TTechclick All lessons
Fortinet · FortiGate · Security Profiles + UTM🔥 ~70% Fortinet interviews · #6 frequency · NSE4 coreInteractive · L1 / L2 / L3

FortiGate Security Profiles — Flow vs Proxy, Web Filter, AppCtrl, IPS, AV in 11 Minutes

Most L1 candidates say "UTM means IPS, AV, web filter — done." Then the interviewer asks "flow or proxy?" and the room goes quiet. This blog gives you the next four lines — why deep-inspection breaks Teams, how Pooja confirms a CVE-2024-21762 sig is actually blocking, when DLP forces you back to proxy mode, and the one command that tells you which profile killed your packet.

📅 2026-05-26 · ⏱ 11 min · 5 SVG infographics · 2 packet visualizers · 🏷 10-Q Bloom-tiered assessment + AI Tutor

⚡ Quick Answer

FortiGate security profiles in 11 visual minutes — flow vs proxy inspection, Web Filter, App Control, IPS, AV, SSL deep-inspection done right, and the CVE-2024-21762 sig check L2s must know.

Pick your path — jump to your weak spot

1

Flow vs Proxy

The single architecture choice that decides perf vs depth. Plus the silent-disable trap.

2

Web Filter + AppCtrl

Categories, rating override, App Control precedence — what wins when both fire.

3

IPS + AV deep-dive

Monitor vs block, custom sigs, the CVE-2024-21762 sig check L2s must know.

4

SSL deep-inspection done right

CA cert push, pinned-cert breakage, Teams/banking exemptions — the L3 playbook.

FortiGate Security Profiles — Flow vs Proxy, Web Filter, AppCtrl, IPS, AV in 11 Minutes student learning map A visual study map for FortiGate Security Profiles — Flow vs Proxy, Web Filter, AppCtrl, IPS, AV in 11 Minutes showing learning path, evidence, traps, and practice sequence. TECHCLICK STUDY MAP FortiGate Security Profiles — Flow vs Proxy, Web... Fortinet · learn the flow, prove with evidence, avoid unsafe shortcuts 1. Start Pick your path — jump to your weak... 2. Understand Why this matters — the... 3. Prove Web Filter + App Control — what... 4. Practice IPS + AV — monitor vs block, and... How to use this page First build the mental model, then connect the concept to a realistic production decision. Finish by testing yourself. Techclick Infosec Pvt Ltd | ai.techclick.in | Training Contact: WhatsApp +91 92772 29456
Content-specific feature visual for this lesson: use it as the 60-second map before reading the full detail.

Why this matters — the airport-security analogy

Imagine the security stack at Mumbai T2. Every passenger walks the same line, but each layer of the check is doing something different. Boarding-pass scan asks "where are you going?" — that's your Web Filter. X-ray asks "what's in the bag?" — that's App Control. Behavior analyst watches gait and nervousness — that's IPS. Bomb-sniffing dog is the chemical signature check — that's AV. And when CISF wants to open the bag because something looks weird? That's deep-inspection — the firewall opens the TLS bag, inspects, and zips it back up before forwarding.

Now the catch. The airport runs two parallel security lines — one is fast (everyone walks through, scanners look for obvious things), the other is slow (full unpack, swab, behavioral profile). T2 calls them domestic vs international. FortiGate calls them flow-based vs proxy-based inspection. Same UTM tools — totally different depth and cost.

Scenario · Pooja at Tata Communications Mumbai

Pooja (SOC L2, 14 months in) owns content-inspection rollout for a banking customer's DC perimeter. The customer wants "everything inspected" — web filter, app control, IPS, AV, and now DLP because Compliance escalated a credit-card-leak audit finding from last quarter.

She enabled flow-based mode on the customer VDOM 6 months ago — perf was great, 8 Gbps clean throughput. But yesterday her DLP profile silently stopped firing in FortiOS 7.0. Today she opens a 9.8-rated CVE-2024-21762 IPS alert and her boss asks "is the IPS sig actually blocking, or just monitoring?" Two questions, two profiles, two inspection modes — and a deadline tomorrow. The next 11 minutes are her playbook.

The 90-second mental model

Flow-based inspection reads the packet stream as it passes, pattern-matching in-line. It's fast (NPU-friendly, low memory) and good enough for IPS signatures, basic AV stream-scan, web filter URL lookup, and App Control. Proxy-based inspection buffers the entire object (a file, a full HTTP transaction) in FortiOS memory, reassembles it, scans the full reconstructed object, then forwards. Higher CPU + memory cost, but it's the only way to do full DLP pattern matching, sandbox handoff, and some advanced AV checks.

The interview line you need: "Flow is the default. Proxy is the exception. Pick proxy only when the profile literally cannot work in flow."

LegendFlow-based path (default, fast)Proxy-based path (deep scan)Proxy buffer / reassemble stepHigh CPU & added latency cost
Flow-based vs Proxy-based inspection — architecture side-by-side Two parallel processing paths. Left: flow-based path — packet enters, IPS engine pattern-matches in-line, AV stream-scan runs, packet forwarded with minimal buffering. Right: proxy-based path — packet enters, FortiOS proxy fully reassembles the object into memory, scans the reconstructed payload, then re-injects to forward. The right path shows higher CPU and latency cost. Flow-based vs Proxy-based — two ways FortiGate inspects content FLOW-BASED (default) Pattern-match the byte stream as it passes 1. Packet arrives at kernel 2. IPS engine — in-line pattern match 3. AV stream-scan (no buffering) 4. Web filter URL + AppCtrl sig 5. Forward — NPU-eligible after pkt 1 ⚡ LOW CPU · LOW LATENCY ~8 Gbps clean throughput on 100F PROXY-BASED (deep) Buffer the whole object, reassemble, scan 1. Packet arrives at kernel 2. FortiOS proxy buffers full object 3. Reassemble file / HTTP transaction 4. Full AV + DLP + sandbox handoff 5. Re-inject, forward — NPU bypassed 🔥 HIGH CPU · ADDED LATENCY ~30-50% throughput drop vs flow VS
Figure 1. Side-by-side. Left: flow-based — packet inspected as it streams, NPU-eligible, ~wire-speed. Right: proxy-based — full object buffered, reassembled, deeply scanned, then forwarded. Same UTM "what" — radically different "how".

Three terms every interviewer will test

Flow-based mode reads the byte stream, fires signatures as patterns match, makes a forward/drop decision per packet. Proxy-based mode buffers the whole transaction in memory before deciding. UTM is just the umbrella name — it's what every interviewer means when they say "security profile".

Flow-based
tap to flip

Default. In-line stream pattern-match. NPU-eligible. ~Wire-speed. Good for IPS, basic AV, web filter, AppCtrl. Cannot do full DLP, some sandbox handoffs (in 7.0/7.2).

🔍
Proxy-based
tap to flip

Full object buffered in FortiOS memory. Reassembly + deep scan. Required for full DLP (pre-7.4), some advanced AV. Cost: 30-50% throughput drop, NPU bypass.

🌐
Web Filter
tap to flip

URL category + static URL filter + FortiGuard rating override. Categories beat individual URLs unless you create an explicit override. Works in both flow and proxy.

📱
App Control
tap to flip

L7 fingerprinting. ~7k FortiGuard signatures. Identifies Teams, Zoom, Dropbox, ChatGPT regardless of port. Bandwidth shaping + monitor + block actions per category.

🛡
IPS
tap to flip

~20k+ signatures. Action per filter: pass / monitor / block / reset / quarantine. Monitor logs but doesn't drop — production rules must use block. Sigs ship within days of major CVE disclosure.

🦠
AV
tap to flip

Two DBs: extreme (default) + extended (broader, more CPU). Stream-scan in flow, full-file in proxy. Flow handles known malware fine; proxy needed when you also want sandbox / DLP correlation.

The silent-disable trap — why Pooja's DLP stopped firing

Here is the part that catches even experienced engineers. When you flip a VDOM or policy from proxy-based to flow-based for throughput, FortiOS does not throw an error if a profile can't run in flow — on FortiOS 7.0/7.2 the DLP fingerprint and document-matching features simply stop enforcing. No log line, no alert. The policy looks healthy. The data just walks out.

That is exactly what bit Pooja: six months ago throughput was the priority, so the VDOM went flow-based. The DLP profile was still attached, still "enabled" in the GUI — but the engine that does fingerprint matching needs the proxy to hold the whole object, and in flow mode there is no whole object to hold.

⚙ Trace it — a file download through proxy-based inspection

Press Play and watch why proxy mode can do deep DLP and sandbox — and why it costs you the NPU.

Flow User requests report.pdf. In flow mode the FortiGate would scan bytes as they stream — fast, but it never holds the whole file.
Proxy Policy is proxy-based. The FortiGate intercepts the session and starts buffering the object into FortiOS memory.
Reassemble The full report.pdf is rebuilt in memory — every byte, in order, exactly as the server sent it.
Deep scan Now the heavy checks run on the complete file: full AV signature scan, DLP fingerprint match, optional FortiSandbox submission.
Forward Verdict clean → re-inject and forward. Cost: NPU offload bypassed, latency up. That's why you scope proxy to only the policies that need it.
Press Play to watch the trace step by step.
FortiGate · set a policy to proxy-based (profile-based NGFW)
config firewall policy
    edit 12
        set inspection-mode proxy
    next
end
# verify which mode a policy is in
show firewall policy 12 | grep inspection-mode
Expected output
        set inspection-mode proxy
Common mistake — "DLP is enabled, so we're covered"

The symptom Pooja saw: DLP profile attached, GUI shows it enabled, but credit-card patterns stop being caught after a move to flow mode — with no error. Always confirm the policy's inspection-mode matches what the profile needs. Pre-7.4, fingerprint DLP and clean sandbox handoff need proxy.

Quick check · Q1 of 10 · Apply

Pooja flips the customer VDOM to flow-based mode for throughput. A week later her DLP profile silently stops catching credit-card patterns — no error, no log. Most likely cause?

Correct: a. Flow vs proxy is the hidden variable. Pre-7.4, deep DLP needs the proxy to buffer and reassemble the object — flow mode can't fingerprint a file it never holds. It fails open silently, which is exactly why it's a favourite interview trap.

Web Filter + App Control — what wins when both fire

Back to the airport. Web Filter is the boarding-pass scan: it judges where you're going — the URL and its FortiGuard category. App Control is the X-ray: it judges what the traffic actually is — the L7 application, regardless of port. New engineers assume one overrides the other. It doesn't work like that.

Scenario · Rahul at Wipro, Pune

Rahul (network security L1) gets a ticket: "Marketing can open Google Drive but can't upload files." He checks Web Filter — the File Sharing category is set to allow, so the URL is fine. Then he checks App Control logs and sees Google.Drive.Upload = block. Two profiles, two verdicts, one session. Which one wins?

The answer: they are independent gates, evaluated separately — a block in EITHER one drops the traffic. Web Filter allowed the category, but App Control independently blocked the upload sub-application. There is no "most-permissive wins" vote. Every attached profile is its own checkpoint, and any single block is final.

Web Filter and App Control are independent gates A session enters and passes through two separate checkpoints in series. Gate 1 is Web Filter, judging the URL category — it allows the File Sharing category. Gate 2 is App Control, judging the L7 application — it blocks the Google Drive upload sub-application. Because any single block drops the session, the final result is a drop even though Web Filter allowed it. Independent gates — any single block wins HTTPS session drive.google.com + upload Gate 1 · Web Filter Category: File Sharing ALLOW ✓ Gate 2 · App Control Google.Drive.Upload BLOCK ✕ RESULT DROPPED Web Filter allowed the URL — but App Control blocked the app. A block in either gate is final. Profiles are checkpoints in series, not a most-permissive vote.
Figure 2. Web Filter judges the URL/category; App Control judges the L7 app. They run independently — allowing the category does not "unblock" the application.

Web Filter also lets you override a single URL against its category — useful when FortiGuard miscategorises a site your business depends on. The order to remember: a static URL filter entry (allow/block/monitor) is checked before the FortiGuard category rating, so an explicit allow can rescue one site without opening the whole category.

💡Pro tip — App Control precedence inside the sensor

Within an Application Control sensor, a more specific application override beats a broad category action. So you can set the "Video/Audio" category to monitor while explicitly blocking "BitTorrent" — the specific entry wins. Build the exceptions first, the broad strokes last.

Quick check · Q2 of 10 · Analyze

A user reaches https://drive.google.com (Web Filter allows the "File Sharing" category) but uploads fail. App Control logs show Google.Drive.Upload = block. Which engine wins, and why?

Correct: c. Profiles are independent gates, not a vote. Web Filter judges the URL/category; App Control judges the L7 app and its sub-functions. If any attached profile says block, the session is dropped. Allowing the category does not "unblock" the app.

IPS + AV — monitor vs block, and the CVE-2024-21762 trap

IPS is the behaviour analyst at the airport — it watches the stream for known attack patterns. The single biggest IPS mistake on FortiGate is confusing monitor with block. Monitor logs the match and lets the packet through. Block actually drops it. A sensor full of "monitor" filters generates beautiful dashboards and stops nothing.

FortiGate IPS signature actions — what each one does Five IPS actions in a row. Pass lets traffic through with no log. Monitor logs the match but does not drop, shown in amber as detect-only. Block drops the matching packet. Reset drops and sends a TCP reset. Quarantine blocks and isolates the source. Block, reset and quarantine are marked as enforcing actions that actually stop the attack; monitor is marked as the trap. IPS actions — only some of these actually stop the attack Pass allow, no log (does nothing) Monitor ⚠ LOGS the match does NOT drop Block ✓ drops the packet + logs Reset ✓ drops + TCP RST tears the session Quarantine ✓ blocks + isolates the source IP "I see alerts" ≠ "I'm protected." Monitor is detect-only. Production rules must use block / reset / quarantine for anything you actually want stopped.
Figure 3. Pass and Monitor do not stop traffic. Only Block, Reset and Quarantine enforce. Sensors left on the default/monitor action are the most common reason "the IPS didn't stop it".

The companion engine is AV. In flow it stream-scans for known malware; in proxy it reassembles and scans the whole file, which is what you need for grayware and sandbox handoff. For most user traffic flow-based AV with the extreme DB is plenty.

CVE-2024-21762 — the question an L2 must not get wrong

CVE-2024-21762 is an out-of-bounds write in FortiOS sslvpnd (the SSL-VPN daemon) — unauthenticated remote code execution, CVSS 9.8, on CISA's Known Exploited Vulnerabilities list since Feb 2024. FortiGuard ships an IPS signature for it, but here's the trap: the flaw lives in the FortiGate's own SSL-VPN service. You cannot reliably IPS-protect a box from a vulnerability in its own daemon — the real fix is to patch FortiOS to a fixed build. If you can't patch immediately, disable SSL-VPN, restrict exposure, and hunt for compromise. (PSIRT advisory: FG-IR-24-015.)

FortiGate · confirm an IPS sensor is actually set to block
config ips sensor
    edit "protect-edge"
        config entries
            edit 1
                set severity high critical
                set action block
            next
        end
    next
end
# check current content/engine version
diagnose autoupdate versions | grep -A1 "IPS Attack Engine"
Expected output
IPS Attack Engine
Version: 7.x.xxx   Contract Expiry: 2026-xx-xx   Last Updated: ...
Quick check · Q3 of 10 · Analyze

An IPS sensor logs CVE-2024-21762 detections, but Sneha confirms the matching traffic still reached the server. The sensor is attached to the policy. Why didn't it stop the attack?

Correct: b. "I see alerts" ≠ "I'm protected." Monitor is detect-only. The most common FortiGate IPS mistake is leaving filters on monitor/default and assuming logs mean blocks. Set the action to block for anything you actually want stopped.

SSL deep-inspection done right — CA push, pinned certs, exemptions

Most of the airport's "bags" are now sealed — encrypted in TLS. Web Filter can still read the destination from the SNI, but IPS, AV and DLP are blind to the contents unless you open the bag. That's SSL deep-inspection — and it's a controlled man-in-the-middle.

Two modes matter. Certificate-inspection reads only the SNI/certificate — no decryption, no client trust needed, but shallow. Deep-inspection terminates TLS, decrypts, inspects, then re-signs the session with the FortiGate CA and re-encrypts to the client. For that to work, every client must trust the FortiGate CA — push it via GPO (Windows), Intune/Jamf/MDM (Mac, mobile), and a Firefox enterprise policy for the ~5% on Firefox's own trust store.

SSL deep-inspection decision tree A decision diamond asks whether the destination is a pinned or sensitive application such as banking, health, Apple or Microsoft. If yes, the path leads to exempt — bypass deep-inspection because the app rejects substituted certificates. If no, the path leads to deep-inspect, which requires the FortiGate CA to be trusted on the client; if that CA is not installed, the user sees certificate errors on every site. Should this session be deep-inspected? Pinned / sensitive app? banking · health · Apple · MS YES EXEMPT (bypass) Pinned apps reject the re-signed cert. Use ssl-exempt. NO DEEP-INSPECT Decrypt → inspect → re-sign with the FortiGate CA ⚠ Pre-condition for deep-inspect: the FortiGate CA must be trusted on the client CA not pushed → "NET::ERR_CERT_AUTHORITY_INVALID" on every HTTPS site. Push via GPO / Intune / Jamf / MDM / Firefox policy.
Figure 4. Exempt the pinned/sensitive destinations (they'll break otherwise), deep-inspect the rest — and only after the FortiGate CA is trusted everywhere.

Certificate pinning is the other half. Banking apps (HDFC, ICICI, SBI YONO), Apple services, some Microsoft activation flows and a few SaaS clients embed the expected issuer in their code. When the FortiGate substitutes its cert, they detect the mismatch and refuse to connect. You don't fight pinning — you exempt it, ideally via the FortiGuard Finance and Banking and Health and Wellness categories plus a small custom list.

FortiGate · deep-inspection profile with a category exemption
config firewall ssl-ssh-profile
    edit "deep-custom"
        set server-cert-mode re-sign
        config https
            set ports 443
            set status deep-inspection
        end
        config ssl-exempt
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
        end
    next
end
Expected output — category 31 = Finance and Banking is now bypassed
profile "deep-custom" set · ssl-exempt: 1 entry (fortiguard-category 31)
Common mistakes — the two that page you at 2am
FortiGate security profiles — one-glance cheat sheet A summary card. Top strip contrasts flow-based mode (default, fast, NPU-eligible) with proxy-based mode (deep, needed for full DLP and sandbox). Below are five profile tiles: Web Filter judges the URL category; App Control judges the L7 application; IPS pattern-matches exploits and must be set to block; AV scans files for malware; SSL deep-inspection opens encrypted traffic and needs the FortiGate CA trusted. A bottom note says deep-inspect everything except pinned and sensitive apps. FortiGate security profiles — revision card FLOW (default) Fast · in-line · NPU-eligible · most traffic PROXY (exception) Deep · buffers object · full DLP + sandbox 🌐 Web Filter URL category + override. Judges WHERE. 📱 App Control L7 app, any port. Judges WHAT. 🛡 IPS Exploit sigs. Set to BLOCK, not monitor. 🦠 Antivirus extreme/extended DB. Stream-scan in flow, full-file in proxy. 🔐 SSL deep-inspection Opens encrypted traffic. Needs FortiGate CA trusted on every client. Golden rule: flow by default · proxy only where a profile demands it Deep-inspect everything except pinned/sensitive apps (banking, health, Apple, MS) — exempt those.
Figure 5. The whole lesson on one card — flow vs proxy, the five profiles, and the two golden rules. Screenshot this for revision.

🤖 Ask the AI Tutor

Tap a question — instant, context-aware answer from this lesson. No login.

Pre-curated from Fortinet docs + the FortiGuard PSIRT. For deeper/live questions, ask at chat.techclick.in.

✍ Teach it back

In two lines, explain to a teammate why flipping a VDOM to flow-based mode can silently break DLP. Saying it in your own words is what moves it from "read" to "known".

Model answer: flow inspects bytes in-line and never reassembles the full file, so fingerprint DLP — which needs the complete object — has nothing to match and quietly stops enforcing.

Frequently Asked Questions

The FortiGate security-profile questions interviewers ask and engineers Google mid-incident.

What is the difference between flow-based and proxy-based inspection on FortiGate?

Flow-based inspects the packet stream in-line as it passes — fast, NPU-eligible, low latency, and the default. Proxy-based buffers the entire object (a file or full HTTP transaction) in FortiOS memory, reassembles it, scans the complete payload, then forwards.

Flow is right for most traffic (Web Filter, App Control, IPS, basic AV). Proxy is the exception for things that need the whole object — full DLP, sandbox handoff, some advanced AV. Expect roughly a 30–50% throughput drop on proxy policies.

When should I use proxy-based inspection instead of flow-based?

Use proxy only when a profile cannot work in flow: full DLP fingerprinting/document matching (pre-FortiOS 7.4), clean FortiSandbox submission, and certain advanced AV/grayware checks. Scope proxy to just those policies — don't switch the whole VDOM, or every flow pays the performance cost.

Why do users get certificate errors after I enable SSL deep-inspection?

Deep-inspection re-signs each site with the FortiGate CA. If that CA isn't trusted by the client, the browser treats every HTTPS site as a man-in-the-middle and shows NET::ERR_CERT_AUTHORITY_INVALID.

Fix it by pushing the FortiGate CA to every client's trust store: GPO for domain Windows, Intune/Jamf/MDM for Mac and mobile, and a separate Firefox enterprise policy (Firefox uses its own store).

Which apps break under SSL deep-inspection, and how do I fix it?

Apps that use certificate pinning — banking apps (HDFC, ICICI, SBI YONO), Apple services, some Microsoft activation flows, certain SaaS and VPN clients. They reject any substituted certificate by design, so they fail behind deep-inspection.

You don't inspect them — you exempt them. Add the FortiGuard Finance and Banking and Health and Wellness categories (plus a small custom domain list) to the SSL exemption list, evaluated above the deep-inspect rule.

What is the difference between SSL certificate-inspection and deep-inspection?

Certificate-inspection only reads the SNI and certificate fields — no decryption, no client-trust requirement, but it can't see inside the payload. Deep-inspection terminates TLS, decrypts, lets IPS/AV/DLP inspect the cleartext, then re-encrypts. Deep-inspection is the only way to inspect content in HTTPS, but it requires the FortiGate CA on every client and breaks pinned apps unless exempted.

My FortiGate IPS shows alerts but isn't blocking the attack — why?

The signature or filter action is almost certainly set to monitor (or left at a pass/monitor default). Monitor logs the match but never drops — "I see alerts" is not "I'm protected". Set the action to block (or reset / quarantine) for anything you want stopped, and confirm the sensor is applied to the correct policy and direction.

If Web Filter allows a site but App Control blocks the app, what happens?

The session is dropped. Web Filter and App Control are independent gates evaluated separately — a block in either one is final. There is no "most-permissive wins"; allowing the URL category does not override an App Control block on the application or one of its sub-functions (like a file upload).

Is a FortiGate IPS signature enough to protect against CVE-2024-21762?

No. CVE-2024-21762 is an unauthenticated RCE in FortiOS's own sslvpnd daemon (CVSS 9.8, on CISA's KEV list since February 2024). You can't reliably IPS-protect a box from a flaw in its own service — the fix is to patch FortiOS to a fixed build immediately. If patching must wait, disable SSL-VPN, restrict access, and hunt for compromise. PSIRT advisory: FG-IR-24-015.

Flow or proxy for DLP and FortiSandbox?

On FortiOS 7.0/7.2, full DLP (fingerprinting/document matching) and clean sandbox handoff need proxy-based inspection because they require the fully reassembled object. FortiOS 7.4 introduced more flow-mode DLP capability, but if you're on 7.2 and your DLP "silently stops working", the usual cause is a policy that was switched to flow mode.

📝 Check your understanding — 10 questions, 70% to pass

Q1–Q3 above already count toward your 10. Below are Q4 to Q10. Pick an answer for each, then Submit.

Q4 of 10 · Remember

Which inspection mode is the default for new policies in recent FortiOS — the one you keep unless a profile specifically needs otherwise?

Correct: b. Flow is the default and the right call most of the time — NPU-eligible, low latency. Proxy is the deliberate exception for the few profiles that can't run in flow.
Q5 of 10 · Apply

Aditya needs full content DLP with file fingerprinting plus FortiSandbox handoff for email attachments on FortiOS 7.2. Which inspection mode must those profiles use?

Correct: d. Fingerprint DLP and sandbox need the full reconstructed file, which only the proxy holds. Don't flip the whole VDOM — scope proxy-based profiles to the policies that need depth and leave the rest on flow.
Q6 of 10 · Apply

Karthik must allow YouTube for the Marketing group but cap its bandwidth, while blocking it for everyone else. Cleanest FortiGate approach?

Correct: c. App Control sees the app regardless of port and supports per-application/category shaping. Combine it with identity-based policies so Marketing gets throttled-allow and everyone else gets block — one engine, both outcomes.
Q7 of 10 · Analyze

Right after enabling SSL deep-inspection, every user gets "NET::ERR_CERT_AUTHORITY_INVALID" on all HTTPS sites. Root cause?

Correct: a. Deep-inspection is a controlled MITM. The firewall presents its own re-signed certificate, so the FortiGate CA must be a trusted root on every client. "Errors on every HTTPS site" is the classic missing-CA signature.
Q8 of 10 · Analyze

After SSL deep-inspection rollout, the HDFC mobile-banking app fails on corporate Wi-Fi while normal HTTPS browsing works fine. Why, and the fix?

Correct: b. Pinned apps (banking, Apple, some Microsoft/SaaS) refuse any substituted cert by design. You can't inspect them — you exempt them. FortiGuard's Finance and Banking category exemption covers most banks automatically.
Q9 of 10 · Evaluate

5,000 users on a FortiGate 600F: you need Web Filter, App Control, IPS and AV at line rate, plus full DLP only for the Finance VDOM. Best design?

Correct: d. The senior answer is surgical: keep the fleet on flow for speed, spend proxy's CPU budget only where a profile demands it (Finance DLP), and never blanket-disable a security engine to save CPU — that's a regression, not a fix.
Q10 of 10 · Evaluate

Post-CVE-2024-21762 (unauthenticated SSL-VPN RCE, CVSS 9.8) on a fleet of internet-facing FortiGates, the correct response is:

Correct: a. When the vulnerable service runs on the firewall itself, patching is the control — you can't reliably IPS-protect a box from a flaw in its own daemon. KEV + CVSS 9.8 + active exploitation = emergency patch window, with disable-SSL-VPN as the stopgap.
Lesson complete — score saved to your profile.
Score below 70%. Re-read the section you got wrong and retake.

Glossary — quick reference

Next up — FortiGate SSL-VPN & IPSec hardening

You've inspected the traffic. Next: secure remote access on FortiGate the right way — SSL-VPN vs IPSec, MFA, and the post-CVE-2024-21762 hardening checklist.

Sources cited inline

  1. FortiGate 7.4 Administration Guide — inspection modes & security profiles
  2. FortiGate Admin Guide — Application Control & Web Filter
  3. FortiGate Admin Guide — SSL/SSH inspection & exemptions
  4. FortiGuard PSIRT FG-IR-24-015 — CVE-2024-21762
  5. NVD — CVE-2024-21762 (CVSS 9.8, CISA KEV)
  6. Fortinet Community — flow vs proxy & DLP behaviour threads