FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Questions and Answers

The correct answers are B and C .

The study guide has a section titled “Not Verified Status on the Collector Agent” and states:

“The collector agent cannot verify if the user is still logged in” and lists these common causes :

“A firewall is blocking traffic to port 139 and 445”

“The workstation remote registry service is not running”

The guide also explains the verification method:

“For WMI polling mode, the collector agent checks the WMI service. For all the other modes, the collector agent checks the HKEY_USERS hive through remote registry services.” If the workstation does not respond to these checks, the status can become not verified

An additional requirements slide in the same study guide confirms:

“TCP ports 139 and 445 must be open between the collector agent and all workstations”

“Remote registry service must be up and running on each workstation”

Why the other options are wrong:

A is wrong because the study guide mentions a workstation coming out of hibernate mode under a different problem: “No Internet After IP Address Change” , not as a common cause of Not Verified status

D is wrong because DNS resolution issues are also discussed under the IP address change scenario, where the collector agent uses DNS to resolve the workstation name after an IP change. That is separate from the Not Verified causes listed for this log message

So the verified answers are: B, C .

Intermittent behavior (working sometimes, failing others) points to resource or connectivity fluctuations rather than static misconfigurations.

B. Check that FortiGate is not entering conserve mode:

Reason: When FortiGate enters Conserve Mode (due to high memory usage), it changes its inspection behavior to save resources. Depending on the av-failopen setting, it may either bypass inspection (allowing blocked sites) or drop traffic (blocking valid sites) temporarily until memory recovers. This flapping between states causes intermittent filtering issues.

D. Check that the communication between FortiGate and FortiGuard is stable:

Reason: The Web Filter engine relies on real-time queries to the FortiGuard Distribution Network (FDN) to categorize URLs that are not in the local cache. If the internet connection or the specific path to FortiGuard is unstable (packet loss, latency), queries will time out. This results in " Rating Errors, " which can block or allow traffic unpredictably based on the " Allow websites when a rating error occurs " setting.

Why other options are incorrect:

A: A mismatch in inspection mode (e.g., Profile set to Proxy, Policy set to Flow) is a static configuration error. It would typically result in the profile not being selectable or consistently failing/not applying, rather than working intermittently.

C: If the wrong port is mapped (e.g., HTTP on 8080 is not mapped), the inspection engine will consistently ignore traffic on that port. It would not be intermittent.

The exhibit shows these key lines:

handle_req-Rcvd auth req ... for jsmith in Lab

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explicitly shows the same LDAP real-time debug pattern and says the request line includes the LDAP server object name:

handle_req-Rcvd auth req ... for jsmith in Lab ...

That supports A : Lab is the configured LDAP server name being used for this authentication request.

For the LDAP flow stage, the study guide states:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree.” It also says that if the LDAP server finds the user, the output shows the user’s full DN.

That matches the exhibit’s start_search_dn-base ... filter:sAMAccountName=jsmith and Found DN ... CN=John Smith... lines, so D is correct.

Why the other options are wrong:

B is wrong because the exhibit shows FortiOS has found the user DN CN=John Smith,..., but that does not mean the user is already authenticating with that DN in this step. The study guide says this DN is discovered in step 2 , and only in step 3 does FortiGate bind using the user DN.

C is wrong because the exhibit is showing step 2 (Search Request) , not step 3 (Bind Request) . The study guide separates these steps clearly and shows step 3 with fnbamd_ldap_build_userbind_req-Trying DN ... and __ldap_build_bind_req-Binding to ' CN=John Smith,... '

The correct answers are B and D .

The study guide explains that in the SP Login Dump section, FortiGate is acting as the service provider (SP) , and that you should read these fields:

“The IdP SSO URL, from the setting idp-single-sign-on-url in the FortiGate configuration”

“The SP SSO URL, from the setting single-sign-on-url in the FortiGate configuration”

“The IdP Entity ID, from the setting id-entity-id in the FortiGate configuration”

“The SP Entity ID, from the setting entity-id setting in the FortiGate configuration”

In the exhibit:

Destination= " https://10.1.10.2/saml-idp/nst/login/ " → this is the IdP SSO URL

< lasso:RemoteProviderID > http://10.1.10.2/samlidp/nst/metadata/ < /lasso:RemoteProviderID > → this is the IdP Entity ID

AssertionConsumerServiceURL= " https://10.1.10.254:1003/remote/saml/login/ " → this is the SP SSO URL

< saml:Issuer > https://10.1.10.254:1003/remote/saml/metadata/ < /saml:Issuer > → this is the SP Entity ID

The same study-guide example shows this exact mapping pattern, where:

Destination points to the IdP

AssertionConsumerServiceURL and Issuer point to the SP

Therefore:

10.1.10.2 is the IdP → D

10.1.10.254 is the SP → B

So the verified answers are: B, D .

The IKE_SA_INIT exchange in IKEv2 is responsible for DoS protection measures. During IKE_SA_INIT, before authentication and further exchange, the responder can use cookie challenges (per RFC 7296 and Fortinet VPN documentation). If a DoS attack is suspected (many requests from the same source), the responder replies with a cookie. Only after the initiator returns the correct cookie does the exchange proceed, protecting the responder from state exhaustion and certain forms of DoS traffic at the handshake stage.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

From the snippet we can see that FortiGate (via the fssod daemon) is directly detecting the user logon rather than relying on a separate “collector” or “DC agent.” This indicates agentless polling—FortiGate polls the DC’s event logs over TCP 445 to discover logons. So: - FSSO is using agentless polling mode to detect logon events - In agentless mode, FortiGate will periodically poll the same IP (the DC) on port 445 to see if the user is still logged on

The exhibit includes these key debug lines:

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explains that in regular bind , LDAP authentication has four steps , and that during step 2 , FortiGate searches the LDAP tree to find the user’s DN:

“During the second step, FortiGate does a search query in the LDAP database to find the user’s location—in other words, the user’s DN. If the user is found, the server replies with the user’s DN.”

It also states for the real-time debug of step 2:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree. This message includes the base branch (distinguished name setting) and the name of the attribute used to locate the user... If the LDAP server finds the user, the output shows the user’s full DN.”

That directly proves:

D is correct because the debug is showing step 2: Search Request

A is correct because the base DN and found DN are under DC=TAC,DC=ottawa,DC=fortinet,DC=com, which corresponds to the LDAP domain/tree root TAC.ottawa.fortinet.com

Why the other options are wrong:

B is wrong because binding with the user’s credentials is step 3 , not the step shown here. The study guide says: “Step 3 – Bind user credentials” and shows that this happens later with fnbamd_ldap_build_userbind_req / __ldap_build_bind_req-Binding to ' CN=John Smith... '

C is wrong because collecting user group information is step 4 , not the step shown in the exhibit. The study guide says: “The last step is to get the user group information” and shows step 4 with Attr query / memberOf search

To identify the reason for the lack of prefixes, we must interpret the State/PfxRcd and Up/Down columns in the get router info bgp summary exhibit.

Analyze Neighbor Status:

Neighbor 10.125.0.60: State is OpenSent. This session is not established. It is stuck in the negotiation phase.

Neighbor 100.64.3.1: State is Active. This session is not established. The router is actively trying to initiate a TCP connection.

Neighbor 10.127.0.75:

Up/Down: 02:45:55. This indicates the BGP session has been Up (Established) for almost 3 hours.

State/PfxRcd: 0. This number represents the count of prefixes received. The session is fully established, but the neighbor has sent zero routes.

Determine the Cause:

Since the session with 10.127.0.75 is established, connectivity and handshakes (Options A, B, C) are not the issue for this neighbor.

The fact that it is Up but sending 0 prefixes strongly implies that the neighbor is configured to filter out its routes before sending them to the local FortiGate.

Option D correctly identifies this as a RIB-OUT (Routing Information Base - Outbound) configuration issue on the neighbor (Router 10.127.0.75), which prevents it from advertising its routes.

The correct answers are A and C .

The study guide describes this exact asymmetric ICMP scenario. It states:

“The server sends an echo request to the PC through port2 of the local router, effectively bypassing FortiGate. When it receives the echo request, the PC responds with an echo reply through its default gateway, 10.1.0.2, which is port1 on FortiGate. Because there is no existing session, the echo reply is dropped. All subsequent echo replies are blocked.”

That means the current problem exists because:

the ICMP request bypasses FortiGate

the ICMP reply goes through FortiGate

FortiGate has no matching session , so it drops the reply

The study guide then shows the exact corrective option:

“Allowing asymmetric routing:”

config system settings

set asymroute enable

end

It further explains:

“After the packet passes through the FortiGate CPU, FortiGate forwards the packet using the FIB, even though there are no session matches. FortiGate forwards all subsequent echo replies using the FIB.”

So A is correct.

The other valid fix is to make the traffic symmetric by changing the laptop’s default gateway so the reply no longer goes through FortiGate. In the exhibit, the alternate gateway is 10.1.0.254 , which is the local router on the same subnet. If the laptop uses 10.1.0.254 instead of 10.1.0.2, the ICMP echo reply follows the same bypass path as the echo request, so the server receives it without involving FortiGate session validation. This makes C correct.

Why the other options are wrong:

B is wrong because this is not an RPF problem. The study guide explains RPF as a reverse path lookup used to validate whether a packet arrived on a legitimate interface, mainly for spoofing protection. The issue in this scenario is a missing session due to asymmetric routing , not a strict-versus-feasible RPF failure

D is wrong because FortiGate already has the specific route 10.4.0.0/24 through port3 in the routing table shown in the exhibit, so adding a default static route to port3 is unnecessary and not the reason the echo reply is being dropped

So the verified answers are: A, C .

The partial output from diagnose hardware sysinfo memory provides details on system RAM allocation. According to Fortinet ' s technical documentation for memory troubleshooting and Linux memory management (which FortiOS is based on):

MemFree is the portion of physical memory not currently allocated to any running process or kernel function. Thus, 708880 kB is available and can be immediately used by user-space programs or system operations.

Inactive refers to pages in the memory cache that were previously in use for I/O or file system buffering but are now not actively referenced. These pages are retained in memory for quick access if needed again, but can be reclaimed for other memory operations if demand increases. The value 98908 kB here represents currently unused cache pages (inactive pages), ready for repurposing or deletion if the system requires more RAM.

Cached represents the total amount of system memory allocated to cache, which includes both active and inactive cache pages. It does not, by itself, represent I/O cache exclusively, nor does " inactive " mean memory “will never be used” as the kernel can re-purpose inactive pages on demand.

We must analyze the specific CLI output provided in the exhibit to determine the observations.

Analyze the Command and Output:

Command: # diagnose automation test HAFailOver

This command is used to manually trigger an automation stitch (named " HAFailOver " ) to verify its configuration and action execution. It simulates the trigger event to run the defined actions.

Output: automation test failed(1). stitch:HAFailOver

The output explicitly states that the test failed. The code (1) is a general error code indicating the execution did not complete successfully.

Evaluate the Options:

A. The configuration was backed up:

Incorrect. Since the test result is " failed " , the action defined in the stitch (which we can infer from the name " HAFailOver " is likely " Backup Configuration " ) was not successfully performed.

B. A high availability (HA) failover occurred:

Incorrect. The command diagnose automation test is a simulation tool. It does not indicate that a real physical HA failover took place; it only attempts to run the script associated with that event.

C. The test was unsuccessful:

Correct. The output clearly reads " automation test failed(1) " , which is the definition of an unsuccessful test.

D. The automation stitch test is not being logged:

Correct. In the context of Fortinet automation troubleshooting, a " failed(1) " result often occurs if the stitch is disabled or if the logging configuration required to trigger or record the stitch is not active. Consequently, the test execution is not properly logged in the automation history, or the failure implies a lack of necessary logging data to proceed. By elimination of the clearly incorrect options A and B, D is the second valid observation.

According to the official Fortinet documentation (Technical Tip: Useful FSSO Commands), heartbeat messages play a crucial role in communication between the FSSO Collector Agent and FortiGate. These messages are regularly sent from the Collector Agent to verify its status, maintain session awareness, and confirm connectivity between the authentication infrastructure and FortiGate appliances.

Option B is confirmed by Fortinet, as the collector agent logs on Windows or its management console will specifically note heartbeat events, connection status, and any issues maintaining contact with FortiGate units.

Option C is validated by both official CLI documentation and the technical tip linked. On FortiGate, heartbeat messages from the collector agent are visible using real-time debug tools such as diagnose debug application authd or FSSO-specific commands. These enable administrators to monitor live logon states, session status, and connection health directly from the FortiGate CLI. The debug stream shows heartbeats received and their effect on active logons, associating health monitoring with active sessions.

Heartbeat operation is fully automated once FSSO is set up—there is no requirement for manual enablement or configuration, aligning with Fortinet’s philosophy of seamless integration and centralized management across the Security Fabric. This ensures that both FortiGate and the collector agent can quickly and reliably detect any miscommunication or outage, addressing authentication issues proactively.

The study guide identifies this exact output as an expectation session created by the FTP session helper :

“run helper-ftp” indicates the FTP helper is in use.

“FortiGate created an expectation session and opened the pinhole port for the expected return traffic”

It also explains why this exists:

“Another important function of the session helper is to temporarily create an expected session (or pinhole) for the data channel connection that comes from the server.”

“The session helper automatically creates the session and opens the door for the incoming connection.”

“These incoming TCP sessions use random TCP port numbers.”

That directly proves C is correct.

For A , the exhibit shows expire=23. The study guide explains the expire field as the length of time until the session expires if no matching traffic arrives, and the FortiOS guide states for expectation sessions:

“Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.”

So with expire=23, FortiGate will allow that expected traffic only for the remaining 23 seconds; after that, it times out and the traffic is denied. That makes A correct.

Why the other options are wrong:

B is not supported . The study guide describes expectation sessions as being created by the session helper from the control-session negotiation, not as independent objects unaffected by the master session.

D is wrong as stated. Even though the output contains policy_id=25, the study guide explicitly says the incoming expected connection is allowed by the expected session itself, “even when no firewall policy allows it.”

From the exhibit, you can observe that the debug output captures an IKEv1 negotiation in aggressive mode. Let ' s break down the supporting details in line with official Fortinet IPsec VPN troubleshooting resources and debug guides:

For Option B:

The very first line of the debug output shows:

comes 10.0.0.2:500- > 10.0.0.1:500, ifindex=7.

This indicates the traffic direction—from the remote IP (10.0.0.2) with port 500 to the local IP (10.0.0.1) with port 500. According to Fortinet ' s documentation, the right side of the arrow always represents the local FortiGate gateway. Thus, 10.0.0.1 is the local gateway IP address.

For Option D:

You see the statement:

negotiation result " remote "

and

received peer identifier FQDNCE88525E7DE7F00D6C2D3C00000000

Official debug documentation describes that the " peer identifier " or peer ID sent by the initiator is displayed here. In the context of IKE/IPsec negotiation, this value is used as the IPsec peer ID for authentication and identification purposes. The initiator is providing " remote " as the peer ID for its connection.

Why Not A or C:

Perfect Forward Secrecy (PFS): The debug does not show any DH group negotiation in phase 2 (no reference to group2, group5, etc., for phase 2), so you cannot deduce the presence of PFS solely from this output.

Phase 2 negotiation: The log focuses on IKE (phase 1) negotiation and establishment; there’s no reference to ESP protocol, Quick Mode, or other identifiers that would show phase 2 SA negotiation and establishment.

This interpretation aligns with the explanation in the FortiOS 7.6.4 Administration Guide ' s VPN section and the official debug command output samples published in Fortinet’s documentation. It demonstrates how to distinguish between local and remote addresses and how to identify the use of peer IDs.

Auxiliary sessions in Fortinet are designed to support ECMP (Equal Cost Multi-Path) and SD-WAN scenarios, allowing sessions to be handled efficiently when traffic needs to be dynamically distributed across multiple links. With the auxiliary session setting enabled, FortiGate creates additional session table entries for each possible path in ECMP or SD-WAN—meaning that if the routing path changes (such as a link failover), a new session can be immediately activated and offloaded to the NP6 network processor for acceleration, ensuring minimal disruption. This greatly benefits high-throughput deployments.

Official documentation specifies that when auxiliary sessions are enabled, FortiGate doesn’t just rely on dynamically creating new sessions after a routing event, it proactively creates sessions for all potential paths. This means that in the event of a route change, two sessions exist and the traffic is quickly re-routed and offloaded, maximizing performance and reliability. Without this feature, multiple paths cannot be efficiently offloaded, and routing changes trigger a single session update, reducing failover performance.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Static-URL-filter-actions-explained/ta-p/206632

The correct answer is C. The session is offloaded using NPU .

The exact session example in the study guide shows:

proto=6 → this is a TCP session

expire=3599 → the session will expire in 3599 seconds , not in one second

hook=post dir=org act=snat 10.9.31.117:45388- > 200.8.57.5:443(10.1.0.3:45388)

hook=pre dir=reply act=dnat 200.8.57.5:443- > 10.1.0.3:45388(10.9.31.117:45388)

npu info: ... offload=8/8 ...

and the slide explicitly states: “Offloaded in both directions using NP6”

The study guide also explains this exact point clearly:

“Counters for hardware acceleration—The presence of the npu info field indicates the session has been offloaded to hardware acceleration. In this example, traffic is being offloaded in both directions using network processor (NP) 6, which is represented by the value of 8.”

Why the other options are wrong:

A is wrong because expire=3599, not 1. The duration=1 field means the session has existed for 1 second, not that it will expire in 1 second.

B is wrong because the original session is from 10.9.31.117 to the remote server 200.8.57.5:443. The IP 10.1.0.3 is the SNAT-translated source address , not the final destination.

D is not the best answer for this single-select question . The reply is indeed DNATed back toward the original client, but the exact validated takeaway highlighted by the study guide for this exhibit is the NPU offload state .

To capture encrypted IPsec phase 2 (ESP) traffic between two FortiGate devices, the correct protocol filter to use is ip proto 50. According to the Fortinet official sniffing and debugging documentation, ESP (Encapsulating Security Payload) is used for encrypted phase 2 payload transfer and always uses IP protocol number 50. Running the command diagnose sniffer packet any ' ip proto 50 '  captures only ESP packets, which represent the encrypted traffic—whether originating or transiting the device.

If there is no NAT device between FortiGates, ESP is not encapsulated in UDP (thus not on UDP port 4500; if NAT-T were required, packets would be UDP-encapsulated, but the scenario explicitly says NAT is not in use). UDP port 500 is for IKE control (negotiation) traffic, and AH (Authentication Header, ip proto 51) is not used for encryption in standard IPsec phase 2 with ESP.

This matches the official CLI reference from Fortinet for VPN and traffic analysis.

**

The correct answers are A and D .

The debug output shows:

Sent RADIUS req to server ' RadiusServer ' : IP=172.25.188.164 ... user= " student " using CHAP

Result for radius svr ' RadiusServer ' 172.25.188.164(0) is 0

Sending result 0 for req 2

The study guide explains that in RADIUS real-time debug, FortiGate shows the IP address of the RADIUS server it is querying. In the example, it says FortiGate “creates an access request to the RADIUS server at IP address 10.0.13.130” and shows the line Sent radius req to server ... IP=10.0.13.130

So in your exhibit, the queried server is clearly 172.25.188.164 , which makes A correct.

The study guide also states:

“The message fnbamd_comm_send_result-Sending result 0 indicates that the authentication was successful and that FortiGate received the Access-Accept message.”

Since your exhibit also ends with Sending result 0 , that makes D correct.

Why the other options are wrong:

B is wrong because result 0 means authentication successful , not failed

C is wrong because the debug explicitly shows using CHAP , and the study guide lists supported RADIUS schemes as CHAP, PAP, MS-CHAP, and MS-CHAPv2

E is wrong because the study guide says two-factor authentication would involve an Access-Challenge response: “If two-factor authentication is enabled on the server, the response is an Access-Challenge message” Your exhibit shows successful result 0 / Access-Accept , not a challenge.

So the verified answers are: A, D .

The 7.6 study guide explains the route selection order:

“Route Selection Process

Most specific route

Lowest distance

Lowest metric (dynamic routes)

Lowest priority (static routes)

ECMP (static, BGP, and OSPF routes)”**

It then states:

“If there are multiple routes with the same netmask, distance, metric, and priority, FortiGate shares the traffic among all of them. This is called equal-cost multi-path (ECMP).”

The FortiOS administration guide confirms the ECMP prerequisite:

“Routes must have the same destination and costs. In the case of static routes costs include distance and priority.”

In the exhibit, the kernel/FIB output shows the two default routes as:

gwy=100.64.1.254 dev=3 (port1) prio=0

gwy=100.64.2.254 dev=6 (port2) prio=10

So although both are default routes, their priorities are different . Since FortiGate uses the FIB/kernel for forwarding traffic, ECMP will not happen until the static-route priorities are the same. The study guide also notes that the FIB is the table used to perform standard routing

Therefore, to make the two default routes eligible for ECMP, the administrator must make the priorities equal. Since port2 is already 10, the needed change is to set the port1 default route priority to 10.

Why the other options are wrong:

A is wrong because snat-route-change affects how existing SNAT sessions react to routing changes, not whether static routes qualify for ECMP

B is wrong because changing port2 to priority 1 still would not match port1 at 0, so the routes still would not have equal cost for ECMP

C is wrong because preserve-session-route affects existing-session route persistence after routing changes, not ECMP qualification

The correct answers are A and D .

The Network Security Support Engineer 7.6 Study Guide explains that automation stitches consist of a trigger and one or more actions , and that they can detect events such as high CPU and conserve mode across the Security Fabric

The FortiOS administration guide then gives the exact practical example for A :

“Automation stitches can be created to run a CLI script and send an email message when memory or CPU usage exceeds specified thresholds.”

It also shows examples where the email body contains the script output using:

%%results%%

That directly confirms A .

For D , the FortiOS administration guide states:

“The URI and HTTP body can use parameters from logs or previous action results.”

It also explains the execution model:

“The stitch Action execution can be set to either Sequential or Parallel. In sequential execution actions will execute one after another with a delay (if specified). … In parallel execution all actions will execute immediately when the stitch is triggered.”

A concrete example shows a second action using the output of the first action:

“This string for the body text includes the results from the preceding CLI script action.” with

Body=%%results%%...

That confirms D .

Why the other options are wrong:

B is wrong because automation stitches can be triggered by IPS events, but the documentation does not describe them as modifying packet headers or payloads. Instead, they perform actions such as email, CLI script, webhook, quarantine, and similar automated responses

C is wrong because delay is associated with sequential execution, not parallel execution. The guide explicitly says: “A delay can be added before an action if Sequential action execution is used.”

So the verified answers are: A, D .

The correct answer is A .

The study guide explains the IKEv2 exchange order very clearly:

“The initial exchanges are: IKE_SA_INIT and IKE_AUTH.”

“Create_Child_SA exchange: Creates a new child SA or rekeys an existing child SA.”

It also states:

“After successful IKE_SA_INIT and IKE_AUTH exchanges, the CHILD_SA exchange takes place. In this exchange, the peers negotiate the CHILD_SA and the traffic selectors — traffic selector responder (TSr) and traffic selector initiator (TSi).”

That is why A is correct: if the tunnel was initially brought up successfully , then the initial exchanges already succeeded. A later problem during CREATE_CHILD_SA , especially with traffic selectors/phase 2 selectors , can cause the tunnel to fail during rekey or child-SA renegotiation.

Why the other options are wrong:

B is wrong because proposal mismatch for the IKE SA is handled during IKE_SA_INIT , not after the tunnel is already up. The study guide says IKE_SA_INIT negotiates the security settings to protect the IKE traffic

C is wrong because a pre-shared key mismatch is part of authentication and would prevent successful initial establishment during IKE_AUTH . The study guide shows that after IKE_AUTH, “authentication succeeded” and “established IKE SA” when it works

D is wrong because a Diffie-Hellman mismatch belongs to IKE_SA_INIT , which happens before the tunnel comes up. The study guide also states: “By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange.”

So the verified answer is: A .

The study guide states:

“The kernel memory slabs are collections of objects with a common purpose. The kernel uses them to store information in memory.”

It also gives the exact calculation rule:

“Total slab size = available objects x object size”

From the exhibit:

tcp_session 3 5 1500 ...

So:

available objects = 5

object size = 1500

Therefore:

Total slab size = 5 × 1500 = 7500 kB

That makes D correct, and it is associated with the kernel , not user space.

Why the other options are wrong:

A is wrong because sctp_session 0 0 1600 ... gives 0 × 1600 = 0 , but slabs are associated with the kernel , not user space.

B is wrong because ip_session 1 3 1200 ... gives 3 × 1200 = 3600 , but again slabs are kernel memory, not user space.

C is wrong because ip6_session 0 0 1300 ... gives 0 × 1300 = 0 , not 1300.

To solve this high CPU usage scenario involving the ipsengine, we must understand the specific functions of the diagnose test application ipsmonitor commands shown in the troubleshooting steps.

Analyze the Situation:

Exhibit: The diagnose sys top output shows the ipsengine process is in a run state (R) consuming 99% CPU.

Previous Action: The administrator already ran diagnose test application ipsmonitor 5.

Result: The CPU usage did not drop.

Understand the Commands:

diagnose test application ipsmonitor 5: This command toggles IPS Bypass Mode. When enabled, the IPS engine lets traffic pass through without inspection.

Implication: If the CPU was high due to traffic volume, enabling bypass would drop the CPU load immediately.

Failure: Since the CPU remained at 99% after bypass, the ipsengine process is likely frozen, stuck, or in an internal infinite loop unrelated to the current traffic flow. The process itself is the problem, not the traffic volume.

Evaluate the Solution (Option B):

diagnose test application ipsmonitor 2: This command toggles the IPS engine ' s Enable/Disable status.

Because the engine is stuck (bypass failed to relieve pressure), the " Immediate action " required is to stop or restart the process entirely.

Running option 2 effectively disables/kills the stuck IPS engine instance, which will immediately drop the CPU usage to near zero. (It can then be toggled again to restart it).

Why other options are incorrect:

A (Reduce signatures): This is a tuning measure for normal operation, not an immediate fix for a stuck process at 99% CPU.

C (Disable IPS on policies): This is a configuration change that takes time and requires a commit; it is not the most immediate diagnostic tool available.

D (Bypass all IPS engines): This describes the action of command 5 (Bypass), which the prompt explicitly states was already performed and failed.

The administrator is running a packet sniffer with the filter ' udp port 500 or udp port 4500 or esp ' . The result is " no output, " even though the VPN is attempting to establish (failing).

A. The VPN is configured to use IKE over TCP:

Standard IPsec IKE negotiation uses UDP port 500 (IKE) and UDP port 4500 (NAT-T).

However, if IKEv2 over TCP (RFC 8229) or Fortinet ' s proprietary IKE over TCP is configured (often used to bypass firewalls that block UDP), the traffic will use TCP (often port 4500 or 443).

The sniffer filter explicitly looks for udp or esp (IP Protocol 50).

If the traffic is encapsulated in TCP, it matches tcp protocol, not udp or esp (raw ESP). Therefore, the sniffer sees zero packets matching the filter.

Why other options are incorrect:

B: esp is a valid argument for diagnose sniffer packet. It is equivalent to filtering for IP protocol 50.

C: If the ISP were blocking traffic, the sniffer (running on the local FortiGate) would still see the outbound packets generated by the FortiGate trying to initiate the connection. " No output " implies the local device isn ' t even generating packets matching that filter.

D: Mismatched IKE versions would still generate IKE negotiation packets (proposals/errors) that would be captured by the sniffer.

The correct answer is A .

The debug output is for an HTTPS request and shows a hostname value. The study guide explains that with SSL certificate inspection, FortiGate extracts the FQDN from either:

“TLS extension server name indication (SNI)”

“SSL certificate common name (CN)”

So the hostname shown in the real-time web-filter debug can be derived from the SNI in the client request or, if needed, from the CN in the server certificate. That makes A correct.

Why the other options are wrong:

B is wrong because the study-guide example for web-filter real-time debug explicitly says: “This slide shows an example of real-time debug output when the URL to categorize isn ' t in the FortiGuard cache.” In these debugs, cat=255 appears before the final lookup result, so this does not indicate a local-cache hit.

C is wrong because ftgd-allow is the action , not the profile name. The debug line shows the action as action=9 (ftgd-allow) while the profile shown is profile= ' default ' . FortiOS web-filter logs also use the profile field separately from the action field

D is wrong because the final category shown is url_cat=52 , not 255. The study guide’s example shows the same pattern: an initial cat=255 in the request line, followed by the resolved result cat=52 url_cat=52

So the verified answer is: A .

The output on FGT-01 confirms that the device is actively encapsulating traffic and sending it as ESP packets (Protocol 50) out of port1 towards the IP address 97.86.16.52. The logs show outgoing packets, which confirms FGT-01 is attempting to initiate or maintain the tunnel and that NAT-Traversal is not being used (as it uses raw ESP).

The output on FGT-02 , however, displays (no packets captured). This is significant because the sniffer command diagnose sniffer packet any ' esp ' captures traffic at the network interface level (ingress), regardless of whether a matching VPN configuration exists on the receiving unit. The absence of packets proves that the ESP traffic generated by FGT-01 is physically not arriving at FGT-02 ' s interface.

This behavior is explained by two primary factors:

Option A (Blocking): An intermediate device, such as an ISP router or firewall, is dropping Protocol 50 traffic. Unlike UDP 500/4500, raw ESP is often blocked by default on many networks or legacy devices.

Option C (Routing/Misconfiguration): If the administrator configured the wrong remote peer IP on FGT-01 , the packets are being routed to a different destination entirely. Consequently, they never arrive at FGT-02 to be captured.

Option B is incorrect because even without a configured VPN tunnel, the sniffer would still display the incoming ESP packets if they were reaching the interface. Option D is incorrect because FGT-01 is sending ESP, making ' esp ' the correct filter.

The correct answer is D .

The study guide shows the ipsmonitor test usage exactly:

1: Display IPS engine information

2: Toggle IPS engine enable/disable status

5: Toggle bypass status

99: Restart all IPS engines and monitor

So diagnose test application ipsmonitor 5 is used to toggle bypass status , which corresponds to enabling IPS bypass mode .

Why the other options are wrong:

A is wrong because disabling the IPS engine is option 2 , not 5.

B is wrong because the study guide does not define option 5 as IPS session information.

C is wrong because restarting all IPS engines and monitors is option 99 , not 5.

So the verified answer is: D .

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

FortiTelemetry is a critical part of Security Fabric communications and requires explicit configuration for each participating FortiGate interface. The administrative access setting " fabric " (corresponding to FortiTelemetry) must be manually enabled per interface on both upstream and downstream devices. This is performed in the GUI under Administrative Access or via the CLI using the command set allowaccess fabric for the relevant network interface. Without this step, FortiTelemetry communications will not occur on that interface.

Additionally, the default communication between downstream and upstream FortiGate units in the Security Fabric is over TCP port 8013. This port is well-documented as the standard for Security Fabric and FortiTelemetry connections, and must be open and permitted across the network path for connectivity and status enforcement between units. The downstream FortiGate initiates the connection to the upstream via this port unless otherwise configured. This has also been documented as a PCI-relevant port, showing its default usage.

Other options:

Neighbor Discovery in FortiOS uses IPv6 ND protocol, not TCP.

FortiTelemetry port (8013) can be modified, but the interface Administrative Access for the Security Fabric must be manually enabled; Neighbor Discovery port modification is not documented as a supported change for FortiGate.

The correct answer is C .

The exhibit shows:

562 in ESTABLISHED state

27 in CLOSE state

memory_tension_drop=0

ephemeral=0/131072

According to the study guide, for TCP sessions: “The protocol state in the session table is a two-digit number. For TCP, the first number (from left to right) is related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy)… The second digit is the client-side state.” The same page also shows that value 1 = ESTABLISHED

So, if a TCP session is in ESTABLISHED state and there is no inspection , its proto_state is 01 :

first digit 0 = no inspection

second digit 1 = ESTABLISHED

That makes C correct. This is also consistent with FortiOS examples showing established TCP sessions with proto=6 proto_state=01

Why the other options are wrong:

A is wrong because the field that indicates sessions dropped due to low free memory is memory_tension_drop, and in the exhibit it is 0 , not 113. The study guide states: “If there is a lack of free memory, the kernel deletes the oldest sessions. The command shown on this slide displays the number of sessions the kernel deleted because of this mechanism.” So 113 is the clash value, not memory-tension drops.

B is wrong because ephemeral=0/131072 does not mean 131072 ephemeral sessions were recorded. The study guide explains that FortiGate “sets a hard limit on the maximum number of ephemeral sessions that can exist at the same time in the session table.” Therefore:

0 = current ephemeral sessions

131072 = maximum allowed ephemeral sessions for that model/context

D is wrong because the study guide says the temporary retention for possible out-of-order packets happens in state value 5 (TIME_WAIT) : “When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5.” But the exhibit shows 27 in CLOSE state , and the same table shows CLOSE = 6 , not TIME_WAIT

So the verified answer is C .

The correct answers are C and D .

The study guide states: “SSL certificate inspection relies on extracting the FQDN of the URL from either: TLS extension server name indication (SNI), SSL certificate common name (CN).” It also says: “When using SSL certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates and the SNI field, which are interchanged before the encryption.”

This proves the second part of the answer:

under SSL certificate inspection , FortiGate does not decrypt the traffic

therefore, if the traffic is allowed , it still passes without decryption

That makes D correct.

For the SNI mismatch behavior, the FortiOS administration guide describes the default Server certificate SNI check behavior as:

“Enable: If it is mismatched use the CN in the server certificate for URL”

So if the SNI does not match the CN or any SAN, FortiGate falls back to using the CN from the Subject field for URL handling under the default setting. That makes C correct.

Why the other options are wrong:

A is wrong because with the default SNI-check behavior, when the SNI mismatches the certificate identity, FortiGate does not continue using the mismatched SNI . Instead, it uses the CN in the server certificate for the URL .

B is not the best answer in this single pair selection . While certificate inspection does not decrypt traffic, the key default behavior the documents explicitly highlight for this mismatch case is:

use the CN when SNI mismatches , and

certificate inspection does not decrypt allowed HTTPS traffic .

So the verified answers are: C, D .