Application Control is the FortiGate feature designed to identify and control applications using signatures from the FortiGuard service. It leverages the Intrusion Prevention System (IPS) engine and its protocol decoders to analyze network traffic patterns and accurately detect thousands of applications, including those that are not web-based (non-URL). By configuring an Application Control profile and applying it to a firewall policy, an administrator can explicitly block specific applications or categories of applications, thereby controlling traffic based on its application signature and behavior.

A. DNS filter operates by inspecting Domain Name System (DNS) requests and blocking access based on domain ratings and categories, not by using IPS protocol decoders for general application signatures.

C. SD-WAN rules use application detection to make intelligent routing and path selection decisions, not primarily to block traffic as a security enforcement action.

D. Web filter is used to control access to web traffic (HTTP/HTTPS) based on URLs and content categories, not for identifying and blocking the wide range of non-web applications that Application Control handles.

1. Fortinet FortiOS 7.4.0 Administration Guide

Security Profiles > Application Control

Page 1018: "Application control uses IPS protocol decoders to identify the applications that generate network traffic. It can be used to create policies that allow

deny

or restrict access to applications." This statement directly links Application Control with IPS decoders for the purpose of controlling applications.

2. Fortinet FortiOS 7.4.0 Administration Guide

Security Profiles > Intrusion Prevention

Page 1001: "The IPS engine also provides the application detection that powers the application control feature." This confirms that the underlying technology for application detection

which involves analyzing transmission patterns and signatures

is the IPS engine.

The command output provides two key statements that directly support the correct answers. First, the lines "It is an area border router" and "Number of areas in this router is 2" explicitly confirm that the FortiGate device is connected to more than one OSPF area. Second, the line "It is an autonomous system boundary router" indicates that the FortiGate is configured to redistribute routes from an external routing protocol or static routes into the OSPF autonomous system, thereby injecting external routing information.

A. The output does not contain information about the Designated Router (DR) or Backup Designated Router (BDR) status, which is specific to an interface and not the overall OSPF process.

D. The provided output is a summary of the OSPF process status and does not include details about the Equal-Cost Multi-Path (ECMP) configuration.

1. FortiOS Administration Guide 7.0.0

Page 1030

"OSPF router types". This section defines an Area Border Router (ABR) as a router with interfaces in more than one area. It also defines an Autonomous System Boundary Router (ASBR) as a router that connects the OSPF network to a non-OSPF network (an external autonomous system) and injects external routes. The exhibit's output directly identifies the FortiGate as both an ABR and an ASBR.

2. FortiGate CLI Reference 7.0.0

Page 1598

get router info ospf status. The documentation for this command confirms that the output fields "It is an area border router" and "It is an autonomous system boundary router" are displayed to indicate the router's configured OSPF roles. This directly validates the interpretation of the exhibit.

The Fortinet Internet Service Database (ISDB) is a feature that simplifies firewall policy creation by grouping all IP addresses, protocols, and port numbers associated with a specific internet service (like Microsoft 365 or Google Services). FortiGuard Labs continuously maintains and updates this database, which the FortiGate downloads. When an ISDB object is used in a firewall policy with a 'deny' action, the FortiGate blocks traffic at OSI Layers 3 (IP addresses) and 4 (TCP/UDP ports) that matches the entries in the database for that specific service. This provides an efficient way to control access without manually tracking all of a service's network endpoints.

C. The ISDB is a database of network endpoints, not an inspection mode. It can be used in firewall policies operating in either flow or proxy mode; it is not exclusive to proxy mode.

D. Limiting access by URL and domain is a Layer 7 function performed by the Web Filter security profile, not the ISDB, which operates primarily at Layers 3 and 4.

1. FortiOS 7.4.0 Administration Guide

Page 1010

Section: Internet Service Database.

"The FortiGuard Internet Service Database is a comprehensive

up-to-date list of all public IP addresses used by popular internet services... Each Internet Service can contain multiple entries

and each entry consists of an IP address or range

and a protocol and port number." This statement directly supports options A and B by defining the ISDB as a list of IPs and ports provided by FortiGuard.

2. FortiOS 7.4.0 Administration Guide

Page 1011

Section: Internet Service Database.

"When an Internet Service is selected as the source or destination in a firewall policy

traffic matching any of the IP addresses and port numbers in the service will have the policy's action applied to it." This confirms that the ISDB's mechanism is to match and block (or allow) based on the predefined IP addresses and ports (Layers 3 and 4).

3. FortiOS 7.4.0 Administration Guide

Page 1178

Section: Web filter.

"The web filter security profile can inspect HTTP

HTTPS

and FTP traffic... You can configure the web filter profile to block or allow access to web sites by matching their URLs against lists of URLs..." This clearly distinguishes the function of Web Filtering (URL/domain-based) from the ISDB (IP/port-based)

invalidating option D.

To establish an eBGP session using loopback interfaces, two specific configurations are required. First, the update-source command must be used to change the source IP address of the BGP packets from the physical egress interface to the loopback interface's IP address.

Second, by default, eBGP peers are expected to be directly connected (TTL=1), a rule enforced by ebgp-enforce-multihop. Since loopback interfaces are not physically connected, this enforcement must be disabled (set ebgp-enforce-multihop disable) to allow the BGP session to establish between these non-adjacent IP addresses.

ibgp-enforce-multihop: This command applies to internal BGP (iBGP) sessions within the same autonomous system, not to an external (eBGP) session with an ISP.

recursive-next-hop: This setting relates to the resolution of the next-hop attribute in BGP route advertisements, not the establishment of the BGP peering session itself.

1. FortiOS 7.6.0 CLI Reference

config router bgp section

page 1789.

update-source : "Enable/disable use of the interface as the source IP address of BGP connections." This confirms the need to specify the loopback interface.

ebgp-enforce-multihop {enable | disable}: "Enable/disable enforcement of single-hop for EBGP neighbors." The default is enable. This confirms the need to disable this setting for loopback peering.

2. Fortinet Cookbook

"eBGP configuration using loopback interfaces" recipe.

This guide explicitly details the configuration steps for establishing an eBGP session using loopback interfaces

stating: "On both routers

it is necessary to configure set update-source to use the loopback interface as the source of the BGP traffic

and set ebgp-multihop enable [or set ebgp-enforce-multihop disable in modern FortiOS] because the peer is not directly connected."

The exhibit shows a FortiGate connected to a pair of FortiSwitch devices using a single logical interface. This topology represents a Multi-Chassis Link Aggregation (MCLAG) configuration, which provides link and device redundancy.

To connect to an MCLAG peer group, the FortiGate must use a Link Aggregation Group (LAG) interface, which is standardized as IEEE 802.3ad. This bundles the physical links to each switch into one logical interface.

This integrated deployment is managed using FortiLink, where the 802.3ad aggregate interface on the FortiGate is configured as the FortiLink interface. This allows the FortiGate to act as the switch controller, centrally managing the FortiSwitch units and provisioning VLANs across the switched network.

A. MCLAG is specifically designed to provide a loop-free, active-active topology, making Spanning Tree Protocol (STP) on the aggregate links unnecessary.

D. SD-WAN is a feature for aggregating and managing multiple Wide Area Network (WAN) links for internet and private network access, not for LAN-side switch connectivity.

1. FortiSwitch—Managed by FortiOS 7.4.0

Administration Guide

Page 51

Section: "FortiLink split interface and MCLAG".

The documentation states: "On the FortiGate unit

you create an 802.3ad aggregate interface with at least two member interfaces." This directly supports that an 802.3ad interface type is required (Answer B).

The same section describes this exact topology as a FortiLink configuration for managing an MCLAG peer group

which includes VLAN management (Answer C).

2. FortiSwitchOS 7.4.0

Administration Guide

Page 183

Section: "Configuring MCLAG".

The guide explains: "MCLAG provides Layer-2 redundancy by preventing the spanning-tree protocol (STP) from blocking the redundant links between the MCLAG peer group and the client network device." This confirms that STP is not the required loop-prevention mechanism (Refutes Answer A).

3. FortiOS 7.4.0

Administration Guide

Page 1789

Section: "SD-WAN".

The guide defines SD-WAN: "SD-WAN simplifies the management of multiple WAN connections...". This confirms SD-WAN is a WAN technology

not used for LAN switch connections (Refutes Answer D).