortiSandbox VM deployment.

While vm-license -l shows installed Windows/Microsoft Office license keys, and vm-status shows guest VM image information, neither directly reports on the FortiSandbox appliance license validity. The status command is the definitive command for checking overall system and license status.

The exhibit shows the Connectivity and Services widget with VM Internet = GRAY (disabled) while Web Filter = GREEN (enabled) and Tracer/Rating = GREEN (enabled) .

Since VM Internet access is disabled (SIMNET mode), the Study Guide explicitly states what CANNOT be performed:

" When the malware does a DNS query, FortiSandbox responds with an internal IP address. Performing an IP reputation lookup on an internal IP would be meaningless. " — eliminates Option A

" When the malware attempts to download a file, FortiSandbox provides a fake download package. This allows the downloader to successfully execute; however, FortiSandbox cannot run its antivirus inspection on the file. " — eliminates Option B

" If the malware creates a callback connection to an IP, FortiSandbox cannot rate the IP, to determine if it ' s a botnet server. "

However, the Study Guide confirms URL rating CAN still be performed:

" FortiSandbox checks connection attempts to any URLs against the FortiGuard web filtering database. "

" Similarly, FortiSandbox assesses all IP connection attempts against the FortiGuard IP rating database to identify known command-and-control (C & C) servers. "

Since the Web Filter service is GREEN (active) , FortiSandbox can still:

Option C — Perform URL rating on HTTP GET requests using the FortiGuard web filtering database

Option D — Perform URL rating on FQDN seen in DNS requests using the FortiGuard web filtering database

These URL rating inspections use FortiSandbox ' s own internet connectivity (port1) to query FortiGuard, independent of the VM internet access status on port3.

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" VM images are downloaded from FortiGuard, using port1. So, you must ensure FortiSandbox has a default route and internet connectivity for port1. "

The exhibit confirms this — the test-network output shows:

System DNS resolve: Failed for both bing.com and fsavm.fortinet.net

fsavm.fortinet.net is the FortiGuard VM image download server

This DNS failure on the system side (port1) confirms there is no internet connectivity on port1 , preventing VM image downloads. Note that port3 internet shows " Warning: VM to access internet: Disabled " — but port3 is only for VM sandboxing traffic, not for downloading VM images.

The Results Analysis section gives direct malware-type definitions. It says: “A downloader attempts to download malicious content from a remote system” , “A dropper installs malicious content” , “A trojan appears to be a legitimate software application” , and most importantly, “A rootkit attempts to hide its components by replacing valid system files.”

That exact wording matches the question statement about malware attempting to replace vital system executables . Replacing valid system files is classic rootkit behavior because the purpose is concealment and persistence by hiding malicious components behind trusted operating-system files. A dropper’s main role is delivering payloads. A trojan is mainly deceptive software that appears legitimate. An exploit takes advantage of a vulnerability. None of those definitions match the described behavior as precisely as the rootkit definition in the Study Guide. Therefore, the malware type being observed is Rootkit .

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" The second section of the Scan Profile, VM Association, allows you to define file extensions and VM image associations. This means that specific files are sandboxed by the associated VM image. To assign a file to a VM image, the following conditions must be true:

The file type must be configured to enter the job queue (first section of the scan profile).

The VM image clone value cannot be a non-zero number. "

This directly confirms:

Option B — The VM image clone value must be a non-zero number (clones must be allocated)

Option C — The file type must be configured to enter the job queue via the scan profile Pre-Filter section

Options A and D, while potentially relevant in practice, are not listed as the two required conditions in the Study Guide.

From the Deployment and System Settings lesson, the Study Guide explicitly states:

" Initial port1 IP configuration must be performed from the console, using the commands shown on this slide. If your management computer is on a separate subnet from FortiSandbox, you must specify a gateway address using the commands shown on this slide. "

The two required commands are:

set port1-ip < IP address > — to assign the IP address to port1 for GUI access

set default-gw < IP Address > — to configure the default gateway so the management computer can reach FortiSandbox from a different subnet

Option B (set api-port port1) is for API access configuration, and Option C (set admin-port port1) is not a valid FortiSandbox CLI command for this purpose.

The uploaded FortiSandbox 5.0 Administrator Study Guide states that each VDOM is handled independently by FortiSandbox, not under the root VDOM’s authorization. It explicitly explains that “each VDOM is treated as a separate input device on FortiSandbox” and that each device must be authorized before FortiSandbox will process its submissions. It further adds that only when auto-authorization is enabled will FortiSandbox automatically authorize VDOMs as files are submitted.

Therefore, the new VDOM does not inherit the root VDOM’s authorized state. Since the question does not say that auto-authorization is enabled, FortiSandbox will not automatically trust or process that new VDOM as if it were already approved. This eliminates A and C. Option D is incorrect because the issue is not that the administrator must manually configure the VDOM on FortiSandbox; the study guide specifically identifies authorization as the required control. For that reason, B is the best answer: the new VDOM must be manually authorized before its submitted files are inspected.

The FortiSandbox 5.0 Administrator Lab Guide explicitly states during the inline scanning configuration: “FortiGate and FortiSandbox communicate through port 4443. Management or API ports grant access through port 4443.” In the same exercise, the guide has you enable API access on port2 specifically so inline scanning can function, which confirms that the integration depends on FortiGate reaching FortiSandbox over TCP/4443 .

In this scenario, the intermediate firewall currently allows TCP/3389, UDP/53, and TCP/443, but not TCP/4443 . That is why inline scanning stopped working after the redesign. TCP/443 is not sufficient here because the documented FortiGate-to-FortiSandbox inline communication port is 4443 , not standard HTTPS 443. The other ports in the options do not match the inline-scanning communication requirement described in the uploaded lab materials. Therefore, the required fix is to allow FortiGate access to FortiSandbox on TCP/4443 .