FCSS – Enterprise Firewall Administrator 7.4 — Question 41

A vulnerability scan report has revealed that a user has generated traffic to the website example.com (10.10.10.10) using a weak SSL/TLS version supported by the HTTPS web server.
What can the firewall administrator do to block all outdated SSL/TLS versions on any HTTPS web server to prevent possible attacks on user traffic?

Answer options

• A. Configure the unsupported SSL version and set the minimum allowed SSL version in the HTTPS settings of the SSL/SSH inspection profile.
• B. Enable auto-detection of outdated SSL/TLS versions in the SSL/SSH inspection profile to block vulnerable websites.
• C. Install the required certificate in the client's browser or use Active Directory policies to block specific websites as defined in the SSL/SSH inspection profile.
• D. Use the latest certificate, Fortinet_SSL_ECDSA256, and replace the CA certificate in the SSL/SSH inspection profile.

Correct answer: A

Explanation

The correct answer is A because configuring the minimum allowed SSL version directly addresses the issue of blocking outdated protocols. Option B, while helpful, may not effectively prevent all outdated versions without specific configuration. Options C and D do not focus on blocking outdated SSL/TLS versions and instead address certificate management, which is not the primary concern in this scenario.