FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Questions and Answers

The correct answer is A .

The study guide explains the IKEv2 exchange order very clearly:

“The initial exchanges are: IKE_SA_INIT and IKE_AUTH.”

“Create_Child_SA exchange: Creates a new child SA or rekeys an existing child SA.”

It also states:

“After successful IKE_SA_INIT and IKE_AUTH exchanges, the CHILD_SA exchange takes place. In this exchange, the peers negotiate the CHILD_SA and the traffic selectors — traffic selector responder (TSr) and traffic selector initiator (TSi).”

That is why A is correct: if the tunnel was initially brought up successfully , then the initial exchanges already succeeded. A later problem during CREATE_CHILD_SA , especially with traffic selectors/phase 2 selectors , can cause the tunnel to fail during rekey or child-SA renegotiation.

Why the other options are wrong:

B is wrong because proposal mismatch for the IKE SA is handled during IKE_SA_INIT , not after the tunnel is already up. The study guide says IKE_SA_INIT negotiates the security settings to protect the IKE traffic

C is wrong because a pre-shared key mismatch is part of authentication and would prevent successful initial establishment during IKE_AUTH . The study guide shows that after IKE_AUTH, “authentication succeeded” and “established IKE SA” when it works

D is wrong because a Diffie-Hellman mismatch belongs to IKE_SA_INIT , which happens before the tunnel comes up. The study guide also states: “By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange.”

So the verified answer is: A .

The correct answers are C, D, and E .

The study guide lists the exact OSPF adjacency requirements :

“Interfaces of peers are the same type and in the same OSPF area”

“Each peer has a unique router ID”

“OSPF authentication, if enabled, is successful”

These map directly to:

C. OSPF interface network types match

D. Authentication settings match

E. OSPF router IDs are unique

The same study-guide slide also states other requirements such as:

peers’ primary IPs must be in the same subnet with the same mask

hello and dead intervals must match

OSPF MTUs must match

Why the other options are wrong:

A is wrong because link cost matching is not listed as an adjacency requirement . OSPF cost affects path selection, not whether adjacency can form.

B is wrong because interface priority does not need to be unique . Priority is used for DR/BDR election, where the highest priority wins, and ties are broken by router ID.

So the verified answers are: C, D, E .

The exhibit shows:

memory conserve mode: on

memory used: 2706 MB 89% of total RAM

memory used threshold red: 2675 MB 88% of total RAM

memory used + freeable threshold extreme: 2887 MB 95% of total RAM

The study guide states that the default thresholds are:

Extreme = 95%

Red = 88%

Green = 82%

So this FortiGate is in conserve mode because memory usage is 89% , which is above the red threshold (88%) , but it has not yet reached the extreme threshold (95%) .

The study guide then explains exactly what happens during conserve mode:

“For traffic that requires proxy-based inspection (and if memory usage has not exceeded the extreme threshold):

config system global

set av-failopen [off | pass | one-shot]

pass (default): All new sessions pass without inspection”

It also says:

“The av-failopen setting also applies to flow-based antivirus inspection.”

And the same page adds:

“If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

Therefore, with default settings and with memory usage below the extreme threshold , FortiGate is allowing new sessions that require inspection, but bypassing inspection . That matches C .

Why the other options are wrong:

A is wrong because the default behavior is not to block proxy-based inspected sessions; the default is pass , meaning they pass without inspection

B is wrong because if memory rises another 6% , it reaches 95% , which is the extreme threshold . At that point, the study guide says all new sessions that require inspection are blocked

D is wrong because FortiGate blocks all new inspected sessions only when memory usage exceeds the extreme threshold , and the exhibit shows it is currently at 89% , not 95%

The correct answer is B. Assertion dump .

The study guide states: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

The same study guide page for real-time SAML troubleshooting shows the section labeled **** Assertion Dump **** , and inside that assertion it displays the actual user attributes, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

It also explicitly marks this part as “Attributes sent by IdP”

Why the other options are wrong:

A. Bindings HTTP post is incorrect because bindings define how SAML messages are transported , not the section that contains the attributes. The study guide says: “Bindings: Define how SAML protocol messages are transmitted over different communication channels.”

C. Authentication request is incorrect because that is built by the SP and sent toward the IdP, not where the IdP’s user attributes are shown. The study guide’s flow says the SP “Builds auth request” and the IdP later “Builds auth response.”

D. Authentication response is broader than the exact section being asked. The exact section in the study guide where the IdP-provided attributes are shown is the Assertion dump .

So the verified answer is: B .

The correct answer is B .

In the exhibit:

Neighbor 100.64.1.254 shows State/PfxRcd = 1 , which means the session is established and the local FortiGate has received 1 prefix

Neighbor 100.64.2.254 shows State/PfxRcd = Active

The study guide explains the BGP states exactly:

Connect : Waiting for a successful three-way TCP connection

Active : Unable to establish the TCP session

OpenSent : Waiting for an OPEN message from the peer

OpenConfirm : Waiting for the keepalive message from the peer

Established : Peers have successfully exchanged OPEN and keepalive messages

It also explains how to read the State/PfxRcd column:

“If the state is not established, this column displays the BGP state. If the state is established, this column displays the number of prefixes that the local FortiGate received from that neighbor.”

Therefore, because neighbor 100.64.2.254 is in Active state, the correct conclusion is that the BGP adjacency cannot form because the TCP session could not be established .

Why the other options are wrong:

A is wrong because BGP can establish adjacencies with multiple neighbors independently; one established neighbor does not block another

C is wrong because BGP adjacency is not established based on neighbor “priority”; the output shows adjacency is established because the session completed and prefixes were exchanged

D is wrong because having two neighbors in the same remote AS is valid in BGP and does not prevent adjacency formation

So the verified answer is: B .

The correct answer is A . This behavior is dictated by the configuration command set snat-route-change enable shown in Exhibit 1 under config system global.

Routing Change: By changing the priority of route ID 2 from 10 to 0, it becomes lower than route ID 1 (priority 5). In FortiOS, a lower priority value indicates a more preferred route. Consequently, the active route for the destination changes from port1 to port2 .

SNAT Implication: The existing session (shown in Exhibit 2) is using Source NAT (SNAT) with the IP address associated with port1 (10.200.1.1). If the traffic were simply switched to port2 , the source IP would be incorrect for that interface and the return traffic would likely fail or be dropped.

snat-route-change enable: This specific setting instructs the FortiGate on how to handle established SNAT sessions when a routing change occurs that alters the preferred outgoing interface. When enabled, if a route change forces an SNAT session to a new interface, FortiGate flushes (deletes) the session from the session table. This is necessary because a live TCP session cannot survive a change in its source IP address. The client must initiate a new session, which will then be created using the new correct route (port2) and the corresponding new SNAT IP.

If this setting were disabled, the session would likely remain " sticky " to the original interface (port1) until it closed, provided the route still existed. However, the explicit configuration forces the deletion.

In the provided session table output, the following details justify the answers:

Policy ID Match: The line policy_id=1 directly confirms that this session was matched by Firewall Policy ID 1. According to Fortinet’s session table documentation, the policy_id field always references the policy that allowed this session, so this is a clear indicator.

Session Offloading: The presence of the strings npu_state, ips_offload, and notably the NPU info section such as offload=8/8, ips_offload=1/1 shows that this session has been offloaded to the Network Processor Unit (NPU). Fortinet technical documentation states that " offload " values greater than zero in both directions (and an NPU info section) affirm that NPU hardware processing (fast path) is handling this traffic, thus the session is not being handled in software only.

Other options:

VLAN Tagging (vlan=0x0000/0x0000): This means no VLAN tag is assigned to this session.

NP7: The actual NPU model handling the session isn’t exposed in this snippet–the offload parameters shown are generic and not specific to NP7 hardware, so it cannot be concluded from the session data.

The correct answer is B .

The study guide explicitly states: “IKE version 2 does not interoperate with IKE version 1, but they share enough of the header format that both versions can unambiguously operate over the same UDP port.”

That directly proves B .

Why the other options are wrong:

A is wrong because the study guide shows authentication methods as Asymmetric for IKEv2 and Symmetric for IKEv1

C is wrong because the study guide does not say they use the same TCP port; instead, it specifically says they can operate over the same UDP port

D is wrong because the study guide states: “IKEv2 does not use the concept of phase 1 or phase 2” , even though FortiOS CLI/GUI still uses those terms for configuration purposes

The correct answers are C and D .

The study guide states: “SSL certificate inspection relies on extracting the FQDN of the URL from either: TLS extension server name indication (SNI), SSL certificate common name (CN).” It also says: “When using SSL certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates and the SNI field, which are interchanged before the encryption.”

This proves the second part of the answer:

under SSL certificate inspection , FortiGate does not decrypt the traffic

therefore, if the traffic is allowed , it still passes without decryption

That makes D correct.

For the SNI mismatch behavior, the FortiOS administration guide describes the default Server certificate SNI check behavior as:

“Enable: If it is mismatched use the CN in the server certificate for URL”

So if the SNI does not match the CN or any SAN, FortiGate falls back to using the CN from the Subject field for URL handling under the default setting. That makes C correct.

Why the other options are wrong:

A is wrong because with the default SNI-check behavior, when the SNI mismatches the certificate identity, FortiGate does not continue using the mismatched SNI . Instead, it uses the CN in the server certificate for the URL .

B is not the best answer in this single pair selection . While certificate inspection does not decrypt traffic, the key default behavior the documents explicitly highlight for this mismatch case is:

use the CN when SNI mismatches , and

certificate inspection does not decrypt allowed HTTPS traffic .

So the verified answers are: C, D .

For Option A:In Fortinet BGP (and standard BGP), when a prefix is displayed with an " i " (lowercase i) in the Path column, it represents an internal prefix that originated from the local router, typically configured via the BGP " network " command. In the exhibit, the prefix 10.20.30.0/24 is listed with a Path value of i, indicating it was injected into BGP by the local router using the network statement, not via redistribution from another routing protocol. The same logic applies to i as documented: " Origin code ' i ' means the route was injected via the network command. "

For Option D:The get router info bgp network output is a summary table displaying both local and received BGP routes. It lists all known routes to the BGP process, whether received from peers or originated locally. The exhibit shows all BGP prefixes known to the local router, matching the official admin guide’s description of this command’s output.

Explanation for B and C:

The phrase “legacy route advertisement” is not formalized in BGP documentation or Fortinet’s admin guide; the output uses standard BGP mechanics.

If a route was redistributed into BGP from another routing protocol, the Path field would display a " ? " (question mark) for incomplete (redistributed) origin. Here the /24 route has " i " so it is NOT a redistribution.

To capture encrypted IPsec phase 2 (ESP) traffic between two FortiGate devices, the correct protocol filter to use is ip proto 50. According to the Fortinet official sniffing and debugging documentation, ESP (Encapsulating Security Payload) is used for encrypted phase 2 payload transfer and always uses IP protocol number 50. Running the command diagnose sniffer packet any ' ip proto 50 '  captures only ESP packets, which represent the encrypted traffic—whether originating or transiting the device.

If there is no NAT device between FortiGates, ESP is not encapsulated in UDP (thus not on UDP port 4500; if NAT-T were required, packets would be UDP-encapsulated, but the scenario explicitly says NAT is not in use). UDP port 500 is for IKE control (negotiation) traffic, and AH (Authentication Header, ip proto 51) is not used for encryption in standard IPsec phase 2 with ESP.

This matches the official CLI reference from Fortinet for VPN and traffic analysis.

**

The exhibit shows these key lines:

handle_req-Rcvd auth req ... for jsmith in Lab

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explicitly shows the same LDAP real-time debug pattern and says the request line includes the LDAP server object name:

handle_req-Rcvd auth req ... for jsmith in Lab ...

That supports A : Lab is the configured LDAP server name being used for this authentication request.

For the LDAP flow stage, the study guide states:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree.” It also says that if the LDAP server finds the user, the output shows the user’s full DN.

That matches the exhibit’s start_search_dn-base ... filter:sAMAccountName=jsmith and Found DN ... CN=John Smith... lines, so D is correct.

Why the other options are wrong:

B is wrong because the exhibit shows FortiOS has found the user DN CN=John Smith,..., but that does not mean the user is already authenticating with that DN in this step. The study guide says this DN is discovered in step 2 , and only in step 3 does FortiGate bind using the user DN.

C is wrong because the exhibit is showing step 2 (Search Request) , not step 3 (Bind Request) . The study guide separates these steps clearly and shows step 3 with fnbamd_ldap_build_userbind_req-Trying DN ... and __ldap_build_bind_req-Binding to ' CN=John Smith,... '

The exhibit displays the output from the diagnose debug rating command on a FortiGate device. This command is used to display information about FortiGuard Web Filtering or other security-related queries performed by FortiGate to FortiGuard servers. Official Fortinet documentation outlines the meaning of each field in the server list. The FortiGate maintains a list of available FortiGuard servers, selecting the optimal server based on factors such as weight, round-trip time (RTT), and regional settings.

The very first entry in the server list after " Server List " is the server FortiGate initially uses, prioritized by factors such as proximity and RTT. Here, 64.26.151.37 is listed first, and the FortiGuard-requests value confirms that this server handled the highest number of requests.

The IPs, weights, and lost/failed counters are monitored for server performance and selection over time. FortiGate ' s default operational logic is to try the first entry for contract validation and use the next in the list if the first is unavailable or has high latency or packet loss.

There is no direct correlation between the Weight and the number of FortiGuard-requests. The servers with higher or lower weights may still handle different request volumes based on availability and performance.

The TZ (time zone) value ' s sign (positive or negative) does not affect server preference; it is informational, showing the server ' s location relative to UTC, not a rating metric.

DNS query results for FortiGuard servers are not shown here, and the provided servers are not returned in DNS query order.

This command and interpretation are detailed in the FortiOS Administration Guide’s section describing FortiGuard server selection and contract validation processes.

The correct answers are C and D .

For D , the session output shows proto=6, which means TCP, and proto_state=01. The study guide explains that for TCP sessions, “the first number (from left to right) is related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy). … The second digit is the client-side state.” It also shows that value 1 = ESTABLISHED

So proto_state=01 means:

first digit 0 = no inspection

second digit 1 = ESTABLISHED

That confirms the TCP session has been successfully established.

For C , the study guide section “Session for an Authenticated User” states: “Any session for traffic coming from an authenticated user contains the authed flag. Additionally, the username is added to the session information.”

In the exhibit, the session contains user=User1 and an authentication state flag (authd), which indicates the session is associated with an authenticated user.

Why the other options are wrong:

A is wrong because the session did match a firewall policy . The study guide says the session output includes “The ID of the matching policy” In the exhibit, the session shows policy_id=1 , so a firewall policy was matched.

B is wrong because the study guide explains the gwy field as:

first value = gateway to destination

second value = gateway to source The exhibit shows gwy=10.1.0.254/10.1.10.1, so:

gateway to destination = 10.1.0.254

gateway to source = 10.1.10.1

So the verified answers are: C, D .

We must analyze the flags (*, > , S, O, B) and Administrative Distances (AD) shown in the get router info routing-table database exhibit to determine the correct statements.

Analysis for Option A (The BGP route to 10.0.4.0/24 is not in the forwarding information base):

True. Look at the entry for 10.0.4.0/24.

There is an OSPF route: O * > 10.0.4.0/24 [110/2]. The * indicates it is in the FIB, and > indicates it is the selected route.

There is a BGP route: B 10.0.4.0/24 [200/10]. This line lacks the * flag.

Reason: The OSPF route has an Administrative Distance of 110. The BGP route (iBGP) has an AD of 200. Since 110 is lower than 200, OSPF wins, and the BGP route is not installed in the Forwarding Information Base (FIB).

Analysis for Option B (The default static route through 10.200.1.254 is in the forwarding information base):

True. Look at the 0.0.0.0/0 entries.

The first entry is S * > 0.0.0.0/0 [10/0] via 10.200.1.254.

The * flag confirms this specific route is installed in the FIB.

The second static route (via 10.200.2.254) has a higher distance ([20/0]) and no * flag, so it is inactive.

Why C is False: ECMP (Equal Cost Multi-Path) requires routes to have the same cost/priority. Here, one static route has AD 10 and the other has AD 20. They are not equal, so ECMP is not performed.

Why D is False: The routing table database shows active routes, not the raw Link State Advertisement (LSA) database. You cannot determine the number of LSAs received solely from this output.

The exhibit includes these key debug lines:

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explains that in regular bind , LDAP authentication has four steps , and that during step 2 , FortiGate searches the LDAP tree to find the user’s DN:

“During the second step, FortiGate does a search query in the LDAP database to find the user’s location—in other words, the user’s DN. If the user is found, the server replies with the user’s DN.”

It also states for the real-time debug of step 2:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree. This message includes the base branch (distinguished name setting) and the name of the attribute used to locate the user... If the LDAP server finds the user, the output shows the user’s full DN.”

That directly proves:

D is correct because the debug is showing step 2: Search Request

A is correct because the base DN and found DN are under DC=TAC,DC=ottawa,DC=fortinet,DC=com, which corresponds to the LDAP domain/tree root TAC.ottawa.fortinet.com

Why the other options are wrong:

B is wrong because binding with the user’s credentials is step 3 , not the step shown here. The study guide says: “Step 3 – Bind user credentials” and shows that this happens later with fnbamd_ldap_build_userbind_req / __ldap_build_bind_req-Binding to ' CN=John Smith... '

C is wrong because collecting user group information is step 4 , not the step shown in the exhibit. The study guide says: “The last step is to get the user group information” and shows step 4 with Attr query / memberOf search

According to the official Fortinet documentation (Technical Tip: Useful FSSO Commands), heartbeat messages play a crucial role in communication between the FSSO Collector Agent and FortiGate. These messages are regularly sent from the Collector Agent to verify its status, maintain session awareness, and confirm connectivity between the authentication infrastructure and FortiGate appliances.

Option B is confirmed by Fortinet, as the collector agent logs on Windows or its management console will specifically note heartbeat events, connection status, and any issues maintaining contact with FortiGate units.

Option C is validated by both official CLI documentation and the technical tip linked. On FortiGate, heartbeat messages from the collector agent are visible using real-time debug tools such as diagnose debug application authd or FSSO-specific commands. These enable administrators to monitor live logon states, session status, and connection health directly from the FortiGate CLI. The debug stream shows heartbeats received and their effect on active logons, associating health monitoring with active sessions.

Heartbeat operation is fully automated once FSSO is set up—there is no requirement for manual enablement or configuration, aligning with Fortinet’s philosophy of seamless integration and centralized management across the Security Fabric. This ensures that both FortiGate and the collector agent can quickly and reliably detect any miscommunication or outage, addressing authentication issues proactively.

The key point is that the two VPNs are dynamic dialup IPsec tunnels on the same interface and both are using IKEv1 main mode . In this design, FortiGate cannot reliably distinguish which dialup phase1 to match before phase 1 completes.

The uploaded Network Security Support Engineer 7.6 Study Guide shows that XAuth happens only after phase 1 is already established:

“The IKE real-time debug shows, after phase 1, the exchange of extended authentication (XAuth) packets… You can also see the CFG_REPLY, showing the XAuth user and group name.”

That means the user group is learned too late to be used for selecting the correct phase1 definition. So the fix must be applied to the phase1 matching method itself , not to XAuth.

The FortiOS administration guide gives the exact rule for this scenario:

“When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.”

The 7.6 study guide explains the route selection order:

“Route Selection Process

Most specific route

Lowest distance

Lowest metric (dynamic routes)

Lowest priority (static routes)

ECMP (static, BGP, and OSPF routes)”**

It then states:

“If there are multiple routes with the same netmask, distance, metric, and priority, FortiGate shares the traffic among all of them. This is called equal-cost multi-path (ECMP).”

The FortiOS administration guide confirms the ECMP prerequisite:

“Routes must have the same destination and costs. In the case of static routes costs include distance and priority.”

In the exhibit, the kernel/FIB output shows the two default routes as:

gwy=100.64.1.254 dev=3 (port1) prio=0

gwy=100.64.2.254 dev=6 (port2) prio=10

So although both are default routes, their priorities are different . Since FortiGate uses the FIB/kernel for forwarding traffic, ECMP will not happen until the static-route priorities are the same. The study guide also notes that the FIB is the table used to perform standard routing

Therefore, to make the two default routes eligible for ECMP, the administrator must make the priorities equal. Since port2 is already 10, the needed change is to set the port1 default route priority to 10.

Why the other options are wrong:

A is wrong because snat-route-change affects how existing SNAT sessions react to routing changes, not whether static routes qualify for ECMP

B is wrong because changing port2 to priority 1 still would not match port1 at 0, so the routes still would not have equal cost for ECMP

C is wrong because preserve-session-route affects existing-session route persistence after routing changes, not ECMP qualification

The Internet Key Exchange version 2 (IKEv2) protocol simplifies the negotiation process compared to IKEv1. It is defined by a specific sequence of message exchanges to establish a secure IPsec tunnel.

The correct chronological order of the IKEv2 exchanges is:

IKE_SA_INIT (Initial Exchange):

This is the first exchange. It negotiates the security parameters for the IKE Security Association (IKE SA), sends nonces, and performs the Diffie-Hellman key exchange. At the end of this exchange, the communication is encrypted, but the peers are not yet authenticated.

IKE_AUTH (Authentication Exchange):

This is the second exchange. It authenticates the previous messages, exchanges identities and certificates (if used), and establishes the first Child SA (the actual IPsec Security Association used for data traffic).

CREATE_CHILD_SA (Subsequent Exchanges):

This exchange occurs after the IKE SA and the initial Child SA are established. It is used to create additional Child SAs (for different traffic selectors) or to perform re-keying for the IKE SA or existing Child SAs.

Why other options are incorrect:

A & B: Incorrect because CREATE_CHILD_SA cannot happen before the SA is initialized (IKE_SA_INIT) and authenticated (IKE_AUTH).

D: Incorrect because IKE_AUTH cannot occur before IKE_SA_INIT.

Therefore, the protocol flow is IKE_SA_INIT $\rightarrow$ IKE_AUTH $\rightarrow$ CREATE_CHILD_SA.

The correct answers are A and D .

The debug output shows:

Sent RADIUS req to server ' RadiusServer ' : IP=172.25.188.164 ... user= " student " using CHAP

Result for radius svr ' RadiusServer ' 172.25.188.164(0) is 0

Sending result 0 for req 2

The study guide explains that in RADIUS real-time debug, FortiGate shows the IP address of the RADIUS server it is querying. In the example, it says FortiGate “creates an access request to the RADIUS server at IP address 10.0.13.130” and shows the line Sent radius req to server ... IP=10.0.13.130

So in your exhibit, the queried server is clearly 172.25.188.164 , which makes A correct.

The study guide also states:

“The message fnbamd_comm_send_result-Sending result 0 indicates that the authentication was successful and that FortiGate received the Access-Accept message.”

Since your exhibit also ends with Sending result 0 , that makes D correct.

Why the other options are wrong:

B is wrong because result 0 means authentication successful , not failed

C is wrong because the debug explicitly shows using CHAP , and the study guide lists supported RADIUS schemes as CHAP, PAP, MS-CHAP, and MS-CHAPv2

E is wrong because the study guide says two-factor authentication would involve an Access-Challenge response: “If two-factor authentication is enabled on the server, the response is an Access-Challenge message” Your exhibit shows successful result 0 / Access-Accept , not a challenge.

So the verified answers are: A, D .

The correct answers are A and D .

The Network Security Support Engineer 7.6 Study Guide explains that automation stitches consist of a trigger and one or more actions , and that they can detect events such as high CPU and conserve mode across the Security Fabric

The FortiOS administration guide then gives the exact practical example for A :

“Automation stitches can be created to run a CLI script and send an email message when memory or CPU usage exceeds specified thresholds.”

It also shows examples where the email body contains the script output using:

%%results%%

That directly confirms A .

For D , the FortiOS administration guide states:

“The URI and HTTP body can use parameters from logs or previous action results.”

It also explains the execution model:

“The stitch Action execution can be set to either Sequential or Parallel. In sequential execution actions will execute one after another with a delay (if specified). … In parallel execution all actions will execute immediately when the stitch is triggered.”

A concrete example shows a second action using the output of the first action:

“This string for the body text includes the results from the preceding CLI script action.” with

Body=%%results%%...

That confirms D .

Why the other options are wrong:

B is wrong because automation stitches can be triggered by IPS events, but the documentation does not describe them as modifying packet headers or payloads. Instead, they perform actions such as email, CLI script, webhook, quarantine, and similar automated responses

C is wrong because delay is associated with sequential execution, not parallel execution. The guide explicitly says: “A delay can be added before an action if Sequential action execution is used.”

So the verified answers are: A, D .

The output on FGT-01 confirms that the device is actively encapsulating traffic and sending it as ESP packets (Protocol 50) out of port1 towards the IP address 97.86.16.52. The logs show outgoing packets, which confirms FGT-01 is attempting to initiate or maintain the tunnel and that NAT-Traversal is not being used (as it uses raw ESP).

The output on FGT-02 , however, displays (no packets captured). This is significant because the sniffer command diagnose sniffer packet any ' esp ' captures traffic at the network interface level (ingress), regardless of whether a matching VPN configuration exists on the receiving unit. The absence of packets proves that the ESP traffic generated by FGT-01 is physically not arriving at FGT-02 ' s interface.

This behavior is explained by two primary factors:

Option A (Blocking): An intermediate device, such as an ISP router or firewall, is dropping Protocol 50 traffic. Unlike UDP 500/4500, raw ESP is often blocked by default on many networks or legacy devices.

Option C (Routing/Misconfiguration): If the administrator configured the wrong remote peer IP on FGT-01 , the packets are being routed to a different destination entirely. Consequently, they never arrive at FGT-02 to be captured.

Option B is incorrect because even without a configured VPN tunnel, the sniffer would still display the incoming ESP packets if they were reaching the interface. Option D is incorrect because FGT-01 is sending ESP, making ' esp ' the correct filter.

The correct answers are B and D .

The study guide explains that expectation sessions are pinhole sessions created by session helpers for protocols such as FTP that need additional negotiated connections. It states: “FortiGate created an expectation session and opened the pinhole port for the expected return traffic” and also shows that the firewall “creates an expected (pinhole) session to allow the traffic”

That makes D correct.

For B , the study guide explains the gwy= field in session output: the first value is the gateway to the destination , and the second is the gateway to the source

In the exhibit, the original-direction traffic is DNATed here:

hook=pre dir=org act=dnat 10.171.121.38:0- > 10.200.1.1:60426(10.0.1.10:50365)

So the destination after DNAT is the internal host 10.0.1.10, and the session’s first gwy value corresponds to the next hop toward that destination. That makes B correct.

Why the other options are wrong:

A is wrong because this is an expectation/session-helper behavior, not an IPS-engine-created session. The study guide ties expectation sessions to helpers such as FTP, not IPS.

C is wrong because 10.200.1.1 is the translated address used before DNAT, not the next hop used to forward the original-direction traffic after translation to the internal destination.

So the verified answers are: B, D .

The correct answers are B and D .

The study guide explains that in the SP Login Dump section, FortiGate is acting as the service provider (SP) , and that you should read these fields:

“The IdP SSO URL, from the setting idp-single-sign-on-url in the FortiGate configuration”

“The SP SSO URL, from the setting single-sign-on-url in the FortiGate configuration”

“The IdP Entity ID, from the setting id-entity-id in the FortiGate configuration”

“The SP Entity ID, from the setting entity-id setting in the FortiGate configuration”

In the exhibit:

Destination= " https://10.1.10.2/saml-idp/nst/login/ " → this is the IdP SSO URL

< lasso:RemoteProviderID > http://10.1.10.2/samlidp/nst/metadata/ < /lasso:RemoteProviderID > → this is the IdP Entity ID

AssertionConsumerServiceURL= " https://10.1.10.254:1003/remote/saml/login/ " → this is the SP SSO URL

< saml:Issuer > https://10.1.10.254:1003/remote/saml/metadata/ < /saml:Issuer > → this is the SP Entity ID

The same study-guide example shows this exact mapping pattern, where:

Destination points to the IdP

AssertionConsumerServiceURL and Issuer point to the SP

Therefore:

10.1.10.2 is the IdP → D

10.1.10.254 is the SP → B

So the verified answers are: B, D .

To display debug output on FortiGate devices, you must always run both the application-specific debug command and the global debug enable command. The command diagnose debug application ike -1 sets up the detail level for the IKE daemon debug, but it does not display any debug output on its own. As described in the FortiOS CLI debugging manuals, the command diagnose debug enable activates debug output on the console, making all previously set debugs visible. This is especially important for VPN troubleshooting—without the enable command, no output appears even if there is VPN traffic.

The correct diagnostic sequence is:

diagnose debug application ike -1

diagnose debug enable

This procedure is found in every FortiOS CLI debug tutorial and troubleshooting workflow.

Parallel Path Processing (PPP) in FortiOS refers to the system’s ability to evaluate and select among multiple processing paths—often involving dedicated network processors, content processors, or CPU-based workflows—to optimally process packets. The official documentation highlights that the PPP engine dynamically selects which hardware or software path to use for each session based on session characteristics, policy configuration, and traffic type. This dynamic selection results in optimal throughput and resource utilization.

The document specifies that PPP assesses several processing paths in parallel, using decision logic to determine whether a session should be offloaded to specialist hardware (like NP6, CP9, etc.) or stay in the CPU path, ensuring that each packet is handled by the most efficient available method under current load and policy. Hardware and software configurations both influence this outcome, but it is the PPP engine ' s decision-making that defines the optimal path per session.

The diagnose debug authd fsso server command is the primary tool for troubleshooting communication between the FortiGate and the FSSO Collector Agent. This debug output reveals the status of the connection and the reasons for failure. The three most common connectivity issues identified by this debug are:

FortiGate cannot reach the IP address of the collector agent (Option C): The debug will show connection timeouts or " host unreachable " errors if the Layer 3 connectivity is missing.

The connection was refused / Port mismatch (Option B): If the FortiGate can reach the IP but the Collector Agent is not listening on the specified port (default 8000), the debug will display " Connection refused. " This often happens if the port configured on the FortiGate does not match the listening port on the agent.

The pre-shared key does not match (Option D): If the IP and Port are correct, the next step is authentication. If the password configured on the FortiGate does not match the one on the Collector Agent, the debug will explicitly show an " Authentication failed " or " password mismatch " error during the handshake.

Note on other options: Option A (SSL) is less common than basic connectivity/auth mismatches. Option E (Group filters) relates to user processing logic, which occurs after connectivity is established.

The correct answers are A and C .

The study guide describes this exact asymmetric ICMP scenario. It states:

“The server sends an echo request to the PC through port2 of the local router, effectively bypassing FortiGate. When it receives the echo request, the PC responds with an echo reply through its default gateway, 10.1.0.2, which is port1 on FortiGate. Because there is no existing session, the echo reply is dropped. All subsequent echo replies are blocked.”

That means the current problem exists because:

the ICMP request bypasses FortiGate

the ICMP reply goes through FortiGate

FortiGate has no matching session , so it drops the reply

The study guide then shows the exact corrective option:

“Allowing asymmetric routing:”

config system settings

set asymroute enable

end

It further explains:

“After the packet passes through the FortiGate CPU, FortiGate forwards the packet using the FIB, even though there are no session matches. FortiGate forwards all subsequent echo replies using the FIB.”

So A is correct.

The other valid fix is to make the traffic symmetric by changing the laptop’s default gateway so the reply no longer goes through FortiGate. In the exhibit, the alternate gateway is 10.1.0.254 , which is the local router on the same subnet. If the laptop uses 10.1.0.254 instead of 10.1.0.2, the ICMP echo reply follows the same bypass path as the echo request, so the server receives it without involving FortiGate session validation. This makes C correct.

Why the other options are wrong:

B is wrong because this is not an RPF problem. The study guide explains RPF as a reverse path lookup used to validate whether a packet arrived on a legitimate interface, mainly for spoofing protection. The issue in this scenario is a missing session due to asymmetric routing , not a strict-versus-feasible RPF failure

D is wrong because FortiGate already has the specific route 10.4.0.0/24 through port3 in the routing table shown in the exhibit, so adding a default static route to port3 is unnecessary and not the reason the echo reply is being dropped

So the verified answers are: A, C .