FCP_FSA_AD-5.0 FCP - FortiSandbox 5.0 Administrator Question and Answers

From the Deployment and System Settings lesson, the Study Guide explicitly states what SIMNET cannot do with real traffic:

" When the malware attempts to download a file, FortiSandbox provides a fake download package. This allows the downloader to successfully execute; however, FortiSandbox cannot run its antivirus inspection on the file. "

" If the malware creates a callback connection to an IP, FortiSandbox cannot rate the IP, to determine if it ' s a botnet server. "

This confirms:

Option A (AV inspection) — Cannot be performed because SIMNET provides fake download packages, preventing real antivirus scanning

Option C (IP reputation) — Cannot be performed because SIMNET uses internal IPs for DNS responses, making IP reputation lookups meaningless against real botnet databases

Dynamic scan and URL rating can still occur inside the sandbox even without real internet access.

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" FortiSandbox allows you to modify the number of CPUs and memory assigned to a custom VM. This feature is supported on hardware models and private cloud VMs. "

Hardware models = Device-based (Option C)

Private cloud VMs = Private cloud (Option A)

Azure non-nested mode and FortiSandbox Cloud do not support custom VM creation as per the Study Guide.

The FortiClient EMS Integration section is explicit on this point. It says: “You must include the sandbox profile in the active endpoint policy.” It then explains how off-fabric handling works: “FortiClient on-fabric detection rules configured within the policy will classify endpoints as on-fabric or off-fabric. The Profile (Off-Fabric) setting allows you to select a second profile to be applied to endpoints when they are determined to be off-fabric.”

This means the control point for applying FortiSandbox-related behavior to off-fabric endpoints is the endpoint policy , not the fabric connector, not a workgroup, and not the sandbox profile by itself. The sandbox profile defines FortiSandbox behavior, but it must be attached through the active endpoint policy, where the Off-Fabric profile selection is made. Therefore, the correct answer is C. As part of the endpoint policy configuration .

From the Deployment and System Settings lesson, the Study Guide states:

" Other ports, with the exception of port3, can also be configured as management ports from CLI. "

" You can set additional ports as management port using the CLI command shown on this slide. "

From the Lab Guide (Exercise 4 - Using Inline Scanning) :

" FortiGate and FortiSandbox communicate through port 4443. Management or API ports grant access through port 4443. "

" Enter the following command to enable API access on port2: set api-port port2 "

Ports that are designated as either administration interfaces or API interfaces cannot be selected for 802.3ad aggregate bonding because:

Option A — Port 4 configured as an administration interface is reserved for management traffic and cannot be repurposed for link aggregation

Option C — Port 4 configured as an API interface is dedicated for API communication (port 4443) and is similarly restricted from being used in aggregate bonding configurations

Port 4 in the Lab Guide is specifically referenced as the HA communication and management port, confirming these restrictions apply when special roles are assigned to interfaces.

From the Attack Methodologies lesson, the Study Guide explicitly states:

" During the lateral movement stage, the attacker is trying to compromise and infect other computers in the network. If these computers are protected with FortiClient, FortiClient can send any file that the computer downloads, to FortiSandbox for analysis. "

" FortiDeceptor creates a network of decoys, to lure attackers and monitor their activities on the network. When attackers attack a decoy, an alert is generated. FortiDeceptor engages FortiSandBox to get a verdict on the suspected malware. "

" If you deploy FortiGate as an ISFW firewall, FortiGate can analyze the traffic moving across subnets and send any files to FortiSandbox for analysis to prevent propagation. "

Both FortiDeceptor (Option B) and FortiGate (Option D) are specifically identified as protecting against the lateral movement stage through their FortiSandbox integration.

From the FortiGate Integration lesson, the Study Guide explicitly states:

" The quarantine daemon is involved in submitting files to FortiSandbox. "

" The quarantine daemon also receives the verdicts returned by FortiSandbox. "

" The quarantine daemon is responsible for sending requests for the dynamic lists generated by FortiSandbox. This includes the malware package, URL package, and the extension lists. "

From the Lab Guide (Exercise 3 - Using FortiGate Diagnostics):

" Enter the following commands to enable debugging for the quarantine daemon: diagnose debug application quarantine -1 "

The quarantined daemon (Option B) handles both file submissions to FortiSandbox AND receives verdicts back from FortiSandbox in real time, making it the correct daemon to monitor for verdict reception verification.

From the FortiGate Integration lesson, the Study Guide explicitly states:

" The quarantine daemon is involved in submitting files to FortiSandbox. "

From the Lab Guide (Exercise 3 - Using FortiGate Diagnostics) , the following is explicitly documented:

" Enter the following commands to enable debugging for the quarantine daemon: diagnose debug application quarantine -1 diagnose debug enable "

" Use the following CLI debug command to diagnose the connection and file transfer issue between HQ-FGT-1 and HQ-FSA-1: diagnose debug application quarantine -1 "

This command enables real-time debug output for the quarantine daemon on FortiGate, which is specifically responsible for submitting files to FortiSandbox and receiving verdicts. Option B clears the analytics cache rather than providing diagnostic information, and the other options relate to different functions entirely.

From the FortiClient EMS Integration lesson, the Study Guide states that FortiSandbox and FortiClient EMS integration helps break the kill chain by monitoring all downloads, removable media, mapped network drives, and email client file downloads — intercepting threats at the Delivery stage before they can execute on the endpoint.

Additionally, from the Attack Methodologies section: " When a USB is attached to a host protected with FortiClient, FortiClient can send the files on the USB drive to FortiSandbox for analysis, before allowing the user access to the files " — further confirming the Delivery stage focus.

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" VM images are downloaded from FortiGuard, using port1. So, you must ensure FortiSandbox has a default route and internet connectivity for port1. "

The exhibit confirms this — the test-network output shows:

System DNS resolve: Failed for both bing.com and fsavm.fortinet.net

fsavm.fortinet.net is the FortiGuard VM image download server

This DNS failure on the system side (port1) confirms there is no internet connectivity on port1 , preventing VM image downloads. Note that port3 internet shows " Warning: VM to access internet: Disabled " — but port3 is only for VM sandboxing traffic, not for downloading VM images.