Fortinet FCP_FSA_AD-5.0 FCP - FortiSandbox 5.0 Administrator Exam Practice Test

The uploaded FortiSandbox 5.0 Administrator Study Guide states that each VDOM is handled independently by FortiSandbox, not under the root VDOM’s authorization. It explicitly explains that “each VDOM is treated as a separate input device on FortiSandbox” and that each device must be authorized before FortiSandbox will process its submissions. It further adds that only when auto-authorization is enabled will FortiSandbox automatically authorize VDOMs as files are submitted.

Therefore, the new VDOM does not inherit the root VDOM’s authorized state. Since the question does not say that auto-authorization is enabled, FortiSandbox will not automatically trust or process that new VDOM as if it were already approved. This eliminates A and C. Option D is incorrect because the issue is not that the administrator must manually configure the VDOM on FortiSandbox; the study guide specifically identifies authorization as the required control. For that reason, B is the best answer: the new VDOM must be manually authorized before its submitted files are inspected.

From the Deployment and System Settings lesson, the Study Guide states:

" You can submit emails from an upstream MTA server to FortiSandbox using a BCC adapter. FortiSandbox will extract attachment files and URLs in an email body. "

For a BCC adapter to function correctly, two critical prerequisites must be in place:

Option C — The upstream SEG must be configured to BCC emails to a FortiSandbox sub-domain so that email copies are routed to FortiSandbox for analysis

Option D — An MX record must be added to the DNS server for the BCC email sub-domain, so that the sub-domain resolves to the FortiSandbox IP address, allowing the SEG to properly deliver BCC email copies

Option A is incorrect because the BCC adapter handles full email inspection — FortiSandbox itself extracts files and URLs rather than the SEG doing this. Option B is incorrect because an MX record (not just an A record) is the required DNS configuration for email routing.

The Results Analysis section gives direct malware-type definitions. It says: “A downloader attempts to download malicious content from a remote system” , “A dropper installs malicious content” , “A trojan appears to be a legitimate software application” , and most importantly, “A rootkit attempts to hide its components by replacing valid system files.”

That exact wording matches the question statement about malware attempting to replace vital system executables . Replacing valid system files is classic rootkit behavior because the purpose is concealment and persistence by hiding malicious components behind trusted operating-system files. A dropper’s main role is delivering payloads. A trojan is mainly deceptive software that appears legitimate. An exploit takes advantage of a vulnerability. None of those definitions match the described behavior as precisely as the rootkit definition in the Study Guide. Therefore, the malware type being observed is Rootkit .

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" The second section of the Scan Profile, VM Association, allows you to define file extensions and VM image associations. This means that specific files are sandboxed by the associated VM image. To assign a file to a VM image, the following conditions must be true:

The file type must be configured to enter the job queue (first section of the scan profile).

The VM image clone value cannot be a non-zero number. "

This directly confirms:

Option B — The VM image clone value must be a non-zero number (clones must be allocated)

Option C — The file type must be configured to enter the job queue via the scan profile Pre-Filter section

Options A and D, while potentially relevant in practice, are not listed as the two required conditions in the Study Guide.

From the Deployment and System Settings lesson, the Study Guide explicitly states:

" The status command shows information about the system, including firmware level, device serial number, disk usage, Windows VM status, states of the boot and data disks, and more. For VM appliances, it will also show the FortiSandbox license status. "

The key phrase is " For VM appliances, it will also show the FortiSandbox license status " — making the status command the correct choice for verifying license validity on a FortiSandbox VM deployment.

While vm-license -l shows installed Windows/Microsoft Office license keys, and vm-status shows guest VM image information, neither directly reports on the FortiSandbox appliance license validity. The status command is the definitive command for checking overall system and license status.

The exhibit shows the Connectivity and Services widget with VM Internet = GRAY (disabled) while Web Filter = GREEN (enabled) and Tracer/Rating = GREEN (enabled) .

Since VM Internet access is disabled (SIMNET mode), the Study Guide explicitly states what CANNOT be performed:

" When the malware does a DNS query, FortiSandbox responds with an internal IP address. Performing an IP reputation lookup on an internal IP would be meaningless. " — eliminates Option A

" When the malware attempts to download a file, FortiSandbox provides a fake download package. This allows the downloader to successfully execute; however, FortiSandbox cannot run its antivirus inspection on the file. " — eliminates Option B

" If the malware creates a callback connection to an IP, FortiSandbox cannot rate the IP, to determine if it ' s a botnet server. "

However, the Study Guide confirms URL rating CAN still be performed:

" FortiSandbox checks connection attempts to any URLs against the FortiGuard web filtering database. "

" Similarly, FortiSandbox assesses all IP connection attempts against the FortiGuard IP rating database to identify known command-and-control (C & C) servers. "

Since the Web Filter service is GREEN (active) , FortiSandbox can still:

Option C — Perform URL rating on HTTP GET requests using the FortiGuard web filtering database

Option D — Perform URL rating on FQDN seen in DNS requests using the FortiGuard web filtering database

These URL rating inspections use FortiSandbox ' s own internet connectivity (port1) to query FortiGuard, independent of the VM internet access status on port3.

The correct answer is C. cleandb . The FortiSandbox 5.0 Administrator Study Guide explicitly states: “The cleandb command will erase all stored data in the FortiSandbox database and reboot the system.” This directly matches the scenario, because the issue is that FortiSandbox contains many obsolete samples and related stored analysis data that are no longer needed. Removing those database contents is exactly what cleandb is designed to do.

The other options do not fit this requirement. The same study guide section says “The log-purge command will remove all system logs,” which affects logs only, not the stored sample database. It also says “The fsck-storage command will check the integrity of the hard disks and repair them if any issues are discovered,” which is for disk integrity troubleshooting, not cleanup of obsolete samples. A factory reset would be far more destructive and is not the stated maintenance tool for this issue. Therefore, cleandb is the correct CLI remediation tool.

The Study Guide is explicit about the FortiMail–FortiSandbox workflow. It states: “On top of file submissions, FortiMail can also submit extracted URLs from emails to FortiSandbox for inspection. FortiMail queues the email while waiting for a verdict. FortiSandbox inspects all submitted files and URLs. FortiSandbox then generates a verdict and sends that verdict in reply to FortiMail. FortiMail uses the verdict to apply the configured action.”

This directly supports D because FortiSandbox analyzes file and URL objects . It supports B because FortiSandbox generates a verdict and returns it to FortiMail. And it supports E because the integrated workflow includes the email being queued during analysis while FortiSandbox is processing the submitted objects. Option C is incorrect because FortiMail is the device that submits the objects to FortiSandbox, not FortiSandbox itself. Option A is also incorrect because updating FortiGuard databases is not one of the three ATP integration actions described for the FortiMail workflow. Therefore, the correct three answers are B, D, and E .

From the Scanning and Rating Components lesson, the Study Guide states:

" The universal VM license is a single license that grants you access to multiple VMs. Provides a scalable and cost-effective solution with up to 200 VMs on a single unit. Clone count limits shown on the VM Settings view apply to all enabled VM Types. "

" When you enable Adaptive Scan, FortiSandbox dynamically adjusts the number of clones of any local VMs you have enabled. Enabling this option does not affect the number of remote Mac OS or Windows cloud VMs. "

This confirms:

Option A — Deploying remote WindowsCloudVM and MACOSX clones expands capacity beyond local clone limits since remote VMs are not subject to local clone restrictions

Option D — Adding VM licenses directly increases the number of available VMs up to 200 on a single unit

Reorganizing the scan priority list (B) only affects scan order, not capacity. Adding custom VMs (C) would still be subject to the same local clone limits.

From the High Availability and Management lesson, the Study Guide states:

" You must configure the HA group name, password, and the virtual IP only on the primary node. After you configure those, you can add the secondary node to the group using the commands shown on this slide. "

The hc-slave command (shown as hc-worker for secondary) requires pointing to the Primary Node ' s HA interface IP , not the cluster virtual IP or the primary node ' s port1.

From the exhibit:

Primary Node port4 (HA interface) = 10.50.1.30

Secondary Node port4 = 10.50.1.40

Primary Node port1 = 10.25.1.30

Cluster Virtual IP = 10.25.1.50

The secondary node must connect to the Primary Node ' s dedicated HA communication port (port4 = 10.50.1.30) to join the cluster, making Option B the correct answer.

The FortiSandbox 5.0 Administrator Lab Guide shows that, when diagnosing FortiMail submission issues, the required FortiMail debugs are sandboxclid and deferd . It explicitly instructs: “Enter the following commands to enable both deferd and sandboxclid debugging” and then shows that the deferd daemon spools the email and later releases the email from the queue folder after FortiSandbox processing.

Because sandboxclid is not one of the answer choices, the best answer among the listed FortiMail debug tools is deferd . It is the FortiMail daemon directly shown in the official lab workflow for troubleshooting submission-and-verdict handling. The other options in the answer list are not the ones the lab uses for FortiMail-to-FortiSandbox submission troubleshooting. So, based on the uploaded guide, diagnose debug application deferd is the correct choice.

The best answer is B . The Study Guide explains that under VM settings, “FortiSandbox has a Browser selection that allows you to choose which internet browser the VM instance will use. This helps to customize the test using an internet browser that more closely resembles the user’s environment or just monitor if the test delivers different results.” It also states that the default browser choices are Internet Explorer, Firefox, Chrome, and Edge . In addition, the guide says that “The VM images provided by Fortinet might not suit your needs… You can generate a custom VM that fits your organization’s needs and upload it to FortiSandbox.”

Because only endpoints using Opera are affected, the clean verdict likely occurred because the sandbox environment does not accurately reproduce the exploited browser environment. The most effective fix is to make the sandbox environment match the real target environment more closely by using a custom VM with the same browser behavior as the affected endpoints. The other answers do not address the root cause. STIX/TAXII is unrelated, changing the scan profile file type does not solve a browser-specific exploit path, and job queue priority affects order, not analysis fidelity. Therefore, the required action is to configure a custom VM to use the same browser as the exploited end stations .