Free and Premium Fortinet FCP_FSA_AD-5.0 Dumps Questions Answers

The correct answer is C. cleandb . The FortiSandbox 5.0 Administrator Study Guide explicitly states: “The cleandb command will erase all stored data in the FortiSandbox database and reboot the system.” This directly matches the scenario, because the issue is that FortiSandbox contains many obsolete samples and related stored analysis data that are no longer needed. Removing those database contents is exactly what cleandb is designed to do.

The other options do not fit this requirement. The same study guide section says “The log-purge command will remove all system logs,” which affects logs only, not the stored sample database. It also says “The fsck-storage command will check the integrity of the hard disks and repair them if any issues are discovered,” which is for disk integrity troubleshooting, not cleanup of obsolete samples. A factory reset would be far more destructive and is not the stated maintenance tool for this issue. Therefore, cleandb is the correct CLI remediation tool.

The best answer is B . The Study Guide explains that under VM settings, “FortiSandbox has a Browser selection that allows you to choose which internet browser the VM instance will use. This helps to customize the test using an internet browser that more closely resembles the user’s environment or just monitor if the test delivers different results.” It also states that the default browser choices are Internet Explorer, Firefox, Chrome, and Edge . In addition, the guide says that “The VM images provided by Fortinet might not suit your needs… You can generate a custom VM that fits your organization’s needs and upload it to FortiSandbox.”

Because only endpoints using Opera are affected, the clean verdict likely occurred because the sandbox environment does not accurately reproduce the exploited browser environment. The most effective fix is to make the sandbox environment match the real target environment more closely by using a custom VM with the same browser behavior as the affected endpoints. The other answers do not address the root cause. STIX/TAXII is unrelated, changing the scan profile file type does not solve a browser-specific exploit path, and job queue priority affects order, not analysis fidelity. Therefore, the required action is to configure a custom VM to use the same browser as the exploited end stations .

The Study Guide states that in an HA cluster, “As well as normal scanning duties, the primary node also manages the cluster, distributes jobs, and gathers the verdicts.” It also says that “The worker nodes provide load balancing. The primary node distributes scan jobs to the worker nodes.”

From those official statements, the primary node is not just a coordinator. It also performs normal scanning duties itself, while distributing scan jobs across worker nodes for load balancing. That rules out A, because the secondary node is for failover, not normal job distribution. It rules out C, because the primary is not restricted to itself only. It also rules out D, because the primary can still perform scanning duties and is not limited to sending all jobs only to workers. Therefore, when the primary receives MTA jobs, the correct behavior is that it distributes the MTA jobs to itself or to worker nodes .

The correct answer is D . The Study Guide states that FortiSandbox has default administrative profiles and specifically says: “The Read Only profile is intended to be used for system-wide monitoring and reporting tasks, whereas the Device profile is intended to be used for monitoring alerts and reporting for a specific device.” That wording directly matches the question requirement to limit access based on the system that submitted the scan request . In other words, FortiSandbox uses administrator profiles to control whether an admin can view broad system-wide activity or only jobs and alerts related to a specific submitting device.

This eliminates the other options. The Study Guide does not describe device groups , log server settings , or netshare groups as the mechanism for restricting admin visibility of scan jobs by submitter. Instead, access control is tied to the admin profile model . The Device profile is the exact fit because it narrows monitoring and reporting to a particular device context rather than the entire system. Therefore, the way to limit an administrator’s access to scan jobs by the submitting system is by configuring administrator profiles that define job access .

From the Scanning and Rating Components lesson, the Study Guide states:

" The universal VM license is a single license that grants you access to multiple VMs. Provides a scalable and cost-effective solution with up to 200 VMs on a single unit. Clone count limits shown on the VM Settings view apply to all enabled VM Types. "

" When you enable Adaptive Scan, FortiSandbox dynamically adjusts the number of clones of any local VMs you have enabled. Enabling this option does not affect the number of remote Mac OS or Windows cloud VMs. "

This confirms:

Option A — Deploying remote WindowsCloudVM and MACOSX clones expands capacity beyond local clone limits since remote VMs are not subject to local clone restrictions

Option D — Adding VM licenses directly increases the number of available VMs up to 200 on a single unit

Reorganizing the scan priority list (B) only affects scan order, not capacity. Adding custom VMs (C) would still be subject to the same local clone limits.

The FortiSandbox 5.0 Administrator Lab Guide explicitly states during the inline scanning configuration: “FortiGate and FortiSandbox communicate through port 4443. Management or API ports grant access through port 4443.” In the same exercise, the guide has you enable API access on port2 specifically so inline scanning can function, which confirms that the integration depends on FortiGate reaching FortiSandbox over TCP/4443 .

In this scenario, the intermediate firewall currently allows TCP/3389, UDP/53, and TCP/443, but not TCP/4443 . That is why inline scanning stopped working after the redesign. TCP/443 is not sufficient here because the documented FortiGate-to-FortiSandbox inline communication port is 4443 , not standard HTTPS 443. The other ports in the options do not match the inline-scanning communication requirement described in the uploaded lab materials. Therefore, the required fix is to allow FortiGate access to FortiSandbox on TCP/4443 .

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" VM images are downloaded from FortiGuard, using port1. So, you must ensure FortiSandbox has a default route and internet connectivity for port1. "

The exhibit confirms this — the test-network output shows:

System DNS resolve: Failed for both bing.com and fsavm.fortinet.net

fsavm.fortinet.net is the FortiGuard VM image download server

This DNS failure on the system side (port1) confirms there is no internet connectivity on port1 , preventing VM image downloads. Note that port3 internet shows " Warning: VM to access internet: Disabled " — but port3 is only for VM sandboxing traffic, not for downloading VM images.

From the Deployment and System Settings lesson, the Study Guide explicitly states:

" The status command shows information about the system, including firmware level, device serial number, disk usage, Windows VM status, states of the boot and data disks, and more. For VM appliances, it will also show the FortiSandbox license status. "

The key phrase is " For VM appliances, it will also show the FortiSandbox license status " — making the status command the correct choice for verifying license validity on a FortiSandbox VM deployment.

While vm-license -l shows installed Windows/Microsoft Office license keys, and vm-status shows guest VM image information, neither directly reports on the FortiSandbox appliance license validity. The status command is the definitive command for checking overall system and license status.

The exhibit labels 10.25.1.50 as the cluster virtual IP address . The Study Guide explains that in HA configuration, “You must configure the HA group name, password, and the virtual IP only on the primary node.” It also says: “You must also configure an external interface for external communication and an IP address that will be used as a virtual IP for the whole cluster. Devices will interact with the cluster using this virtual IP.”

That is why the command for the primary node must point to the cluster virtual IP , not to the individual port1 addresses of the primary, secondary, or upstream firewall. In the exhibit, 10.25.1.30 is the primary node’s own port1 IP, 10.25.1.40 is the secondary node’s port1 IP, and 10.25.1.254 is the network device. The only address that matches the required cluster virtual IP is 10.25.1.50 , so the correct command is hc-settings -si iport1 -a10.25.1.50 .

From the FortiClient EMS Integration lesson, the Study Guide states that FortiSandbox and FortiClient EMS integration helps break the kill chain by monitoring all downloads, removable media, mapped network drives, and email client file downloads — intercepting threats at the Delivery stage before they can execute on the endpoint.

Additionally, from the Attack Methodologies section: " When a USB is attached to a host protected with FortiClient, FortiClient can send the files on the USB drive to FortiSandbox for analysis, before allowing the user access to the files " — further confirming the Delivery stage focus.

From the Scanning and Rating Components lesson, the Study Guide explicitly states:

" FortiSandbox allows you to modify the number of CPUs and memory assigned to a custom VM. This feature is supported on hardware models and private cloud VMs. "

Hardware models = Device-based (Option C)

Private cloud VMs = Private cloud (Option A)

Azure non-nested mode and FortiSandbox Cloud do not support custom VM creation as per the Study Guide.

From the Attack Methodologies lesson, the Study Guide explicitly states:

" During the lateral movement stage, the attacker is trying to compromise and infect other computers in the network. If these computers are protected with FortiClient, FortiClient can send any file that the computer downloads, to FortiSandbox for analysis. "

" FortiDeceptor creates a network of decoys, to lure attackers and monitor their activities on the network. When attackers attack a decoy, an alert is generated. FortiDeceptor engages FortiSandBox to get a verdict on the suspected malware. "

" If you deploy FortiGate as an ISFW firewall, FortiGate can analyze the traffic moving across subnets and send any files to FortiSandbox for analysis to prevent propagation. "

Both FortiDeceptor (Option B) and FortiGate (Option D) are specifically identified as protecting against the lateral movement stage through their FortiSandbox integration.