View all questions & answers for the NSE 7 - Enterprise Firewall 7.6 Administrator Exam Materials exam


Question 35 Discussion

A physical topology along with a traffic log is shown. You are using FortiAnalyzer to monitor traffic from the device with IP address 10.0.2.51, which is located behind the FortiGate internal segmentation firewall (ISFW) device. Unified threat management (UTM) is not enabled in the firewall policy on the HQ-ISFW device, and you are surprised to see a log with the action Malware, as shown in the exhibit. What are two reasons why FortiAnalyzer would display this log? (Choose two answers)

  • A. HQ-ISFW is not connected to FortiAnalyzer and traffic must go through HQ-NGFW-1.
  • B. UTM is enabled in the firewall policy in HQ-NGFW-1.
  • C. HQ-ISFW is in a Security Fabric environment.
  • D. Security rating is enabled in HQ-ISFW.
Correct Answer: B,C

Brave-Dump Clients Votes

BC 100%

Comments



Brave-Dumps Admin 2025-09-16 21:30:42

Selected Answers: B, C


I checked pages 260 and 261 of the EFW 7.6 Study Guide and I think B and C are correct. What do you think?


Capi 2025-12-18 18:36:13

Selected Answers: B, C


I think you are right


Adam 2026-01-19 09:11:26

Selected Answers: B, C


https://docs.fortinet.com/document/fortianalyzer/7.6.5/administration-guide/767294/security-fabric-traffic-log-to-utm-log-correlation
//Security Fabric traffic log to UTM log correlation
In a Cooperative Security Fabric (CSF), the traffic log is generated by the ingress FortiGate, while UTM inspection (and subsequent logs) can occur on any of the FortiGates.
This feature adds extensions to traffic and UTM logs so that they can be correlated across different FortiGates within the same security fabric. It creates a UTM reference across CSF members and generates the missing UTM related log fields in the traffic logs as if the UTM was inspected on a single FortiGate.

In the above reference, we can see a screenshot from FortiAnalyzer where we have a UTM event with "Device Name" set to the first FortiGate in that traffic path, but in the log details we see Source -> Device Name as the upstream FortiGate that did the UTM inspection, so both are consolidated in one log.
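
The correlation described in the documentation quoted above, as an added sketch that is not part of the original thread and not FortiAnalyzer's own implementation. It assumes illustrative field names, constructed log records, no NAT between HQ-ISFW and HQ-NGFW-1, and a 5-tuple plus time-window join as a stand-in for the Fabric's actual UTM reference.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records (illustrative field names, not FortiAnalyzer's schema).
TRAFFIC_LOGS = [  # written by the ingress FortiGate, which has no UTM profile
    {"time": "2026-01-19 09:00:01", "devname": "HQ-ISFW", "srcip": "10.0.2.51",
     "srcport": 51544, "dstip": "203.0.113.10", "dstport": 80, "proto": 6},
    {"time": "2026-01-19 09:00:40", "devname": "HQ-ISFW", "srcip": "10.0.2.51",
     "srcport": 51560, "dstip": "198.51.100.7", "dstport": 443, "proto": 6},
]
UTM_LOGS = [  # written by the upstream FortiGate that performed the inspection
    {"time": "2026-01-19 09:00:02", "devname": "HQ-NGFW-1", "srcip": "10.0.2.51",
     "srcport": 51544, "dstip": "203.0.113.10", "dstport": 80, "proto": 6,
     "utmaction": "Malware"},
    # Same 5-tuple as the second flow but an hour later (port reuse): must not match.
    {"time": "2026-01-19 10:00:40", "devname": "HQ-NGFW-1", "srcip": "10.0.2.51",
     "srcport": 51560, "dstip": "198.51.100.7", "dstport": 443, "proto": 6,
     "utmaction": "Malware"},
]

def flow_key(rec):
    # Assumed join key: the unchanged 5-tuple seen by both Fabric members.
    return (rec["srcip"], rec["srcport"], rec["dstip"], rec["dstport"], rec["proto"])

def correlate(traffic_logs, utm_logs, window=timedelta(seconds=30)):
    """Annotate each traffic log with the UTM verdict any Fabric member logged for that flow."""
    by_flow = {}
    for u in utm_logs:
        by_flow.setdefault(flow_key(u), []).append(u)
    merged = []
    for t in traffic_logs:
        row = dict(t, utmaction=None, utm_device=None)
        t_time = datetime.strptime(t["time"], FMT)
        for u in by_flow.get(flow_key(t), []):
            if abs(datetime.strptime(u["time"], FMT) - t_time) <= window:
                row.update(utmaction=u["utmaction"], utm_device=u["devname"])
                break
        merged.append(row)
    return merged

if __name__ == "__main__":
    for row in correlate(TRAFFIC_LOGS, UTM_LOGS):
        print(row["devname"], row["dstip"], row["utmaction"], "inspected by", row["utm_device"])
```

The first merged row keeps HQ-ISFW as the logging device while carrying the verdict from HQ-NGFW-1, which is the situation the question describes.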