Fortinet FCP_FSA_AD-5.0 - FCP - FortiSandbox 5.0 Administrator

From the Deployment and System Settings lesson, the Study Guide explicitly states:

" The status command shows information about the system, including firmware level, device serial number, disk usage, Windows VM status, states of the boot and data disks, and more. For VM appliances, it will also show the FortiSandbox license status. "

The key phrase is " For VM appliances, it will also show the FortiSandbox license status " — making the status command the correct choice for verifying license validity on a FortiSandbox VM deployment.

While vm-license -l shows installed Windows/Microsoft Office license keys, and vm-status shows guest VM image information, neither directly reports on the FortiSandbox appliance license validity. The status command is the definitive command for checking overall system and license status.

The FortiClient EMS Integration section is explicit on this point. It says: “You must include the sandbox profile in the active endpoint policy.” It then explains how off-fabric handling works: “FortiClient on-fabric detection rules configured within the policy will classify endpoints as on-fabric or off-fabric. The Profile (Off-Fabric) setting allows you to select a second profile to be applied to endpoints when they are determined to be off-fabric.”

This means the control point for applying FortiSandbox-related behavior to off-fabric endpoints is the endpoint policy , not the fabric connector, not a workgroup, and not the sandbox profile by itself. The sandbox profile defines FortiSandbox behavior, but it must be attached through the active endpoint policy, where the Off-Fabric profile selection is made. Therefore, the correct answer is C. As part of the endpoint policy configuration .

The Study Guide is explicit about the FortiMail–FortiSandbox workflow. It states: “On top of file submissions, FortiMail can also submit extracted URLs from emails to FortiSandbox for inspection. FortiMail queues the email while waiting for a verdict. FortiSandbox inspects all submitted files and URLs. FortiSandbox then generates a verdict and sends that verdict in reply to FortiMail. FortiMail uses the verdict to apply the configured action.”

This directly supports D because FortiSandbox analyzes file and URL objects . It supports B because FortiSandbox generates a verdict and returns it to FortiMail. And it supports E because the integrated workflow includes the email being queued during analysis while FortiSandbox is processing the submitted objects. Option C is incorrect because FortiMail is the device that submits the objects to FortiSandbox, not FortiSandbox itself. Option A is also incorrect because updating FortiGuard databases is not one of the three ATP integration actions described for the FortiMail workflow. Therefore, the correct three answers are B, D, and E .

The Study Guide states that HA is configured from the CLI and that “the main HA cluster CLI commands are hc-settings, hc-slave, and hc-status” . It also explains that “You use the hc-settings command and options to configure the main HA settings… node alias, group name, group password, and the HA interface.” The same HA section further says that the primary and secondary nodes must have a dedicated HA communication interface, and specifically notes that “port4 in this example” is the HA interface between them.

On the primary-node example configuration shown on page 137 of the uploaded study guide, the command uses -tM for the primary node with -iport4 for the HA interface. That directly matches option D . The other options use different node-type flags and do not correspond to the primary-node example. Therefore, the correct command is hc-settings -sc -tM -nPrimaryNode -cFSAGrp -p < password > -iport4 .

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" The rating engine analyzes the tracer engine ' s information. " — confirms Option E

" FortiSandbox checks connection attempts to any URLs against the FortiGuard web filtering database. FortiSandbox submits hashes of files generated during sandbox analysis to the Sandbox Community Cloud to check for existing verdicts. Additionally, it compares these file hashes against the FortiGuard Cloud-Based Threat Intelligence database. " — confirms Option B

" After analysis is complete, the rating engine generates a verdict. " — confirms Option D

" Finally, the rating engine generates a report containing all details collected by the tracer engine. "

Option A is incorrect as the rating engine does not rate third-party device effectiveness. Option C is incorrect — verdict sharing is done by the FortiSandbox system through malware/URL packages, not specifically by the rating engine component.

From the Results Analysis lesson, the Study Guide confirms:

" The Basic information section shows that, in this case, the file type is WEBLink and the file was submitted by FortiMail. "

From the Scanning and Rating Components lesson:

" The only exception to this is URL inputs. These inputs are submitted directly to the VM scan engine for sandboxing. "

When URLs are submitted to FortiSandbox (from FortiMail or other sources), they are classified as WEBLink file type — which is distinct from the standard .url file extension shown in the VM Association Web types (htm, js, lnk, url).

Looking at the exhibits:

The VM Association shows Web: htm, js, lnk, url — but WEBLink is NOT listed

The Advanced tab shows Real-time Zero-Day Anti-Phishing Service is enabled (green)

Despite RTAP being enabled, URLs cannot reach the VM scan stage without WEBLink being explicitly included in the scan profile ' s VM Association

Since RTAP operates during VM scanning, if WEBLink is not assigned to a VM in the scan profile, URLs submitted for inspection will never reach the VM, and therefore will never be evaluated by the RTAP service — regardless of RTAP being enabled.

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" FortiSandbox allows you to modify the number of CPUs and memory assigned to a custom VM. This feature is supported on hardware models and private cloud VMs. "

Hardware models = Device-based (Option C)

Private cloud VMs = Private cloud (Option A)

Azure non-nested mode and FortiSandbox Cloud do not support custom VM creation as per the Study Guide.

The best answer is B. enable Pipeline Mode . The FortiSandbox 5.0 Administrator Study Guide states: “The Pipeline Mode feature improves performance by allowing to scan multiple files, one at a time, without shutting down the VM instance after scanning each file.” It further explains that “FortiSandbox will continue scanning files without shutting down the VM instance, as long as the VM status hasn’t changed.” This directly improves the throughput of dynamic VM-based scanning , which is exactly what the question asks for.

The other options do not fit as well. Option A would reduce waiting time for users, but it lowers security because files could be accessed before a sandbox verdict is returned; the EMS lab profile intentionally enables “Wait for FortiSandbox Results before Allowing File Access” with a Low detection level to maintain strong protection. Option C also weakens security by making remediation apply only when the verdict “equals or exceeds the selected FortiSandbox Detection Verdict Level,” so raising it to Medium would ignore Low-risk detections. Option D enables prefiltering logic, which can reduce submissions, but it does not directly accelerate jobs that already require dynamic scanning. Therefore, Pipeline Mode is the only choice that both preserves a high security level and speeds dynamic scan processing.

The FortiSandbox 5.0 Administrator Lab Guide shows that, when diagnosing FortiMail submission issues, the required FortiMail debugs are sandboxclid and deferd . It explicitly instructs: “Enter the following commands to enable both deferd and sandboxclid debugging” and then shows that the deferd daemon spools the email and later releases the email from the queue folder after FortiSandbox processing.

Because sandboxclid is not one of the answer choices, the best answer among the listed FortiMail debug tools is deferd . It is the FortiMail daemon directly shown in the official lab workflow for troubleshooting submission-and-verdict handling. The other options in the answer list are not the ones the lab uses for FortiMail-to-FortiSandbox submission troubleshooting. So, based on the uploaded guide, diagnose debug application deferd is the correct choice.