Practice Free NSE4_FGT_AD-7.6 Exam Online Questions
Question #31
A network administrator enabled antivirus and selected an SSL inspection profile on a firewall policy. When downloading an EICAR test file through HTTP, FortiGate detects the virus and blocks the file. When downloading the same file through HTTPS, FortiGate does not detect the virus and does not block the file, allowing it to be downloaded. The administrator confirms that the traffic matches the configured firewall policy.
What are two reasons for the failed virus detection by FortiGate? (Choose two answers)
- A . The selected SSL inspection profile has certificate inspection enabled.
- B . The website is exempted from SSL inspection.
- C . The EICAR test file exceeds the protocol options oversize limit.
- D . The browser does not trust the FortiGate self-signed CA certificate.
Correct Answer: A, B
Explanation:
“The only security features you can apply using SSL certificate inspection mode are web filtering and application control… certificate inspection does not allow FortiGate to inspect the flow of encrypted data.”
“For antivirus or IPS control, you should use a deep-inspection profile.”
“Within the full SSL inspection profile, you can also specify which SSL sites, if any, you want to exempt from SSL inspection.”
Technical Deep Dive:
The correct answers are A and B.
A is correct because with a certificate-inspection profile FortiGate only examines the server certificate and the SNI in the TLS handshake. It never decrypts the session, so the antivirus engine never sees the EICAR payload. HTTP is cleartext and is scanned as-is, which is why the same file is caught over HTTP but not over HTTPS.
B is also correct because an entry in the SSL exemption list tells FortiGate to deliberately pass that HTTPS session through without decrypting it, even when the policy references a deep-inspection profile. Again, no decrypted payload means no antivirus content scan.
Why the others are wrong:
C is not the cause. The oversize limit is set per protocol in the protocol options profile (default 10 MB), and decrypted HTTPS is handled under the HTTP settings. The EICAR test file is 68 bytes, and the very same file was detected over HTTP, so the size limit cannot explain the difference.
D is a client-side trust problem, not an inspection problem. During deep inspection FortiGate re-signs the server certificate with its own CA; if the browser does not trust that CA the user sees a certificate warning, and if they click through, FortiGate still decrypts and scans the content. A silent, warning-free download that bypasses AV points to the session never being decrypted, which is A or B.
Operationally, HTTPS antivirus requires this whole chain to be true:
firewall policy match → SSL deep inspection active → site not exempted → AV profile applied.
If certificate inspection is in use or the site is exempted, FortiGate never sees the plaintext file body, so the antivirus profile has nothing to scan.
