View all questions & answers for the NSE 7 - Enterprise Firewall 7.6 Administrator Exam Materials exam


Question 38 Discussion

An organization’s guest internet policy, operating in proxy mode, blocks access to artificial intelligence technology sites using FortiGuard. However, a guest user accessed a page in this category using port 8443. Which configuration change must you make for FortiGate to analyze HTTPS traffic on nonstandard ports like 8443, when full SSL inspection is active in the guest policy? (Choose one answer)

  • A. Enable network protocol enforcement for port 8443 with the protocol HTTPS in FortiGuard application control.
  • B. Enter 443, 8443 to analyze both standard (443) and non-standard (8443) HTTPS ports in the protocol port mapping section of the SSL/SSH inspection profile.
  • C. Block untrusted SSL certificates in the SSL/SSH inspection profile.
  • D. Block traffic on nonstandard ports by enabling server certificate SNI check in the SSL/SSH inspection profile.
Correct Answer: B

Brave-Dump Clients Votes

B 100%

Comments



Hasan Ahmed 2025-11-27 17:35:19

Selected Answers: B


Correct answer is B

When using the FortiGate in proxy inspection mode with full SSL inspection, the device only inspects traffic on specific ports defined within the SSL/SSH Inspection profile by default.

By default, FortiGate is configured to look for HTTPS traffic only on the standard port 443.
To force the FortiGate to apply SSL inspection (and subsequent security policies like FortiGuard web filtering) to HTTPS traffic arriving on non-standard ports like 8443, you must explicitly add that port to the list of "Protocol Port Mapping" within the relevant SSL inspection profile.
The FortiGate will then correctly identify the traffic as HTTPS, perform the full SSL inspection (decrypting and inspecting the content), and subsequently apply the FortiGuard web filtering policies that block AI websites.


Adam 2026-01-19 10:05:48

Selected Answers: B


Protocol port mapping can be enabled with an outbound policy only if the following conditions are met: SSL inspection must be activated for multiple clients connecting to multiple servers, full SSL inspection must be employed, and the appropriate protocol port-mapping settings must be configured. Additionally, protocol port mapping is applicable only to proxy-based inspections, while flow-based inspections assess all ports, regardless of protocol port-mapping settings.
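
Added example, not part of the question or of any comment above: a Python audit of a FortiGate configuration backup that lists the deep-inspection SSL/SSH profiles whose HTTPS port mapping omits a given port such as 8443. The sample configuration and profile names are constructed, and the parser assumes the `config https` / `set ports` / `set status` layout under `config firewall ssl-ssh-profile`; profiles without an explicit `set status` line are not reported.

```python
import re

DEFAULT_HTTPS_PORTS = {443}  # used when a profile has no "set ports" line (default named above)
# Constructed sample in FortiOS backup style; profile names are hypothetical.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "guest-deep"
        config https
            set status deep-inspection
        end
    next
    edit "guest-deep-8443"
        config https
            set ports 443 8443
            set status deep-inspection
        end
    next
    edit "guest-cert-only"
        config https
            set status certificate-inspection
        end
    next
end
"""

def https_settings(config_text):
    """Map each ssl-ssh-profile name to its HTTPS ports and inspection status."""
    profiles, stack, current = {}, [], None
    for line in map(str.strip, config_text.splitlines()):
        in_profiles = stack[:1] == ["firewall ssl-ssh-profile"]
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and len(stack) == 1 and in_profiles:
            current = line[len("edit "):].strip('"')
            profiles[current] = {"ports": set(DEFAULT_HTTPS_PORTS), "status": None}
        elif current and stack[1:] == ["https"] and in_profiles:
            m = re.fullmatch(r"set (ports|status) (.+)", line)
            if m and m.group(1) == "ports":
                profiles[current]["ports"] = {int(p) for p in m.group(2).split()}
            elif m:
                profiles[current]["status"] = m.group(2)
    return profiles

def profiles_missing_port(config_text, port):
    """Names of deep-inspection profiles whose HTTPS port mapping omits `port`."""
    return sorted(name for name, s in https_settings(config_text).items()
                  if s["status"] == "deep-inspection" and port not in s["ports"])
```

Calling `profiles_missing_port(SAMPLE_CONFIG, 8443)` on the constructed sample returns only `guest-deep`, the profile left on the default port mapping.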