View all questions & answers for the NSE 4 - FortiOS 7.6 Administrator Exam Materials exam


Question 28 Discussion

You have configured an application control profile, set peer-to-peer traffic to Block under the Categories tab, and applied it to the firewall policy. However, your peer-to-peer traffic on known ports is passing through the FortiGate without being blocked. What FortiGate settings should you check to resolve this issue? (Choose one answer)

  • A. FortiGuard category ratings
  • B. Application and Filter Overrides
  • C. Network Protocol Enforcement
  • D. Replacement Messages for UDP-based Applications
Correct Answer: C

Brave-Dump Clients Votes

C 60%
B 40%

Comments



Mahboab Ali Ghaleb 2025-07-11 23:24:27

Selected Answers: C


Network Protocol Enforcement:
ensures that traffic on a specific port matches the expected protocol.
Enabling it forces FortiGate to examine payloads even on known ports.
  • Brave-Dumps Admin 2025-07-12 23:46:44
    Thanks, Mahboab, for sharing your experience in the Brave-Dumps community. You're absolutely right. According to the FortiGate 7.6 Study Guide (page 311): "Enabling the Network Protocol enforcement option allows you to configure network services (for example, FTP, HTTP, and HTTPS) on known ports (for example, 21, 80, and 443), while blocking those services on other ports." "When the Block applications detected on non-default ports option enabled, FortiGate compares the ports used by the application with the ones defined in FortiGuard application signatures. The traffic is blocked if it does not match." This confirms that the correct answer is C, and I've updated the website accordingly. Appreciate your valuable input!


Sedoalom Djadoo 2025-12-11 21:31:00

Selected Answers: B


1. Application and Filter Overrides: If any application overrides or filter overrides have been configured, the profile checks these first. If a match is found here, the configured action is applied, and further checks are skipped.
2. Categories: Only if the traffic does not match an override is the action configured for the general categories applied.

Since you set the Categories tab to Block for peer-to-peer traffic, but the traffic is still passing through, there is likely an entry in the Application and Filter Overrides section that is permitting this specific traffic (or a related signature or application) to bypass the general category block action. You should check the overrides to ensure that no exceptions are set to Allow or Monitor for the peer-to-peer applications you intended to block.


Anonymous User 2026-01-25 13:41:44

Selected Answers: B


Correct answer is B. The question clearly states that the peer to peer traffic is on known ports, so network protocol enforcement does not apply.


Anonymous User 2026-01-25 23:39:35

Selected Answers: C


The peer-to-peer traffic is allowed through because it is not being identified as P2P at the application level. Application Control relies on signatures and behavioral patterns, and evasive or unknown-port traffic may not be classified as P2P. Network Protocol Enforcement addresses this by enforcing protocol-to-port compliance and treating traffic that does not match an expected service or port as a violation, allowing IPS to block it.


Anonymous User 2026-01-25 23:40:40

Selected Answers: C


If traffic isn’t being identified as the application you’re trying to block → you need protocol enforcement, not more application rules.
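Both settings debated in this thread, the override-before-category evaluation order (Sedoalom's comment) and Network Protocol Enforcement (the study-guide quote and the two comments above), can be checked from the FortiOS CLI. The following is an added example written for this page; it is not taken from the question, the study guide or Fortinet's documentation. The profile name app-block-p2p, the firewall policy ID 10, the entry IDs and the application ID 99999 are placeholders; category ID 2 is assumed to be the FortiGuard P2P category; and enforce-default-app-port is assumed to be the CLI counterpart of the GUI option "Block applications detected on non-default ports". Verify all three on your firmware with the show commands at the end.

```text
# Added example, not the page's or Fortinet's own configuration.
# Placeholders: profile "app-block-p2p", policy 10, application 99999.
# Assumption: category 2 = FortiGuard P2P; enforce-default-app-port =
# GUI "Block applications detected on non-default ports".
# Entries under "config entries" are evaluated top-down by ID; the first
# matching entry decides the action and the rest are skipped.

# --- Weak profile: override entry 1 sits above category entry 2, so a
# --- P2P application matched by entry 1 is passed and never reaches the
# --- category block. Protocol enforcement is also off.
config application list
    edit "app-block-p2p"
        set enforce-default-app-port disable
        config entries
            edit 1
                set application 99999
                set action pass
            next
            edit 2
                set category 2
                set action block
            next
        end
    next
end

# --- Corrected profile: remove the allowing override and enable
# --- protocol/port enforcement so a signature that claims to be a known
# --- service on its default port is still inspected and blocked when
# --- the application does not match the port.
config application list
    edit "app-block-p2p"
        set enforce-default-app-port enable
        config entries
            delete 1
            edit 2
                set category 2
                set action block
            next
        end
    next
end

# --- Confirm the profile is actually attached to the policy that the
# --- P2P traffic matches (a profile that exists but is not referenced
# --- by the matching policy blocks nothing).
config firewall policy
    edit 10
        set utm-status enable
        set application-list "app-block-p2p"
    next
end

# --- Checks: the entry order and enforcement flag are visible here.
show application list app-block-p2p
show firewall policy 10
```

When reading the output of show application list, confirm that no entry with set application or set action pass/monitor precedes the category block entry, and that enforce-default-app-port reads enable; then re-test the P2P flow and check the application-control log for the block event.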