View all questions & answers for the NSE 4 - FortiOS 7.6 Administrator Exam Materials exam


Question 13 Discussion

Which three statements explain a flow-based antivirus profile? (Choose three answers)

  • A. FortiGate buffers the whole file but transmits to the client at the same time.
  • B. Flow-based inspection uses a hybrid of the scanning modes available in proxy-based inspection.
  • C. If a virus is detected, the last packet is delivered to the client.
  • D. Flow-based inspection optimizes performance compared to proxy-based inspection.
  • E. The IPS engine handles the process as a standalone.
Correct Answer: A,B,D

Brave-Dump Clients Votes

ABD 37.5%
ADE 25%
BDE 25%
AB 12.5%

Comments



Alex 2025-06-30 10:38:16

Selected Answers: A, D, E


I think this is ADE, flow-based anti-virus is handled by the IPS engine. It's worth checking this one.
  • Brave-Dumps Admin 2025-07-02 01:01:32
    Hi Alex, correct is ABD. E is totally not correct, please check page 233 of the study guide.
  • Jay gabasa 2025-10-28 05:01:29
    A is also wrong because it's proxy mode which buffers the whole file. Flow scans it on the fly.


Flo Dew 2025-12-01 16:54:19

Selected Answers: A, B, D


Agree A B D


Dizzle D 2025-12-12 09:01:53

Selected Answers: A, D, E


The key lies in the difference between flow-based inspection in general and how flow-based antivirus scanning actually works:
Flow-based antivirus scanning
• FortiGate does not fully buffer traffic like proxy mode does.
• Instead, it uses the IPS engine to scan packets as they flow.
• However, when scanning files (like HTTP downloads or SMTP attachments), FortiGate does buffer the file stream in memory while simultaneously transmitting it to the client.
• This means the client starts receiving the file right away, but FortiGate is still scanning the buffered stream in parallel.


Why A is correct
• Statement A: "FortiGate buffers the whole file but transmits to the client at the same time" is describing this parallel buffering + transmission behavior.
  • Dizzle D 2025-12-12 09:03:11
    Oops. I meant ABD, not ADE.


Ijaz 2025-12-20 06:41:05

Selected Answers: B, D, E


1. Why D is correct (Performance):
The primary advantage of Flow-based inspection is performance. It scans active traffic packet-by-packet (streaming) without holding up the connection to buffer the entire file. This reduces latency and resource usage compared to Proxy-based inspection, which buffers the full file before delivery.


2. Why E is correct (IPS Engine):
In Flow mode, all security profiles (AV, Web Filter, IPS, Application Control) are processed by the IPS Engine in a single pass. There is no separate "WAD" (Worker) process handling the content like in Proxy mode. The IPS engine handles the antivirus scanning directly as part of its flow processing.


3. Why B is correct (Hybrid Mode):
Modern FortiOS versions (since 6.4/7.0) use a "Hybrid" scanning mode by default for Flow-based AV. This allows the flow engine to employ advanced detection techniques (like emulation) that were traditionally reserved for proxy mode, offering a balance of speed and security accuracy.


Anonymous User 2025-12-28 14:24:29

Selected Answers: A, B, D


“Flow-based inspection scans content as it passes through the FortiGate.”
“Flow-based inspection provides better performance compared to proxy-based inspection.”


ali pc 2026-01-08 15:38:44

Selected Answers: A, B, D


.


Kacper 2026-02-25 22:02:17

Selected Answers: A, B


A and B - agree
Regarding D: Because the file is transmitted at the same time, flow-based mode consumes more CPU cycles than proxy-based mode. However, depending on the FortiGate model, some operations can be offloaded to secure processing units (SPU) to improve performance.
"Flow-based inspection mode packet flow"


Anonymous User 2026-02-28 10:49:57

Selected Answers: B, D, E


B,D,E is correct