NSE5_FSW_AD-7.6 Fortinet NSE 5 - FortiSwitch 7.6 Administrator Questions and Answers

While FortiSwitch can collect all the listed LLDP-MED TLVs (Network Policy, Power Management, Location, and Inventory Management), the primary focus for tracking and identifying network devices is on the Inventory Management TLV.

This TLV carries critical details such as:

Manufacturer

Model

Hardware/Firmware versions

Serial/Asset numbers

This information provides a granular understanding of the devices on your network.

According to the FortiSwitchOS 7.6 FortiLink Guide and the FortiSwitch 7.6 Study Guide , managed FortiSwitch units support a feature called Inter-VLAN Routing Offload . Traditionally, in a FortiLink deployment, traffic between VLANs is "hair-pinned" back to the FortiGate for routing and security inspection. However, to increase performance and reduce latency, the FortiGate can program the managed FortiSwitch to handle Layer 3 routing of trusted traffic locally.

The technical mechanism behind this performance gain is the use of the Forwarding Information Base (FIB) programmed directly into the switch's ASIC (Application-Specific Integrated Circuit) . When routing offload is enabled (specifically using the set switch-controller-offload enable command on the VLAN interface), the FortiGate pushes the necessary routing table and gateway information to the switch hardware. This allows the FortiSwitch to perform packet lookups and forwarding decisions at wire speed within the silicon, bypassing the general-purpose CPU and the FortiLink control plane for that specific traffic flow.

The documentation notes that this feature requires an Advanced Features License on the tier-1 FortiSwitch and is typically applied to the switch closest to the FortiGate. 2 While dynamic routing (Option B) is supported on FortiSwitch, it is not the only thing offloaded; static routes and inter-VLAN gateway traffic are the primary use cases for this offload mechanism. Therefore, the correct architectural description is that the switch utilizes its hardware-based FIB to accelerate inter-VLAN communication.

In mixed-vendor network environments, such as deployments that include both FortiSwitch and Cisco devices, proper Layer 2 discovery protocols must be enabled to allow devices to automatically discover neighbors and exchange essential device and interface information. FortiSwitchOS 7.6 supports both Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) to ensure interoperability.

Cisco Discovery Protocol (CDP) is a Cisco-proprietary Layer 2 discovery protocol widely used by Cisco switches, routers, and IP phones. When CDP is enabled on FortiSwitch interfaces, Cisco devices can discover FortiSwitch neighbors and receive information such as device ID, port ID, platform, and capabilities. This is particularly important in Cisco-centric networks where CDP is the primary discovery mechanism.

Link Layer Discovery Protocol (LLDP) , defined by IEEE 802.1AB, is a vendor-neutral discovery protocol supported by both Fortinet and Cisco devices. Enabling LLDP allows FortiSwitch and Cisco devices to exchange standardized information including system name, port description, VLAN information, and management address. LLDP is essential for cross-vendor compatibility and is commonly enabled by default in modern enterprise networks.

The remaining options are incorrect. Unidirectional Link Detection (UDLD) is used to detect unidirectional fiber or copper link failures and does not provide device discovery or information exchange. LLDP-MED is an extension of LLDP specifically designed for media endpoints such as IP phones and is not required for general switch-to-switch discovery.

Therefore, to ensure automatic discovery and information exchange between FortiSwitch and Cisco devices, both CDP and LLDP must be enabled , making Options B and C the correct and fully verified answers based on FortiSwitchOS 7.6 documentation.

Based on the DHCP snooping configuration details provided in the exhibit:

B. FortiSwitch is configured to trust DHCP replies coming on FortiLink interface. The configuration segment shows "trusted ports : port2 FlInK1 MLAG0," indicating that the FortiSwitch is configured to trust DHCP replies coming from the specified ports, including the FortiLink interface labeled FlInK1. This setup is critical in environments where the FortiLink interface connects directly to a trusted device, such as a FortiGate appliance, ensuring that DHCP traffic on these ports is considered legitimate.

D. Global configuration for DHCP snooping is set to forward DHCP client requests on all ports in the VLAN. The "DHCP Broadcast Mode" set to 'All' under the DHCP Global Configuration indicates that DHCP client requests are allowed to broadcast across all ports within the VLAN. This setting is essential for environments needing broad DHCP client servicing across multiple access ports without restriction, facilitating network connectivity and management.

In dynamic routing on FortiSwitch, certain types of interfaces are utilized to participate in the routing processes. The types of interfaces that can be used include:

Loopback Interfaces (B): Loopback interfaces are virtual interfaces that are always up, making them ideal for use in routing protocols where a stable interface is necessary. They are commonly used to establish router IDs and manage routing information more reliably.

Switch Virtual Interfaces (C): Switch Virtual Interfaces (SVIs) are assigned to VLANs and can have IP addresses assigned to them, making them capable of participating in Layer 3 routing. SVIs are essential for routing between different VLANs on a switch and can participate in dynamic routing protocols to advertise networks or make routing decisions.

Physical Interfaces (D) and Detected Management Interfaces (A) are not typically used directly by dynamic routing protocols for their operations in the context of FortiSwitch.

In FortiSwitchOS 7.6, Dynamic ARP Inspection (DAI) is tightly integrated with DHCP snooping to provide Layer 2 protection against ARP spoofing and man-in-the-middle attacks. DAI relies on the DHCP snooping binding table , which contains trusted IP-to-MAC-to-port mappings learned from legitimate DHCP transactions. Because of this dependency, the trust model for DAI is directly inherited from DHCP snooping.

According to the FortiSwitchOS 7.6 Administrator Guide, when a switch port is configured as trusted for DHCP snooping , that same port is automatically treated as trusted by DAI . No additional configuration is required. This implicit trust relationship exists because trusted DHCP snooping ports are assumed to be connected to legitimate infrastructure devices such as DHCP servers, routers, or upstream network devices that must be allowed to send valid ARP replies.

On untrusted ports, DAI inspects ARP packets and validates them against the DHCP snooping database. If an ARP packet does not match an existing binding, it is dropped. On trusted ports, ARP packets bypass DAI inspection to ensure normal network operation and to avoid blocking valid infrastructure traffic.

The other options are incorrect. There is no separate CLI command required to trust a port for DAI (Option A). IP Source Guard (Option C) is another Layer 2 security feature that also depends on DHCP snooping but is not required to establish DAI trust. Static MAC learning (Option D) is unrelated to DAI trust behavior.

Therefore, once a port is configured as trusted for DHCP snooping, DAI implicitly trusts the port , making Option B the correct and fully verified answer based on FortiSwitchOS 7.6 documentation.

From the exhibit and the details given about the routes not installed in the FIB:

These two routes have a higher administrative distance value available to the destination networks (Option A) : Administrative distance is a measure used by routers to select the best path when there are two or more different routes to the same destination from two different routing protocols. A higher administrative distance means that the route is considered less trustworthy, thus not selected for the FIB unless the more preferred routes fail.

These two routes will become primary, if the best routes are removed (Option B) : In routing, if the currently installed routes (which are considered the best due to reasons like lower administrative distance) are removed or become unavailable, the next best routes based on administrative distance will be used. This behavior ensures redundancy and maintains network connectivity in diverse scenarios.

The FortiLink authorization process is an integral part of setting up FortiSwitch to be managed by FortiGate. The correct statements regarding the FortiLink authorization process are:

C. A FortiLink frame is sent by FortiGate to FortiSwitch to complete the authorization. This is a part of the FortiLink protocol, where FortiGate communicates with the connected FortiSwitch to establish management and control. This frame initiates the configuration and management process, allowing FortiGate to effectively control the switch.

D. FortiLink authorization sets the FortiSwitch management mode to FortiLink. Once authorized, the management mode of FortiSwitch is set to FortiLink, indicating that it is being managed via a FortiLink connection from a FortiGate appliance. This changes the operational mode of the switch to be under the control of the FortiGate for centralized management and policy application.

"The tool is a Python script that converts the supported settings in a FortiSwitch standalone configuration file to the equivalent FortiOS settings for a managed switch." Reference: FortiSwitch 7.2 Study Guide, page 349

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , Internet Group Management Protocol (IGMP) snooping is a Layer 2 mechanism that allows a switch to "listen" to IGMP conversations between hosts and routers to maintain a map of which ports require specific multicast streams. When IGMP snooping is enabled, the switch populates a Multicast Layer 2 Forwarding Table (as shown in the exhibit), which ensures that multicast traffic is only forwarded to ports where a receiver has explicitly requested it (e.g., PC1 on port1).

When IGMP snooping is disabled , the switch no longer maintains this granular forwarding table. By default, a Layer 2 switch that is not performing IGMP snooping treats multicast traffic as if it were broadcast traffic . Consequently, instead of being intelligently forwarded only to the interested receiver (PC1), the multicast traffic for group 225.1.2.3 will be flooded to all ports within the same VLAN (VLAN 10). This means PC2, even if it has not joined the group, will receive the multicast packets at the physical layer, leading to unnecessary bandwidth consumption and increased CPU load on unintended recipients.

The documentation explicitly states that disabling IGMP snooping reverts the switch to a "flood-all" behavior for multicast frames within the broadcast domain. Option A is incorrect because the host (PC1) remains a member of the group; only the switch's forwarding logic changes. Option B is incorrect as the switch may still see the messages but will not act on them to prune ports. Option D is incorrect as disabling the feature removes the prune/stop mechanism, causing traffic to flow everywhere rather than stopping.

In a hierarchical network model, the role of a device functioning simultaneously as both the distribution and core is most accurately described as "FortiGate managing FortiSwitch (B)." In this setup, FortiGate acts as the central unit managing multiple FortiSwitch units, thereby functioning both as a distribution layer—handling traffic between network segments—and as a core layer—managing traffic within the network on a broader scale. This setup is typical in medium-sized networks where a single device is capable enough to handle both roles effectively.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , Private VLANs (PVLANs) provide a mechanism to partition a regular VLAN (the Primary VLAN) into sub-VLANs to control Layer 2 traffic flow within the same broadcast domain.

In a multi-tenant environment requiring strict security, an Isolated VLAN (Option C) is the correct choice to prevent lateral communication between servers. The documentation specifies that ports within an Isolated VLAN are completely blocked from communicating with any other ports in the same Isolated VLAN or any Community VLANs. This effectively eliminates the risk of "east-west" traffic or lateral movement between tenant servers, even if they reside in the same physical switch and logical subnet.

However, the architecture of PVLANs ensures that these isolated ports can still communicate with Promiscuous ports . In this scenario, the shared FortiGate firewall would be connected to a Promiscuous port within the Primary VLAN (Option D) . This allows all tenant servers in the Isolated VLAN to send and receive traffic to the FortiGate for internet access and centralized security filtering, while remaining invisible to one another at the hardware layer.

Community VLANs (Option B) would be inappropriate for this specific requirement because ports within a Community VLAN can communicate with each other, which violates the requirement for complete isolation between all servers. Therefore, the combination of an Isolated VLAN for the servers and a Promiscuous port for the firewall is the standard design for multi-tenant isolation in FortiSwitchOS 7.6.

Layer 2 flooding caused by Ethernet frames with all bytes in the destination MAC address set to FF refers to broadcast frames. Here’s why:

Broadcast Ethernet Frame (A):

Address Specification: In Ethernet networking, a broadcast frame has a destination MAC address of FF:FF:FF:FF:FF:FF , which instructs network devices to forward the frame to all devices within the broadcast domain.

Network Behavior: This causes Layer 2 flooding as the frame is sent to all ports in the VLAN, except the originating port, ensuring that the broadcast reaches all network segments.

Other Frame Types:

Unicast (B) targets a single device.

Multicast (C) targets a group of devices.

Anycast (D) is not used in Ethernet but rather in IP-based routing to route to the nearest of multiple destinations, typically in internet addressing.

FortiSwitchOS 7.6 provides two primary mechanisms for packet capture: the sniffer command and the sniffer profile . While both are used for traffic analysis and troubleshooting, the FortiSwitchOS 7.6 Administrator Guide clearly identifies a key advantage of using a sniffer profile over the CLI-based sniffer command.

According to the documentation (Page 438), a sniffer profile allows administrators to capture packets from all switch ports simultaneously , without being constrained to a single interface or requiring repeated command execution. This capability makes sniffer profiles particularly effective for broad troubleshooting scenarios, such as identifying intermittent issues, unknown traffic sources, or network-wide anomalies across multiple ports and VLANs.

In contrast, the diagnose sniffer packet command is executed manually and typically focuses on a specific interface or traffic flow, requiring administrators to explicitly define capture parameters each time. This makes it less efficient when comprehensive visibility across the switch is required.

Sniffer profiles are also designed to be persistent and reusable , meaning they can remain configured and enabled as needed without continuous CLI interaction. This is especially beneficial in production environments where consistent monitoring across all ports is necessary while minimizing administrative overhead.

The other answer choices are incorrect because sniffer profiles do not eliminate the need for ACLs or port mirroring, do not inherently filter traffic automatically, and do not provide SSL/TLS decryption, which is outside the functional scope of FortiSwitch.

Therefore, based on FortiSwitchOS 7.6 Administrator Guide (Page 438), the correct and fully verified answer is A. It allows packet capture on all switch ports without limitations.

The native VLAN is implicitly part of the allowed VLAN on the port (C) : On a managed FortiSwitch port, the native VLAN, which is the VLAN assigned to untagged traffic, is implicitly included in the list of allowed VLANs. This means it does not need to be explicitly specified when configuring VLAN settings on the port. This configuration simplifies VLAN management and ensures that untagged traffic is handled correctly without additional configuration steps.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , the Routing Monitor provides a comprehensive view of the Routing Information Base (RIB), which includes all routes learned via static configuration or dynamic protocols (OSPF, BGP, etc.). However, not every route present in the RIB is active for traffic forwarding. The switch must select the "best" path for any given destination to be installed into the Forwarding Information Base (FIB) .

The provided exhibit shows a routing table with multiple sources for the same destination. Specifically, there is a Static default route ($0.0.0.0/0$) with an administrative distance of 220, and an OSPF default route ($0.0.0.0/0$) with an administrative distance of 110. In FortiSwitchOS routing logic, when multiple routes to the exact same destination exist, the system compares their Administrative Distance (AD) . The route with the lowest AD is considered the most "preferred" or "trustworthy".

In this case, the OSPF route ($AD 110$) is more preferred than the Static route ($AD 220$). Consequently, the OSPF route is marked with a green checkmark in the FIB column, while the Static route—despite being "Available" in the RIB—is excluded from the FIB. The same logic applies to the $10.0.100.0/30$ subnet, where the Connected route is preferred over the OSPF learned route for the same destination. Therefore, the status reflects standard route selection behavior where less-preferred routes remain in the RIB as backups but are not used for active forwarding.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , understanding how VLANs are processed on a switch port is fundamental to network segmentation. A FortiSwitch port behaves differently depending on whether traffic is entering (ingress) or leaving (egress) the interface.

First, you can assign only one native VLAN on a port (Option C) . The Native VLAN (often called the PVID or Port VLAN ID) is the default internal ID assigned to any untagged frames arriving at the port. In a managed environment, this is typically set via the FortiGate's switch controller. By design, a single physical interface can only belong to one primary broadcast domain for untagged ingress traffic to ensure there is no ambiguity in the switch's internal forwarding logic.

Second, the untagged VLAN setting applies to egress traffic only (Option B) . While the "Allowed VLANs" list defines which tagged traffic can pass through the port, the "Untagged VLANs" list specifies which of those VLAN tags should be removed by the switch before the frame is transmitted out of the physical port. This is crucial for connecting devices that do not support 802.1Q tagging, such as standard PCs or printers.

Regarding the incorrect options: Option A is incorrect because the "Untagged" list does not define ingress rules; ingress is governed by the Native VLAN for untagged packets and the Allowed list for tagged packets. Option D is incorrect because, in a managed FortiLink environment, all VLAN assignments should be performed through the FortiGate's Switch Controller to ensure centralized management and consistency.

The STP (Spanning Tree Protocol) discarding state on port1 of Core-2, after Core-1 and Access-1 are managed and authorized by FortiGate-1, is likely due to the lack of an MCLAG (Multi-Chassis Link Aggregation Group) configuration between Core-1 and Core-2. In typical network configurations involving STP and MCLAG, the absence of MCLAG can lead to STP blocking one of the redundant paths to prevent loops, which is a critical function of STP. Port1 on Core-2 being in a discarding state suggests that it has been identified as providing a redundant path that could potentially create a network loop, hence STP has placed this port in a blocking (discarding) state to maintain a loop-free topology.

A FortiLink interface must be enabled on FortiGate (A) : To manage a FortiSwitch stack, a dedicated FortiLink interface on the FortiGate is required. This interface is used to manage the communication between FortiGate and the FortiSwitch stack, enabling centralized control and configuration of the switches directly from the FortiGate.

The switch controller feature must be enabled on FortiGate (B) : Enabling the switch controller feature on FortiGate allows it to manage connected FortiSwitch units. This feature provides tools and interfaces on the FortiGate for overseeing FortiSwitch configurations, monitoring switch status, and managing network policies across the stack.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiLink 7.6 Study Guide , DHCP snooping is a security feature that prevents rogue DHCP servers from distributing incorrect IP addresses on a network. Once enabled for a specific VLAN, the switch differentiates between trusted and untrusted ports to regulate DHCP traffic.

Trusted Ports and DHCP Replies (Option A): In a managed FortiSwitch environment, all ports are untrusted by default . To allow a DHCP server (such as a FortiGate or an external server) to provide IP addresses, the administrator must explicitly set the connecting port as trusted . DHCP snooping validates incoming packets; it allows DHCP server messages (such as DHCPOFFER and DHCPACK) only on these trusted ports. Any DHCP server reply arriving on an untrusted port is identified as coming from a potentially rogue source and is discarded by the switch.

Option 82 Data Insertion (Option C): FortiSwitch supports DHCP Option 82 (also known as the Relay Information Option), which provides additional security by appending location-specific information (such as the Circuit ID and Remote ID) to DHCP request packets . When DHCP snooping is active, the switch can be configured to insert this data into client requests as they enter untrusted ports. This allows the upstream DHCP server to identify the specific physical port or VLAN from which the request originated, even if the server is located in a different subnet.

Regarding the incorrect options: Option B is false as DHCP snooping only inspects and filters DHCP-specific traffic, not general unicast data. Option D is incorrect because DHCP requests (client-to-server) are generally permitted on all ports to ensure clients can find a server, though some configurations allow dropping requests from untrusted sources if they do not meet specific security criteria.

When a FortiSwitch is converted from standalone (local) management mode to FortiGate-managed mode using FortiLink , FortiSwitchOS follows a well-defined and protective transition process. According to the FortiSwitchOS 7.6 Administrator Guide, the switch does not merge its existing standalone configuration with FortiLink-managed settings, nor does FortiGate import or preserve the active configuration for reuse.

Instead, when the management mode change occurs, the FortiSwitch saves the current standalone configuration internally and then resets its operational configuration to the default FortiLink configuration . This default configuration is required so the switch can correctly establish FortiLink control-plane communication with the FortiGate, including CAPWAP-based management, VLAN 4094 usage, and dynamic policy provisioning.

Once the FortiSwitch is under FortiGate management, all configuration is controlled centrally by the FortiGate , including VLANs, port policies, security features, and firmware management. The previously saved standalone configuration is retained only as a backup reference on the switch and is not actively used unless the switch is later reverted back to standalone mode.

This behavior ensures configuration consistency, prevents conflicts between local and centralized policies, and aligns the switch with the FortiGate-centric Security Fabric architecture . It also avoids unpredictable results that could occur if legacy standalone settings were merged with FortiLink-managed profiles.

The other options are incorrect because FortiSwitch does not register with FortiSwitch Cloud automatically, does not merge configurations, and FortiGate does not back up the standalone configuration during onboarding.

Therefore, the correct and fully documented answer is C. FortiSwitch saves the standalone configuration and changes to the default FortiLink configuration.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , Multichassis Link Aggregation (MCLAG) and standard Link Aggregation Groups (LAG) are designed to provide link-level and node-level redundancy while presenting a simplified logical view to the Spanning Tree Protocol (STP).

In the provided topology:

Logical Switch View (Option D): Switch 1 and Switch 2 are configured as MCLAG peers connected via an Inter-Chassis Link (ICL). From the perspective of downstream devices and STP, these two physical switches act as a single logical entity. This prevents STP from seeing a loop between the two switches and the downstream Switch 3, as the redundant physical paths are bundled into a single logical MCLAG trunk.

Logical Interface View (Option B): The exhibit shows Switch 4 connected to Switch 3 via two physical links bundled into a LAG , and Switch 3 connected to the MCLAG peers via split links. In both cases, STP treats the aggregated physical links as a single logical interface . Because the multiple physical paths are managed by the Link Aggregation Control Protocol (LACP) as one trunk, STP does not block individual ports to prevent loops; instead, it sees one high-bandwidth path.

Regarding the incorrect options: Option A is false because Switch 3 is an MCLAG client , not a peer in the group. Option C is incorrect because Switch 3 and Switch 4 are separate physical and logical nodes; they are not seen as a single client entity by the core.

Time synchronization between FortiGate and its managed FortiSwitch devices is essential for several reasons:

A. FortiSwitch does not retain its time after a reboot, which gets reset after each reboot. This characteristic of FortiSwitch underlines the importance of time synchronization with FortiGate. Since FortiSwitch loses its time settings upon reboot, synchronizing with FortiGate ensures that its system clock is accurate, which is vital for logging, troubleshooting, and security timestamping.

C. FortiSwitch cannot complete the DTLS handshake used in the CAPWAP tunnel. Accurate time synchronization is crucial for security protocols such as DTLS, which rely on timestamped certificates for establishing a secure connection. If the time on FortiSwitch is not synchronized with FortiGate, the DTLS handshake used in the CAPWAP tunnel for secure communication may fail due to time discrepancies, impacting the management and operation of the switch.

In a FortiGate-managed switching deployment using FortiLink , FortiSwitch devices rely on their internal interface to establish management connectivity with the FortiGate. According to the FortiSwitchOS 7.6 Administrator Guide, when a FortiSwitch operates in FortiLink mode, the internal interface must obtain an IP address dynamically via DHCP from the FortiGate over the FortiLink interface. This IP address is required for control-plane communication, including CAPWAP-based management messaging.

From the exhibit, FortiGate successfully manages Core-1 and Core-2 , while Access-1 remains offline. The FortiGate diagnostic output explicitly reports that it cannot detect Access-1 at the FortiLink interface , even though CAPWAP is enabled and the switch is in FortiLink mode. This eliminates CAPWAP configuration (Option B) as the root cause.

Examining the FortiSwitch Access-1 CLI output reveals the key issue:

The internal interface is configured with mode: static and an IP address of 0.0.0.0 .

This configuration prevents Access-1 from obtaining a valid FortiLink management IP address, which is mandatory for FortiGate discovery and authorization. In contrast, FortiSwitch devices managed by FortiGate must have their internal interface set to DHCP , allowing the FortiGate to automatically assign an address from the FortiLink subnet.

Assigning a static IP (Option A) is not recommended or required in FortiLink-managed mode, NTP configuration (Option D) has no impact on discovery, and CAPWAP is already enabled as shown in the FortiGate output.

Therefore, the initial and required corrective action is to set the Access-1 internal interface mode to DHCP , making Option C the correct and fully verified answer based on FortiOS 7.6 and FortiSwitchOS 7.6 documentation.

"MSTP is based on RSTP", so the same port role election and the same root bridge selection. Reference: FortiSwitch 7.2 Study Guide, page 187

According to the FortiOS 7.6 Study Guide and the FortiSwitch 7.6 FortiLink Guide , the health and stability of the control plane between a FortiGate and a managed FortiSwitch are maintained through a continuous keepalive mechanism. Once a FortiSwitch is authorized and transitions to the FL_STATE_READY state (as shown in the debug output in the exhibit), the devices must ensure the management tunnel remains active.

The primary mechanism for this is the FortiLink heartbeat . The documentation specifies that a managed FortiSwitch sends heartbeat messages to the FortiGate every few seconds over the FortiLink interface. The FortiGate, acting as the controller, must acknowledge these heartbeats to confirm that the switch is still reachable and responding to management commands. If the FortiGate fails to receive a certain number of consecutive heartbeats, it will consider the switch "offline" in the GUI, even if physical link lights remain green.

Checking for these heartbeat exchanges is a critical troubleshooting step to verify that the CAPWAP (Control and Provisioning of Wireless Access Points) based management tunnel is functioning correctly without intermittent drops. Option A is incorrect as port disabling is a configuration choice, not a health check. Option C is incorrect because firmware updates are manual or scheduled, not automatic upon authorization. Option D is a logging function that relies on a healthy management tunnel but is not a direct measure of the FortiLink's operational health.

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide , Remote Switched Port Analyzer (RSPAN) is a method used to monitor traffic across a network of switches by carrying mirrored traffic over a specific RSPAN VLAN. Because RSPAN floods mirrored traffic to all ports that are members of that specific VLAN across the intermediate switches (Switch B, etc.) until it reaches the destination port, it is critical to manage how that traffic is isolated.

The documentation explicitly states that the best practice is to use a dedicated VLAN assigned only to monitoring devices (Option B) . When a VLAN is designated for RSPAN, the switch disables MAC address learning on that VLAN to ensure that the mirrored traffic—which contains the source and destination MAC addresses of the original conversation—does not interfere with the switch's normal MAC address table entries for those devices. 2

Using a VLAN that already carries regular data traffic (Option A) would result in a massive amount of duplicate traffic being flooded to normal production hosts, leading to network congestion and potential security risks. Similarly, using a dynamic VLAN that includes all ports (Option C) would cause the mirrored traffic to be broadcast to every port in the switch fabric, significantly degrading performance. Finally, using the RSPAN VLAN as a native VLAN (Option D) is not recommended because native VLANs typically handle untagged traffic, whereas RSPAN requires consistent tagging to ensure the mirrored packets stay within the isolated monitoring domain across trunk links. Therefore, creating a unique, dedicated VLAN that is used exclusively for the transport of mirrored traffic is the architectural standard for FortiSwitch RSPAN deployments.