From the High Availability and Management lesson, the Study Guide states:

" You use the hc-settings command and options to configure the main HA settings, such as enable HA, and to configure the node ' s mode of operation, node alias, group name, group password, and the HA interface. "

The CLI flags breakdown:

-sc = Set configuration

-t = Node type flag where N = Secondary node

-n = Node alias (SecondaryNode)

-c = Cluster/group name (FSAGrp)

-p = Password

-i = HA interface (port4)

The Study Guide confirms the secondary node type uses -tN designation. Option B (-tM) represents the primary/master node, Option C (-tP) and Option D (-tR) are not valid node type designators for secondary nodes in the FortiSandbox HA CLI syntax.

From the Deployment and System Settings lesson, the Study Guide states:

" You can submit emails from an upstream MTA server to FortiSandbox using a BCC adapter. FortiSandbox will extract attachment files and URLs in an email body. "

For a BCC adapter to function correctly, two critical prerequisites must be in place:

Option C — The upstream SEG must be configured to BCC emails to a FortiSandbox sub-domain so that email copies are routed to FortiSandbox for analysis

Option D — An MX record must be added to the DNS server for the BCC email sub-domain, so that the sub-domain resolves to the FortiSandbox IP address, allowing the SEG to properly deliver BCC email copies

Option A is incorrect because the BCC adapter handles full email inspection — FortiSandbox itself extracts files and URLs rather than the SEG doing this. Option B is incorrect because an MX record (not just an A record) is the required DNS configuration for email routing.

The uploaded FortiSandbox 5.0 Administrator Study Guide states that each VDOM is handled independently by FortiSandbox, not under the root VDOM’s authorization. It explicitly explains that “each VDOM is treated as a separate input device on FortiSandbox” and that each device must be authorized before FortiSandbox will process its submissions. It further adds that only when auto-authorization is enabled will FortiSandbox automatically authorize VDOMs as files are submitted.

Therefore, the new VDOM does not inherit the root VDOM’s authorized state. Since the question does not say that auto-authorization is enabled, FortiSandbox will not automatically trust or process that new VDOM as if it were already approved. This eliminates A and C. Option D is incorrect because the issue is not that the administrator must manually configure the VDOM on FortiSandbox; the study guide specifically identifies authorization as the required control. For that reason, B is the best answer: the new VDOM must be manually authorized before its submitted files are inspected.

The correct answer is C. cleandb . The FortiSandbox 5.0 Administrator Study Guide explicitly states: “The cleandb command will erase all stored data in the FortiSandbox database and reboot the system.” This directly matches the scenario, because the issue is that FortiSandbox contains many obsolete samples and related stored analysis data that are no longer needed. Removing those database contents is exactly what cleandb is designed to do.

The other options do not fit this requirement. The same study guide section says “The log-purge command will remove all system logs,” which affects logs only, not the stored sample database. It also says “The fsck-storage command will check the integrity of the hard disks and repair them if any issues are discovered,” which is for disk integrity troubleshooting, not cleanup of obsolete samples. A factory reset would be far more destructive and is not the stated maintenance tool for this issue. Therefore, cleandb is the correct CLI remediation tool.

The Study Guide states that HA is configured from the CLI and that “the main HA cluster CLI commands are hc-settings, hc-slave, and hc-status” . It also explains that “You use the hc-settings command and options to configure the main HA settings… node alias, group name, group password, and the HA interface.” The same HA section further says that the primary and secondary nodes must have a dedicated HA communication interface, and specifically notes that “port4 in this example” is the HA interface between them.

On the primary-node example configuration shown on page 137 of the uploaded study guide, the command uses -tM for the primary node with -iport4 for the HA interface. That directly matches option D . The other options use different node-type flags and do not correspond to the primary-node example. Therefore, the correct command is hc-settings -sc -tM -nPrimaryNode -cFSAGrp -p < password > -iport4 .

From the Results Analysis lesson, the Study Guide confirms:

" The Basic information section shows that, in this case, the file type is WEBLink and the file was submitted by FortiMail. "

From the Scanning and Rating Components lesson:

" The only exception to this is URL inputs. These inputs are submitted directly to the VM scan engine for sandboxing. "

When URLs are submitted to FortiSandbox (from FortiMail or other sources), they are classified as WEBLink file type — which is distinct from the standard .url file extension shown in the VM Association Web types (htm, js, lnk, url).

Looking at the exhibits:

The VM Association shows Web: htm, js, lnk, url — but WEBLink is NOT listed

The Advanced tab shows Real-time Zero-Day Anti-Phishing Service is enabled (green)

Despite RTAP being enabled, URLs cannot reach the VM scan stage without WEBLink being explicitly included in the scan profile ' s VM Association

Since RTAP operates during VM scanning, if WEBLink is not assigned to a VM in the scan profile, URLs submitted for inspection will never reach the VM, and therefore will never be evaluated by the RTAP service — regardless of RTAP being enabled.

The exhibit summary says the file was “flagged by the PAIX engine” and describes it as “high-risk behavior.” The lab guide also states for a similar file analysis scenario: “The PAIX engine detected potentially malicious activity… The overall assessment is that there is a high likelihood of malicious activity.” In addition, the FortiGate integration lab explains that “FortiSandbox identified the fsa_dropper.exe file as high risk… because the advanced AI engine was able to detect malicious behaviour… at the static scan phase.” These extracts confirm that the advanced AI / PAIX engine identified the threat , so A is true .

Option D is not supported. The study guide distinguishes high risk from malicious and explains that high risk is a suspicious threat-level rating, not the same as a malicious verdict. It states that FortiSandbox groups results into ratings such as high risk, medium risk, low risk, clean, and malicious , and defines high-risk separately as a serious suspicious rating. Since the exhibit explicitly refers to high-risk behavior , not a malicious verdict, D is false as written . The duplicated B/C options are also not proven by the exhibit text provided.

If your original source intended D to say “The analysis resulted in a high-risk verdict” instead of malicious verdict , then the correct pair would be A and D .