Fortinet FCP_FSA_AD-5.0 Dumps

The FortiClient EMS Integration section is explicit on this point. It says: “You must include the sandbox profile in the active endpoint policy.” It then explains how off-fabric handling works: “FortiClient on-fabric detection rules configured within the policy will classify endpoints as on-fabric or off-fabric. The Profile (Off-Fabric) setting allows you to select a second profile to be applied to endpoints when they are determined to be off-fabric.”

This means the control point for applying FortiSandbox-related behavior to off-fabric endpoints is the endpoint policy , not the fabric connector, not a workgroup, and not the sandbox profile by itself. The sandbox profile defines FortiSandbox behavior, but it must be attached through the active endpoint policy, where the Off-Fabric profile selection is made. Therefore, the correct answer is C. As part of the endpoint policy configuration .

The correct answer is B. 50 seconds . The Study Guide explicitly states: “FortiGate holds the file while waiting for a verdict from FortiSandbox… The default file inspection timeout, and maximum, is 50 seconds.” This is the clearest direct statement for the default timeout used with inline scanning mode on FortiGate.

The Lab Guide confirms the same design limit from the operational side. During the inline scanning exercise, it notes: “Because of the inline scanning time-out limit (maximum of 50 seconds), it ' s not recommended to submit files for VM inspection.” That reinforces that inline scanning is designed for quick decision phases such as active content, community cloud, antivirus, and static analysis, not long VM dynamic analysis jobs. Therefore, options A, C, and D are incorrect because they are far above the documented inline inspection limit. The default FortiGate inline scanning timeout is 50 seconds .

The best answer is B. enable Pipeline Mode . The FortiSandbox 5.0 Administrator Study Guide states: “The Pipeline Mode feature improves performance by allowing to scan multiple files, one at a time, without shutting down the VM instance after scanning each file.” It further explains that “FortiSandbox will continue scanning files without shutting down the VM instance, as long as the VM status hasn’t changed.” This directly improves the throughput of dynamic VM-based scanning , which is exactly what the question asks for.

The other options do not fit as well. Option A would reduce waiting time for users, but it lowers security because files could be accessed before a sandbox verdict is returned; the EMS lab profile intentionally enables “Wait for FortiSandbox Results before Allowing File Access” with a Low detection level to maintain strong protection. Option C also weakens security by making remediation apply only when the verdict “equals or exceeds the selected FortiSandbox Detection Verdict Level,” so raising it to Medium would ignore Low-risk detections. Option D enables prefiltering logic, which can reduce submissions, but it does not directly accelerate jobs that already require dynamic scanning. Therefore, Pipeline Mode is the only choice that both preserves a high security level and speeds dynamic scan processing.

The best answer is B . The Study Guide explains that under VM settings, “FortiSandbox has a Browser selection that allows you to choose which internet browser the VM instance will use. This helps to customize the test using an internet browser that more closely resembles the user’s environment or just monitor if the test delivers different results.” It also states that the default browser choices are Internet Explorer, Firefox, Chrome, and Edge . In addition, the guide says that “The VM images provided by Fortinet might not suit your needs… You can generate a custom VM that fits your organization’s needs and upload it to FortiSandbox.”

Because only endpoints using Opera are affected, the clean verdict likely occurred because the sandbox environment does not accurately reproduce the exploited browser environment. The most effective fix is to make the sandbox environment match the real target environment more closely by using a custom VM with the same browser behavior as the affected endpoints. The other answers do not address the root cause. STIX/TAXII is unrelated, changing the scan profile file type does not solve a browser-specific exploit path, and job queue priority affects order, not analysis fidelity. Therefore, the required action is to configure a custom VM to use the same browser as the exploited end stations .

The Study Guide states that in an HA cluster, “As well as normal scanning duties, the primary node also manages the cluster, distributes jobs, and gathers the verdicts.” It also says that “The worker nodes provide load balancing. The primary node distributes scan jobs to the worker nodes.”

From those official statements, the primary node is not just a coordinator. It also performs normal scanning duties itself, while distributing scan jobs across worker nodes for load balancing. That rules out A, because the secondary node is for failover, not normal job distribution. It rules out C, because the primary is not restricted to itself only. It also rules out D, because the primary can still perform scanning duties and is not limited to sending all jobs only to workers. Therefore, when the primary receives MTA jobs, the correct behavior is that it distributes the MTA jobs to itself or to worker nodes .

From the FortiGate Integration lesson, the Study Guide explicitly states:

" The quarantine daemon is involved in submitting files to FortiSandbox. "

From the Lab Guide (Exercise 3 - Using FortiGate Diagnostics) , the following is explicitly documented:

" Enter the following commands to enable debugging for the quarantine daemon: diagnose debug application quarantine -1 diagnose debug enable "

" Use the following CLI debug command to diagnose the connection and file transfer issue between HQ-FGT-1 and HQ-FSA-1: diagnose debug application quarantine -1 "

This command enables real-time debug output for the quarantine daemon on FortiGate, which is specifically responsible for submitting files to FortiSandbox and receiving verdicts. Option B clears the analytics cache rather than providing diagnostic information, and the other options relate to different functions entirely.

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" The rating engine analyzes the tracer engine ' s information. " — confirms Option E

" FortiSandbox checks connection attempts to any URLs against the FortiGuard web filtering database. FortiSandbox submits hashes of files generated during sandbox analysis to the Sandbox Community Cloud to check for existing verdicts. Additionally, it compares these file hashes against the FortiGuard Cloud-Based Threat Intelligence database. " — confirms Option B

" After analysis is complete, the rating engine generates a verdict. " — confirms Option D

" Finally, the rating engine generates a report containing all details collected by the tracer engine. "

Option A is incorrect as the rating engine does not rate third-party device effectiveness. Option C is incorrect — verdict sharing is done by the FortiSandbox system through malware/URL packages, not specifically by the rating engine component.

The exhibit labels 10.25.1.50 as the cluster virtual IP address . The Study Guide explains that in HA configuration, “You must configure the HA group name, password, and the virtual IP only on the primary node.” It also says: “You must also configure an external interface for external communication and an IP address that will be used as a virtual IP for the whole cluster. Devices will interact with the cluster using this virtual IP.”

That is why the command for the primary node must point to the cluster virtual IP , not to the individual port1 addresses of the primary, secondary, or upstream firewall. In the exhibit, 10.25.1.30 is the primary node’s own port1 IP, 10.25.1.40 is the secondary node’s port1 IP, and 10.25.1.254 is the network device. The only address that matches the required cluster virtual IP is 10.25.1.50 , so the correct command is hc-settings -si iport1 -a10.25.1.50 .

The exhibit summary says the file was “flagged by the PAIX engine” and describes it as “high-risk behavior.” The lab guide also states for a similar file analysis scenario: “The PAIX engine detected potentially malicious activity… The overall assessment is that there is a high likelihood of malicious activity.” In addition, the FortiGate integration lab explains that “FortiSandbox identified the fsa_dropper.exe file as high risk… because the advanced AI engine was able to detect malicious behaviour… at the static scan phase.” These extracts confirm that the advanced AI / PAIX engine identified the threat , so A is true .

Option D is not supported. The study guide distinguishes high risk from malicious and explains that high risk is a suspicious threat-level rating, not the same as a malicious verdict. It states that FortiSandbox groups results into ratings such as high risk, medium risk, low risk, clean, and malicious , and defines high-risk separately as a serious suspicious rating. Since the exhibit explicitly refers to high-risk behavior , not a malicious verdict, D is false as written . The duplicated B/C options are also not proven by the exhibit text provided.

If your original source intended D to say “The analysis resulted in a high-risk verdict” instead of malicious verdict , then the correct pair would be A and D .

From the Deployment and System Settings lesson, the Study Guide explicitly states:

" The status command shows information about the system, including firmware level, device serial number, disk usage, Windows VM status, states of the boot and data disks, and more. For VM appliances, it will also show the FortiSandbox license status. "

The key phrase is " For VM appliances, it will also show the FortiSandbox license status " — making the status command the correct choice for verifying license validity on a FortiSandbox VM deployment.

While vm-license -l shows installed Windows/Microsoft Office license keys, and vm-status shows guest VM image information, neither directly reports on the FortiSandbox appliance license validity. The status command is the definitive command for checking overall system and license status.

The Study Guide states that HA is configured from the CLI and that “the main HA cluster CLI commands are hc-settings, hc-slave, and hc-status” . It also explains that “You use the hc-settings command and options to configure the main HA settings… node alias, group name, group password, and the HA interface.” The same HA section further says that the primary and secondary nodes must have a dedicated HA communication interface, and specifically notes that “port4 in this example” is the HA interface between them.

On the primary-node example configuration shown on page 137 of the uploaded study guide, the command uses -tM for the primary node with -iport4 for the HA interface. That directly matches option D . The other options use different node-type flags and do not correspond to the primary-node example. Therefore, the correct command is hc-settings -sc -tM -nPrimaryNode -cFSAGrp -p < password > -iport4 .

The uploaded FortiSandbox 5.0 Administrator Study Guide states that each VDOM is handled independently by FortiSandbox, not under the root VDOM’s authorization. It explicitly explains that “each VDOM is treated as a separate input device on FortiSandbox” and that each device must be authorized before FortiSandbox will process its submissions. It further adds that only when auto-authorization is enabled will FortiSandbox automatically authorize VDOMs as files are submitted.

Therefore, the new VDOM does not inherit the root VDOM’s authorized state. Since the question does not say that auto-authorization is enabled, FortiSandbox will not automatically trust or process that new VDOM as if it were already approved. This eliminates A and C. Option D is incorrect because the issue is not that the administrator must manually configure the VDOM on FortiSandbox; the study guide specifically identifies authorization as the required control. For that reason, B is the best answer: the new VDOM must be manually authorized before its submitted files are inspected.