Exam FCP_FGT_AD-7.4 Topic 2 Question 1 Discussion
Actual exam question for Fortinet's FCP_FGT_AD-7.4 exam
Question #: 1
Topic #: 2
Question #: 1
Topic #: 2
Refer to the exhibits.
The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
The exhibits show a firewall policy (Exhibit A) and an antivirus profile (Exhibit B).
Why is the user unable to receive a block replacement message when downloading an infected file for the first time?
Suggested Answer: D Vote an answer
The flow-based inspection is used, which resets the last packet to the user.
Key to right answer is "unable to receive a block replacement message when downloading an infected file for the first time".
* "ONLY" If the virus is detected at the "START" of the connection, the IPS engine sends the block replacement message immediately
* When a virus is detected on a TCP session (FIRST TIME), but where "SOME PACKETS" have been already forwarded to the receiver, FortiGate "resets the connection" and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that if a "SECOND ATTEMPT" to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
Two possible scenarios can occur when a virus is detected:
- When a virus is detected on a TCP session where some packets have been already forwarded to the receiver, FG resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that IF A SECOND ATTEMPT TO TRANSMIT THE FILE IS MADE, THE IPS ENGINE WILL SEND A BLOCK REPLACEMENT MESSAGE to the client instead of scanning the file again.
- If the virus is detected at the start of the connection, the IPS engine sends the block replacement message immediately.
In flow based inspection, when a virus is detected on a TCP session where some packets have been already forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
Key to right answer is "unable to receive a block replacement message when downloading an infected file for the first time".
* "ONLY" If the virus is detected at the "START" of the connection, the IPS engine sends the block replacement message immediately
* When a virus is detected on a TCP session (FIRST TIME), but where "SOME PACKETS" have been already forwarded to the receiver, FortiGate "resets the connection" and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that if a "SECOND ATTEMPT" to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
Two possible scenarios can occur when a virus is detected:
- When a virus is detected on a TCP session where some packets have been already forwarded to the receiver, FG resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that IF A SECOND ATTEMPT TO TRANSMIT THE FILE IS MADE, THE IPS ENGINE WILL SEND A BLOCK REPLACEMENT MESSAGE to the client instead of scanning the file again.
- If the virus is detected at the start of the connection, the IPS engine sends the block replacement message immediately.
In flow based inspection, when a virus is detected on a TCP session where some packets have been already forwarded to the receiver, FortiGate resets the connection and does not send the last piece of the file. Although the receiver got most of the file content, the file has been truncated and therefore, can't be opened. The IPS engine also caches the URL of the infected file, so that if a second attempt to transmit the file is made, the IPS engine will then send a block replacement message to the client instead of scanning the file again.
by Susie at Apr 03, 2025, 08:33 PM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).