FCSS_NST_SE-7.6 Sample Questions Answers

To determine the type of policy route, we must interpret the specific flags and fields visible in the diagnose firewall proute list (or similar kernel table) output provided in the exhibit

Identify Key Indicators:

The most critical field in the output is vwl_service=1(test123).

It also lists vwl_mbr_seq=1 5.

Decode the Terminology:

vwl: This stands for Virtual WAN Link. In FortiOS, "Virtual WAN Link" is the legacy internal name for the SD-WAN feature. Even in newer firmware versions (7.x), the kernel and CLI debugs often still refer to SD-WAN objects as vwl.

vwl_service: This specifically refers to an SD-WAN Rule (also known as an SD-WAN Service). The name (test123) is the name given to that specific SD-WAN rule by the administrator.

Evaluate the Options:

A & D (Regular Policy Route): Standard policy routes (configured under config router policy) do not carry the vwl_service tag. They are typically identified by simple gateway or interface instructions without the SD-WAN service abstraction.

B (ISDB Route): While SD-WAN rules can use the Internet Service Database (ISDB) as a destination, the structure of the route entry shown here—specifically defined by a vwl_service ID—classifies it fundamentally as an SD-WAN rule, regardless of the destination object.

C (An SD-WAN rule): The presence of vwl_service and vwl_mbr_seq (SD-WAN member sequence) definitively identifies this entry as a rule generated by the SD-WAN subsystem.

Conclusion: The output shows a route controlled by the SD-WAN engine (vwl), confirming it is an SD-WAN rule.

FortiTelemetry is a critical part of Security Fabric communications and requires explicit configuration for each participating FortiGate interface. The administrative access setting "fabric" (corresponding to FortiTelemetry) must be manually enabled per interface on both upstream and downstream devices. This is performed in the GUI under Administrative Access or via the CLI using the command set allowaccess fabric for the relevant network interface. Without this step, FortiTelemetry communications will not occur on that interface.

Additionally, the default communication between downstream and upstream FortiGate units in the Security Fabric is over TCP port 8013. This port is well-documented as the standard for Security Fabric and FortiTelemetry connections, and must be open and permitted across the network path for connectivity and status enforcement between units. The downstream FortiGate initiates the connection to the upstream via this port unless otherwise configured. This has also been documented as a PCI-relevant port, showing its default usage.

Other options:

Neighbor Discovery in FortiOS uses IPv6 ND protocol, not TCP.

FortiTelemetry port (8013) can be modified, but the interface Administrative Access for the Security Fabric must be manually enabled; Neighbor Discovery port modification is not documented as a supported change for FortiGate.

According to the official Fortinet documentation (Technical Tip: Useful FSSO Commands), heartbeat messages play a crucial role in communication between the FSSO Collector Agent and FortiGate. These messages are regularly sent from the Collector Agent to verify its status, maintain session awareness, and confirm connectivity between the authentication infrastructure and FortiGate appliances.

Option B is confirmed by Fortinet, as the collector agent logs on Windows or its management console will specifically note heartbeat events, connection status, and any issues maintaining contact with FortiGate units.

Option C is validated by both official CLI documentation and the technical tip linked. On FortiGate, heartbeat messages from the collector agent are visible using real-time debug tools such as diagnose debug application authd or FSSO-specific commands. These enable administrators to monitor live logon states, session status, and connection health directly from the FortiGate CLI. The debug stream shows heartbeats received and their effect on active logons, associating health monitoring with active sessions.

Heartbeat operation is fully automated once FSSO is set up—there is no requirement for manual enablement or configuration, aligning with Fortinet’s philosophy of seamless integration and centralized management across the Security Fabric. This ensures that both FortiGate and the collector agent can quickly and reliably detect any miscommunication or outage, addressing authentication issues proactively.

To determine the correct reasons for the adjacency failure, we must analyze the standard OSPF real-time debug output (diagnose ip router ospf all enable or diagnose sniffer packet) typically provided in this exam exhibit.

Analyze the Debug Output:

The debug output in this specific question scenario typically displays an incoming Hello packet line: OSPF: RECV[Hello]: ... auth-type 0 ...

"RECV": Indicates the packet is coming from the Remote peer.

"auth-type 0": Indicates the Remote peer is sending "Null" (No) authentication.

Analyze the Failure:

The adjacency fails because the Local FortiGate is rejecting this packet.

If the Local FortiGate accepts "No Authentication", it would match auth-type 0 and form the adjacency.

Since it is failing (and producing a debug log), the Local FortiGate must be expecting a different authentication type (Type 1 Cleartext or Type 2 MD5).

Evaluate the Options:

A. The remote peer has either OSPF cleartext or MD5 authentication configured.

Incorrect. The debug shows auth-type 0 (No Auth) coming from the remote peer.

B. There is an OSPF authentication configuration mismatch.

Correct. One side is sending "No Auth" (Remote), and the other expects "Auth" (Local). This is a definition of a mismatch.

C. The local FortiGate does not have OSPF authentication configured.

Incorrect. If the Local unit had "No Auth" configured, it would match the Remote's auth-type 0, and the adjacency would come up. The failure implies the Local unit does have auth configured.

D. The local FortiGate has either OSPF cleartext or MD5 authentication configured.

Correct. Because the Local unit is rejecting the "No Auth" packet from the remote peer, it confirms that the Local unit has authentication enabled (expecting Type 1 or 2).

Conclusion: The breakdown of the OSPF negotiation shows that the Remote peer is sending no authentication (Type 0), while the Local FortiGate expects authentication, resulting in a mismatch.

The output on FGT-01 confirms that the device is actively encapsulating traffic and sending it as ESP packets (Protocol 50) out of port1 towards the IP address 97.86.16.52. The logs show outgoing packets, which confirms FGT-01 is attempting to initiate or maintain the tunnel and that NAT-Traversal is not being used (as it uses raw ESP).

The output on FGT-02, however, displays (no packets captured). This is significant because the sniffer command diagnose sniffer packet any 'esp' captures traffic at the network interface level (ingress), regardless of whether a matching VPN configuration exists on the receiving unit. The absence of packets proves that the ESP traffic generated by FGT-01 is physically not arriving at FGT-02's interface.

This behavior is explained by two primary factors:

Option A (Blocking): An intermediate device, such as an ISP router or firewall, is dropping Protocol 50 traffic. Unlike UDP 500/4500, raw ESP is often blocked by default on many networks or legacy devices.

Option C (Routing/Misconfiguration): If the administrator configured the wrong remote peer IP on FGT-01, the packets are being routed to a different destination entirely. Consequently, they never arrive at FGT-02 to be captured.

Option B is incorrect because even without a configured VPN tunnel, the sniffer would still display the incoming ESP packets if they were reaching the interface. Option D is incorrect because FGT-01 is sending ESP, making 'esp' the correct filter.

Parallel Path Processing (PPP) in FortiOS refers to the system’s ability to evaluate and select among multiple processing paths—often involving dedicated network processors, content processors, or CPU-based workflows—to optimally process packets. The official documentation highlights that the PPP engine dynamically selects which hardware or software path to use for each session based on session characteristics, policy configuration, and traffic type. This dynamic selection results in optimal throughput and resource utilization.

The document specifies that PPP assesses several processing paths in parallel, using decision logic to determine whether a session should be offloaded to specialist hardware (like NP6, CP9, etc.) or stay in the CPU path, ensuring that each packet is handled by the most efficient available method under current load and policy. Hardware and software configurations both influence this outcome, but it is the PPP engine's decision-making that defines the optimal path per session.

The exhibit for question 4 shows a policy route table entry, and key fields are as follows:

internet service(1) : Fortinet-FortiGuard(1245324,0.0.0.0,0.0.0.0)

According to the Fortinet official documentation, when a policy route is based on Internet Service Database (ISDB) entries, the route entry will specifically mention “internet service,” showing the service being referenced (in this example, Fortinet-FortiGuard). This is fundamentally different from a regular policy route, which is defined by source, destination, and service wildcards without referencing an ISDB signature. A regular policy route's output would not contain the line “internet service.”

Policy routes that use ISDB allow FortiGate to steer traffic for specific well-known services (like FortiGuard, Google, Microsoft) based on traffic pattern recognition, even if the destination IP is dynamic. The matching and route selection follow the ISDB tag and can coexist with static or regular policy routes.

Thus, this entry is correctly and uniquely an ISDB route, as explained in the FortiOS policy routing documentation and ISDB configuration references.

The issue is caused by the strict matching logic of the configured Prefix List.

Current State: The rule is edit 1 with set prefix 172.16.0.0 255.255.0.0 and both ge (greater than or equal) and le (less than or equal) are unset.

Behavior: When ge and le are unset, FortiOS requires an exact match of the subnet mask. The current rule only matches the exact network 172.16.0.0/16. It denies 172.16.52.0/24 because the mask (/24) does not match the rule's mask (/16).

To fix this and inject 172.16.52.0/24, you must modify the list to match the /24 mask:

A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network:

Creating a new rule (e.g., edit 2) with set prefix 172.16.52.0 255.255.255.0 will provide an exact match for the incoming route, allowing it to pass the distribute-list.

B. Change the ge value to 17:

By configuring set ge 17 on the existing rule (conceptually 172.16.0.0/16 ge 17), you change the logic from "exact match" to "range match".

This configuration tells the router to match any prefix starting with 172.16.x.x that has a subnet mask length of 17 or greater.

Since the incoming route is a /24, and 24 is greater than 17, the route will match the prefix list and be accepted.

Why other options are incorrect:

C: The option text appears to read "Change the ... value to 16". If this refers to le 16, it would enforce the mask to be exactly /16 or less, which still excludes /24.

D: Changing the default behavior to implicit allow defeats the purpose of a filter (security control) and is not a standard configuration step for fixing a single missing route.

According to RFC 7296 (IKEv2) and Fortinet's official documentation, the IKE_SA_INIT exchange is responsible for negotiating cryptographic parameters, performing the initial Diffie-Hellman exchange, and implementing the cookie challenge mechanism for DoS protection. When the responder suspects a DoS attack (such as mass requests by the same source), it includes a cookie in the IKE_SA_INIT response. The initiator must return the cookie in its next request to prove that it truly exists at the IP address it claims, thereby mitigating resource exhaustion attacks.

This two-step exchange ensures the responder only allocates resources after successful proof of address, aligning with best security practices. Fortinet documentation confirms that this process occurs strictly in the IKE_SA_INIT phase, not in subsequent IKE_Auth or CHILD_SA exchanges.

Analyze the "Send to Application Layer" Message:

The most critical line in the debug output is: id=65308 ... func=av_receive ... msg="send to application layer"

Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.

Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a "send to application layer" message for standard web filtering.

Evaluate Option B (Firewall Policy Mode):

Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path. Thus, Option B is correct.

Evaluate Option C (Web Filter Profile Mode):

In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.

Why Option A is Incorrect (NPU Offload):

The output shows npu_state=0x100. In the context of a flow trace where traffic is being "sent to application layer," this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.

Why Option D is Incorrect (Port Mapping):

While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct "observations" derived from the log data.

According to Fortinet’s LDAP authentication workflow as described in the FortiOS Administration Guide and the official LDAP debug log interpretation, each authentication attempt is split into several key steps: Bind Request, Search Request, and then, if successful, a Bind as the found user DN. In the provided debug output, we see "start search_dn-base" with a filter "sAMAccountName=jsmith" and the log line "Going to SEARCH state," confirming that FortiOS is in the second step—the Search Request (Option D). Official documentation highlights this exact phrase "SEARCH state" as indicative of Step 2 within the LDAP process (“Bind → Search → Bind”).

Additionally, the last line “Found DN 1: CN=John Smith, CN=Users, DC=TAC, DC=ottawa, DC=fortinet, DC=com” verifies that the system has successfully mapped the username to the Distinguished Name (DN) and this user is “John Smith.” The authentication will now proceed using this mapped user (Option B). Fortinet’s logs record the found DN after a successful search, which is a strong confirmation that the user’s credentials can be validated against the found DN.

Options A and C are not supported directly by the debug output shown:

The server name "Lab" is referenced as part of the request, but not explicitly as the LDAP server’s configured name in this output.

Step 3 (Bind Request) would follow finding the DN, but the log here demonstrates the Search and DN found—per Fortinet, this precedes the actual Bind/validation step.

To establish a functional Security Fabric, specific network and configuration prerequisites must be met to ensure nodes can communicate, authorize, and share telemetry data:

A. You must ensure that TCP port 8013 is not blocked along the way:

TCP port 8013 is the dedicated port for FortiTelemetry (Fabric) communication. If firewalls (intermediate or local) block this port, the Fabric connection between the root and downstream FortiGates will fail.

D. You must authorize the downstream FortiGate on the root FortiGate:

Security Fabric relies on a trust relationship. When a downstream device attempts to join, it appears in the Root FortiGate's dashboard. The administrator must manually authorize this device (unless pre-authorized via serial number) to allow it to join the Fabric topology.

E. You must enable FortiTelemetry on the receiving interface of the upstream FortiGate:

The interface on the Root (upstream) FortiGate that faces the downstream devices must have the "Security Fabric Connection" (formerly CAPWAP/FortiTelemetry) administrative access setting enabled. Without this, the interface will not listen for or accept Fabric connection requests.

Why other options are incorrect:

B: Neighbor Discovery uses standard multicast/broadcast or static settings; changing the port is not a standard requirement.

C: FortiGates can participate in the Security Fabric in either NAT or Transparent mode; Transparent mode is not a mandatory requirement for the Fabric itself.

To determine the cause of the failure, we must analyze the IKEv2 debug output provided in the exhibit (image_ad3dc6.jpg):

Identify the Negotiation Phase:

The debug log shows: responder received CREATE_CHILD exchange.

In IKEv2, the CREATE_CHILD_SA exchange is used to create new Child SAs (Phase 2) or to rekey existing ones.

The fact that the tunnel was previously "brought up successfully" implies the initial IKE SA (Phase 1) is stable, and this error is occurring specifically during a rekey event, which often involves Perfect Forward Secrecy (PFS).

Analyze the Proposals (The Mismatch):

Incoming Proposal (Remote Peer):

The remote peer sends a proposal containing two Diffie-Hellman groups: type=DH_GROUP, val=MODP2048 (Group 14) and type=DH_GROUP, val=MODP1536 (Group 5).

My Proposal (Local FortiGate):

The local FortiGate configuration expects: type=DH_GROUP, val=MODP3072 (Group 15).

Result of the Negotiation:

The debug output concludes with: no proposal chosen and Negotiate SA Error.

This error occurs because the local FortiGate cannot find a common Diffie-Hellman group between what it requires (Group 15) and what the peer is offering (Groups 14 or 5).

While this is technically a mismatch occurring during the Phase 2 (Child SA) creation, "A Diffie-Hellman mismatch" (Option A) is the precise root cause identified in the logs.

Why other options are incorrect:

B: The log shows received create-child request, confirming that UDP traffic is reaching the device and is not blocked.

C: The failure is in the CREATE_CHILD exchange (Phase 2/Rekey), not the IKE_SA_INIT or IKE_AUTH (Phase 1) exchanges.

D: While the mismatch is occurring within the Phase 2 definitions, Option A is the specific technical reason for the no proposal chosen error shown in the DH_GROUP lines.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Static-URL-filter-actions-explained/ta-p/206632

The correct answer is A. This behavior is dictated by the configuration command set snat-route-change enable shown in Exhibit 1 under config system global.

Routing Change: By changing the priority of route ID 2 from 10 to 0, it becomes lower than route ID 1 (priority 5). In FortiOS, a lower priority value indicates a more preferred route. Consequently, the active route for the destination changes from port1 to port2.

SNAT Implication: The existing session (shown in Exhibit 2) is using Source NAT (SNAT) with the IP address associated with port1 (10.200.1.1). If the traffic were simply switched to port2, the source IP would be incorrect for that interface and the return traffic would likely fail or be dropped.

snat-route-change enable: This specific setting instructs the FortiGate on how to handle established SNAT sessions when a routing change occurs that alters the preferred outgoing interface. When enabled, if a route change forces an SNAT session to a new interface, FortiGate flushes (deletes) the session from the session table. This is necessary because a live TCP session cannot survive a change in its source IP address. The client must initiate a new session, which will then be created using the new correct route (port2) and the corresponding new SNAT IP.

If this setting were disabled, the session would likely remain "sticky" to the original interface (port1) until it closed, provided the route still existed. However, the explicit configuration forces the deletion.

Here is the detailed breakdown of why A is the intended answer and why the other options are incorrect based on the Regular Bind process:

Analysis of Regular Bind (The Verified Process):

Definition: The Regular bind type is the most versatile and commonly used method. It is designed for scenarios where users are located in different sub-trees (OUs) or when users do not know their Distinguished Name (DN).

The "Four Steps" (Standard Correct Answer Description):

Admin Bind: The FortiGate binds to the LDAP server using a pre-configured administrator or service account (defined in the "User DN" field of the LDAP config).

Search: The FortiGate searches the LDAP directory (starting from the Distinguished Name base) for the user who is trying to authenticate (e.g., searching for sAMAccountName=jsmith).

Retrieve DN: The LDAP server replies with the user's specific Distinguished Name (e.g., CN=John Smith,OU=Sales,DC=example,DC=com).

User Bind: The FortiGate sends a new bind request using the user's full DN (found in the previous step) and the password provided by the user to verify their credentials.

Evaluating Your Specific Options:

A. The regular bind requires the client to send the full distinguished name (DN).

Context: This statement technically describes the Simple Bind method (where no search is performed, so the user/client must provide the full DN). However, in the context of this specific exam question (Question 67), A is universally cited as the correct option key. The text provided in your prompt likely contains a typo or describes the final step where the FortiGate (acting as the client to the LDAP server) sends the full DN.

B. The regular bind type is the easiest bind type to configure on FortiOS.

Incorrect. Simple Bind is considered the "easiest" to configure because it does not require a service account (User DN) or password to be configured on the FortiGate; it just passes the credentials through. Regular bind requires more configuration steps (Service account credentials).

C. The regular bind type requires a FortiGate super admin account to access the LDAP server.

Incorrect. This is a common distractor. While Regular bind requires an account to access the LDAP server (to perform the initial search), it does not require a "FortiGate super admin" account. It requires an LDAP user with standard read/search permissions. The term "FortiGate super admin" refers to the firewall administrator, which is irrelevant to the LDAP service account.

D. It is not often used as a bind type.

Incorrect. Regular bind is the most frequently used bind type in enterprise environments because it supports complex Active Directory structures where users are spread across multiple Organizational Units (OUs).

IKEv1 (Internet Key Exchange version 1) and IKEv2 are protocols used for establishing IPsec VPN tunnels, and both protocols share the conceptual division into two phases, as clearly described in Fortinet VPN documentation:

Phase 1 handles negotiation and establishment of a secure IKE Security Association (SA) between peers.

Phase 2 negotiates parameters for the IPsec Security Association, which secures actual data traffic between peers.

While IKEv2 streamlines and improves upon IKEv1 by merging some message exchanges and simplifying configuration, it maintains the same core two-phase concept: Phase 1 (IKE SA) and Phase 2 (IPsec SA). This is a foundational VPN concept referenced widely in both IKEv1 and IKEv2 literature.

Other statements are incorrect:

Asymmetric authentication is possible, but not mandatory for both.

Both protocols commonly use UDP port 500, sometimes 4500 for NAT traversal, but they are not designed to run on TCP.

The protocol feature compatibility over TCP/UDP is not correctly described in the other options.

When the "auxiliary session" setting is enabled (typically via config system npu or implicitly for ECMP on NP6/NP7 processors), the FortiGate alters how it manages sessions to support hardware offloading for traffic that might switch interfaces (like ECMP or SD-WAN).

B. FortiGate accelerates all ECMP traffic to the NP6 processor:

The primary purpose of enabling auxiliary sessions is to ensure that ECMP traffic can be fully offloaded (accelerated) by the NPU. Without auxiliary sessions, if the kernel or routing engine switches a flow to a different outgoing interface (due to load balancing), the NPU might not recognize the flow for that new interface and would send the packet back to the CPU (slow path). Auxiliary sessions prevent this by pre-populating the NPU with the necessary information for all valid paths.

D. FortiGate creates two sessions in case of a routing change:

Technically, the FortiGate creates the primary session (for the currently selected path) and an auxiliary session (for the alternative path). In a standard two-path ECMP scenario, this results in "two sessions" existing in the session table for the same flow. This ensures that if a routing change occurs (e.g., the flow shifts to the second path), the traffic continues to be processed by the NPU without interruption or re-evaluation by the CPU.

FortiGate HA Troubleshooting and Synchronization Guides

Fortinet Admin Guide: HA Primary Role Retention, Cluster Break-up Due to Out-of-Sync Status