Fortinet FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Exam Practice Test

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

From the snippet we can see that FortiGate (via the fssod daemon) is directly detecting the user logon rather than relying on a separate “collector” or “DC agent.” This indicates agentless polling—FortiGate polls the DC’s event logs over TCP 445 to discover logons. So: - FSSO is using agentless polling mode to detect logon events - In agentless mode, FortiGate will periodically poll the same IP (the DC) on port 445 to see if the user is still logged on

The session output reveals a session with proto=1 (ICMP) and the origin and reply directions show address and NAT translations. Specifically, the hook=post dir=org act=snat shows that source NAT is performed for outgoing packets, where the source 10.1.10.10:40602 is translated to 10.200.5.1:8 (likely ICMP id 8, not a TCP/UDP port). The reply direction, hook=pre dir=reply act=dnat, indicates destination NAT for incoming packets: packets incoming for 10.200.5.1:60430 are destination-NATed to 10.1.10.10:40602. The gateway (gwy) is listed as 10.200.1.254/10.1.0.1, which for outgoing traffic means that return traffic is directed to the gateway (10.200.1.254), per the NAT policy. This is confirmed by the FortiOS Session Table Guide, which explains that the returned ICMP reply will be routed out to this NAT gateway. The session statistics and logical flow (SNAT out, matching DNAT in) reinforce that reply traffic to the initiator traverses via 10.200.1.254.

The correct answer is B. Assertion dump .

The study guide states: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

The same study guide page for real-time SAML troubleshooting shows the section labeled **** Assertion Dump **** , and inside that assertion it displays the actual user attributes, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

It also explicitly marks this part as “Attributes sent by IdP”

Why the other options are wrong:

A. Bindings HTTP post is incorrect because bindings define how SAML messages are transported , not the section that contains the attributes. The study guide says: “Bindings: Define how SAML protocol messages are transmitted over different communication channels.”

C. Authentication request is incorrect because that is built by the SP and sent toward the IdP, not where the IdP’s user attributes are shown. The study guide’s flow says the SP “Builds auth request” and the IdP later “Builds auth response.”

D. Authentication response is broader than the exact section being asked. The exact section in the study guide where the IdP-provided attributes are shown is the Assertion dump .

So the verified answer is: B .

The correct answer is D. Assertion dump .

The study guide states that: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

It also shows the real-time SAML debug output under “ ** Assertion Dump ****”**, where the SAML attributes appear inside the assertion, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

The same study-guide page explicitly labels this area as “Attributes sent by IdP”

So, although the IdP sends an authentication response overall, the actual section that contains the SAML attributes is the Assertion dump

The 7.6 study guide explains the route selection order:

“Route Selection Process

Most specific route

Lowest distance

Lowest metric (dynamic routes)

Lowest priority (static routes)

ECMP (static, BGP, and OSPF routes)”**

It then states:

“If there are multiple routes with the same netmask, distance, metric, and priority, FortiGate shares the traffic among all of them. This is called equal-cost multi-path (ECMP).”

The FortiOS administration guide confirms the ECMP prerequisite:

“Routes must have the same destination and costs. In the case of static routes costs include distance and priority.”

In the exhibit, the kernel/FIB output shows the two default routes as:

gwy=100.64.1.254 dev=3 (port1) prio=0

gwy=100.64.2.254 dev=6 (port2) prio=10

So although both are default routes, their priorities are different . Since FortiGate uses the FIB/kernel for forwarding traffic, ECMP will not happen until the static-route priorities are the same. The study guide also notes that the FIB is the table used to perform standard routing

Therefore, to make the two default routes eligible for ECMP, the administrator must make the priorities equal. Since port2 is already 10, the needed change is to set the port1 default route priority to 10.

Why the other options are wrong:

A is wrong because snat-route-change affects how existing SNAT sessions react to routing changes, not whether static routes qualify for ECMP

B is wrong because changing port2 to priority 1 still would not match port1 at 0, so the routes still would not have equal cost for ECMP

C is wrong because preserve-session-route affects existing-session route persistence after routing changes, not ECMP qualification

The BGP debug output shows session information for peers, including state details. According to official Fortinet BGP documentation, if the session state with a peer does not show " Idle, " " Active, " or " Connect, " but instead shows " Established, " " Up, " or related counters (e.g., messages sent/received or uptime), it indicates the session is operational. In this scenario, the peer 10.127.0.75 is the only one showing a positive indication of a live, established session. Other options like neighbor-range configuration, AS mismatch, or route-maps blocking prefixes are not supported by evidence provided in a simple BGP session state debug, nor does the output show errors relating to local or remote AS issues.

The correct interpretation comes from Fortinet ' s BGP troubleshooting guide, which outlines how to read session status and neighbor states in debug and summary outputs.

The command on this slide shows a summary of the statuses of all the OSPF neighbors. For each neighbor, it displays the adjacency state and if it is a DR, a BDR, or neither (DROther) Pagina 362 Enterprise_Firewall_7.2_Study. - Point-to-point networks contain only two peers, one at each end of a point-to-point link - Broadcast networks (multi-access) support more than two attached routers. They also support sending messages to multiple recipients (broadcasting). Pagina 365 Enterprise_Firewall_7.2_Study. In any multi-access network there is one DR and one BDR. Pagina 439 Network_Security_Support_Engineer_7.4_Study FULL/- This represents a point-to-point network

The issue is caused by the strict matching logic of the configured Prefix List.

Current State: The rule is edit 1 with set prefix 172.16.0.0 255.255.0.0 and both ge (greater than or equal) and le (less than or equal) are unset.

Behavior: When ge and le are unset, FortiOS requires an exact match of the subnet mask. The current rule only matches the exact network 172.16.0.0/16. It denies 172.16.52.0/24 because the mask (/24) does not match the rule ' s mask (/16).

To fix this and inject 172.16.52.0/24, you must modify the list to match the /24 mask:

A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network:

Creating a new rule (e.g., edit 2) with set prefix 172.16.52.0 255.255.255.0 will provide an exact match for the incoming route, allowing it to pass the distribute-list.

B. Change the ge value to 17:

By configuring set ge 17 on the existing rule (conceptually 172.16.0.0/16 ge 17), you change the logic from " exact match " to " range match " .

This configuration tells the router to match any prefix starting with 172.16.x.x that has a subnet mask length of 17 or greater.

Since the incoming route is a /24, and 24 is greater than 17, the route will match the prefix list and be accepted.

Why other options are incorrect:

C: The option text appears to read " Change the ... value to 16 " . If this refers to le 16, it would enforce the mask to be exactly /16 or less, which still excludes /24.

D: Changing the default behavior to implicit allow defeats the purpose of a filter (security control) and is not a standard configuration step for fixing a single missing route.

The 8.8.8.8/32 route is visible in the OSPF database on FGT-B but not installed into the routing table—the most likely explanation is that FGT-B is filtering it from being installed.

FortiOS Admin Guide: Static Routing, SNAT Route Change Feature

The correct answer is A .

The study guide explicitly explains the diagnose debug rating table and says that for each server IP, the output shows “The round trip delay”

That means the RTT value represents the time it takes for FortiGate to send a request and receive the reply from that FortiGuard server.

The FortiOS administration guide also confirms this by stating:

“Each server is probed for Round Trip Time (RTT) every two minutes.”

Why the other options are wrong:

B is wrong because packet loss is shown separately by Curr Lost and Total Lost , while RTT is the round-trip delay

C is wrong because license-validation behavior is indicated by flags such as I = Initial , not by the RTT value itself

D is wrong because the documents do not say RTT starts at a fixed value of 10; it is measured dynamically as round-trip delay

So the verified answer is: A .

For Option A:In Fortinet BGP (and standard BGP), when a prefix is displayed with an " i " (lowercase i) in the Path column, it represents an internal prefix that originated from the local router, typically configured via the BGP " network " command. In the exhibit, the prefix 10.20.30.0/24 is listed with a Path value of i, indicating it was injected into BGP by the local router using the network statement, not via redistribution from another routing protocol. The same logic applies to i as documented: " Origin code ' i ' means the route was injected via the network command. "

For Option D:The get router info bgp network output is a summary table displaying both local and received BGP routes. It lists all known routes to the BGP process, whether received from peers or originated locally. The exhibit shows all BGP prefixes known to the local router, matching the official admin guide’s description of this command’s output.

Explanation for B and C:

The phrase “legacy route advertisement” is not formalized in BGP documentation or Fortinet’s admin guide; the output uses standard BGP mechanics.

If a route was redistributed into BGP from another routing protocol, the Path field would display a " ? " (question mark) for incomplete (redistributed) origin. Here the /24 route has " i " so it is NOT a redistribution.

The exhibit shows a FortiGate configuration under config system fortiguard related to web filtering and FortiGuard options. There is a line:

set webfilter-force-off enable

According to official Fortinet documentation, the " webfilter-force-off " option, when enabled, causes the FortiGate to bypass web filtering for all traffic—even if a web filter profile is applied to a policy. This override is typically used for troubleshooting or performance reasons and is documented as an explicit bypass feature.

If an administrator wants to enforce web filtering inspection, this setting must be disabled. The correct way to restore web filtering functionality is to run:

set webfilter-force-off disable

Once done, traffic passing through policies with web filter profiles will be inspected and filtered as per configuration. Other settings such as timeout or cache TTL do not bypass web filtering; they only affect operational nuances.

The reported symptom—users unable to access any websites despite no explicit blocks in the profile—points to systemic connectivity or configuration issues rather than specific URL filtering rules.

Option B (SSL/TLS Inspection): When Deep Inspection is enabled, the FortiGate acts as a Man-in-the-Middle (MitM) and re-signs server certificates using its own CA. If the clients (browsers) do not trust this CA (i.e., the certificate is not installed in their Trusted Root store), they will reject the connection with certificate errors, effectively preventing access to all HTTPS websites.

Option D (DNS): Web browsing relies on DNS resolution . If the configured DNS server is unreachable or failing, the FortiGate (or the client) cannot resolve FQDNs to IP addresses. Consequently, browsers will fail to load any page, resulting in a total loss of web access.

Option E (License): If the FortiGuard Web Filtering license expires, the FortiGate can no longer query the FortiGuard Distribution Network (FDN) for ratings. By default, or if the allow-when-rating-error setting is disabled (a common security practice), the FortiGate will block all web traffic that it cannot rate, often displaying a " Web Filter Service Error " or invalid license page.

Option A is incorrect because clearing the cache only increases latency, it does not block traffic. Option C is incorrect because webfilter-force-off is typically used to disable the service (often allowing traffic to bypass checks if the service is down), rather than blocking it.

The correct answers are A and D .

The debug output shows:

Sent RADIUS req to server ' RadiusServer ' : IP=172.25.188.164 ... user= " student " using CHAP

Result for radius svr ' RadiusServer ' 172.25.188.164(0) is 0

Sending result 0 for req 2

The study guide explains that in RADIUS real-time debug, FortiGate shows the IP address of the RADIUS server it is querying. In the example, it says FortiGate “creates an access request to the RADIUS server at IP address 10.0.13.130” and shows the line Sent radius req to server ... IP=10.0.13.130

So in your exhibit, the queried server is clearly 172.25.188.164 , which makes A correct.

The study guide also states:

“The message fnbamd_comm_send_result-Sending result 0 indicates that the authentication was successful and that FortiGate received the Access-Accept message.”

Since your exhibit also ends with Sending result 0 , that makes D correct.

Why the other options are wrong:

B is wrong because result 0 means authentication successful , not failed

C is wrong because the debug explicitly shows using CHAP , and the study guide lists supported RADIUS schemes as CHAP, PAP, MS-CHAP, and MS-CHAPv2

E is wrong because the study guide says two-factor authentication would involve an Access-Challenge response: “If two-factor authentication is enabled on the server, the response is an Access-Challenge message” Your exhibit shows successful result 0 / Access-Accept , not a challenge.

So the verified answers are: A, D .

The output of the diagnose sys session list command provides the critical evidence needed to determine the behavior during a failover:

Session Synchronization (synced):

The most important indicator in the exhibit is the synced flag located in the state= line (state=may_dirty synced none app_ntf).

In FortiOS HA (High Availability), the synced flag confirms that this specific session has been successfully synchronized from the primary device to the secondary (backup) device.

Session synchronization (Session Pickup) ensures that if the primary unit fails, the secondary unit already has the session in its table and can resume traffic processing immediately.

TCP State (proto_state=01):

The output shows proto=6 (TCP) and proto_state=01.

In the FortiGate session table, proto_state=01 for TCP indicates that the session is in the ESTABLISHED state (post-three-way handshake).

This invalidates Option B, which claims the TCP session is not fully established.

Failover Outcome:

Because the session is ESTABLISHED and SYNCED, the secondary device will seamlessly take over the session upon primary failure.

The traffic continues to flow through the new primary without requiring the user/client to restart the connection. This is the primary function of HA Session Pickup.

Why other options are incorrect:

A: While the output shows app_ntf (Application Control notification) and may_dirty, the presence of the synced flag overrides this concern regarding failover. If the session type were not supported for failover (e.g., certain proxy sessions in older versions), it would not be marked as synced. Since it is synced, it persists.

B: As noted, proto_state=01 means established, not " not fully established " .

D: While the kernel updates routing tables, the purpose of syncing the session is to preserve the state so it does not need to be re-evaluated as a new packet would, preventing traffic drops.

The correct answer is A . This behavior is dictated by the configuration command set snat-route-change enable shown in Exhibit 1 under config system global.

Routing Change: By changing the priority of route ID 2 from 10 to 0, it becomes lower than route ID 1 (priority 5). In FortiOS, a lower priority value indicates a more preferred route. Consequently, the active route for the destination changes from port1 to port2 .

SNAT Implication: The existing session (shown in Exhibit 2) is using Source NAT (SNAT) with the IP address associated with port1 (10.200.1.1). If the traffic were simply switched to port2 , the source IP would be incorrect for that interface and the return traffic would likely fail or be dropped.

snat-route-change enable: This specific setting instructs the FortiGate on how to handle established SNAT sessions when a routing change occurs that alters the preferred outgoing interface. When enabled, if a route change forces an SNAT session to a new interface, FortiGate flushes (deletes) the session from the session table. This is necessary because a live TCP session cannot survive a change in its source IP address. The client must initiate a new session, which will then be created using the new correct route (port2) and the corresponding new SNAT IP.

If this setting were disabled, the session would likely remain " sticky " to the original interface (port1) until it closed, provided the route still existed. However, the explicit configuration forces the deletion.

The exhibit shows:

memory conserve mode: on

memory used: 2706 MB 89% of total RAM

memory used threshold red: 2675 MB 88% of total RAM

memory used + freeable threshold extreme: 2887 MB 95% of total RAM

The study guide states that the default thresholds are:

Extreme = 95%

Red = 88%

Green = 82%

So this FortiGate is in conserve mode because memory usage is 89% , which is above the red threshold (88%) , but it has not yet reached the extreme threshold (95%) .

The study guide then explains exactly what happens during conserve mode:

“For traffic that requires proxy-based inspection (and if memory usage has not exceeded the extreme threshold):

config system global

set av-failopen [off | pass | one-shot]

pass (default): All new sessions pass without inspection”

It also says:

“The av-failopen setting also applies to flow-based antivirus inspection.”

And the same page adds:

“If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

Therefore, with default settings and with memory usage below the extreme threshold , FortiGate is allowing new sessions that require inspection, but bypassing inspection . That matches C .

Why the other options are wrong:

A is wrong because the default behavior is not to block proxy-based inspected sessions; the default is pass , meaning they pass without inspection

B is wrong because if memory rises another 6% , it reaches 95% , which is the extreme threshold . At that point, the study guide says all new sessions that require inspection are blocked

D is wrong because FortiGate blocks all new inspected sessions only when memory usage exceeds the extreme threshold , and the exhibit shows it is currently at 89% , not 95%

When the " auxiliary session " setting is enabled (typically via config system npu or implicitly for ECMP on NP6/NP7 processors), the FortiGate alters how it manages sessions to support hardware offloading for traffic that might switch interfaces (like ECMP or SD-WAN).

B. FortiGate accelerates all ECMP traffic to the NP6 processor:

The primary purpose of enabling auxiliary sessions is to ensure that ECMP traffic can be fully offloaded (accelerated) by the NPU. Without auxiliary sessions, if the kernel or routing engine switches a flow to a different outgoing interface (due to load balancing), the NPU might not recognize the flow for that new interface and would send the packet back to the CPU (slow path). Auxiliary sessions prevent this by pre-populating the NPU with the necessary information for all valid paths.

D. FortiGate creates two sessions in case of a routing change:

Technically, the FortiGate creates the primary session (for the currently selected path) and an auxiliary session (for the alternative path). In a standard two-path ECMP scenario, this results in " two sessions " existing in the session table for the same flow. This ensures that if a routing change occurs (e.g., the flow shifts to the second path), the traffic continues to be processed by the NPU without interruption or re-evaluation by the CPU.

The key point is that the two VPNs are dynamic dialup IPsec tunnels on the same interface and both are using IKEv1 main mode . In this design, FortiGate cannot reliably distinguish which dialup phase1 to match before phase 1 completes.

The uploaded Network Security Support Engineer 7.6 Study Guide shows that XAuth happens only after phase 1 is already established:

“The IKE real-time debug shows, after phase 1, the exchange of extended authentication (XAuth) packets… You can also see the CFG_REPLY, showing the XAuth user and group name.”

That means the user group is learned too late to be used for selecting the correct phase1 definition. So the fix must be applied to the phase1 matching method itself , not to XAuth.

The FortiOS administration guide gives the exact rule for this scenario:

“When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.”

The correct answer is C .

The exhibit shows:

562 in ESTABLISHED state

27 in CLOSE state

memory_tension_drop=0

ephemeral=0/131072

According to the study guide, for TCP sessions: “The protocol state in the session table is a two-digit number. For TCP, the first number (from left to right) is related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy)… The second digit is the client-side state.” The same page also shows that value 1 = ESTABLISHED

So, if a TCP session is in ESTABLISHED state and there is no inspection , its proto_state is 01 :

first digit 0 = no inspection

second digit 1 = ESTABLISHED

That makes C correct. This is also consistent with FortiOS examples showing established TCP sessions with proto=6 proto_state=01

Why the other options are wrong:

A is wrong because the field that indicates sessions dropped due to low free memory is memory_tension_drop, and in the exhibit it is 0 , not 113. The study guide states: “If there is a lack of free memory, the kernel deletes the oldest sessions. The command shown on this slide displays the number of sessions the kernel deleted because of this mechanism.” So 113 is the clash value, not memory-tension drops.

B is wrong because ephemeral=0/131072 does not mean 131072 ephemeral sessions were recorded. The study guide explains that FortiGate “sets a hard limit on the maximum number of ephemeral sessions that can exist at the same time in the session table.” Therefore:

0 = current ephemeral sessions

131072 = maximum allowed ephemeral sessions for that model/context

D is wrong because the study guide says the temporary retention for possible out-of-order packets happens in state value 5 (TIME_WAIT) : “When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5.” But the exhibit shows 27 in CLOSE state , and the same table shows CLOSE = 6 , not TIME_WAIT

So the verified answer is C .

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The correct answer is B .

In the exhibit:

Neighbor 100.64.1.254 shows State/PfxRcd = 1 , which means the session is established and the local FortiGate has received 1 prefix

Neighbor 100.64.2.254 shows State/PfxRcd = Active

The study guide explains the BGP states exactly:

Connect : Waiting for a successful three-way TCP connection

Active : Unable to establish the TCP session

OpenSent : Waiting for an OPEN message from the peer

OpenConfirm : Waiting for the keepalive message from the peer

Established : Peers have successfully exchanged OPEN and keepalive messages

It also explains how to read the State/PfxRcd column:

“If the state is not established, this column displays the BGP state. If the state is established, this column displays the number of prefixes that the local FortiGate received from that neighbor.”

Therefore, because neighbor 100.64.2.254 is in Active state, the correct conclusion is that the BGP adjacency cannot form because the TCP session could not be established .

Why the other options are wrong:

A is wrong because BGP can establish adjacencies with multiple neighbors independently; one established neighbor does not block another

C is wrong because BGP adjacency is not established based on neighbor “priority”; the output shows adjacency is established because the session completed and prefixes were exchanged

D is wrong because having two neighbors in the same remote AS is valid in BGP and does not prevent adjacency formation

So the verified answer is: B .

The correct answer is C. 64.26.151.37 .

The study guide explains the FortiGuard flags shown by diagnose debug rating:

D = Default

I = Initial

T = Timing

F = Failed and specifically: “F = The server is down”

So even though 121.111.236.179 has the lowest RTT in the exhibit, it has the F flag, meaning FortiGate considers that server failed/down , so it will not be chosen.

To determine which active server is selected, the FortiOS administration guide states:

“The server list is sorted first by weight. The server with the smallest RTT appears at the top of the list regardless of weight. … Therefore the top position in the list is selected based on RTT while the other positions are based on weight.”

Among the valid, non-failed choices in the exhibit:

64.26.151.37 → RTT 45

209.22.147.36 → RTT 103

96.45.33.65 → RTT 144

208.91.112.194 → RTT 107

The active server with the lowest RTT is 64.26.151.37 , so that is the server FortiGate will choose.

So the verified answer is: C .

Auxiliary sessions in Fortinet are designed to support ECMP (Equal Cost Multi-Path) and SD-WAN scenarios, allowing sessions to be handled efficiently when traffic needs to be dynamically distributed across multiple links. With the auxiliary session setting enabled, FortiGate creates additional session table entries for each possible path in ECMP or SD-WAN—meaning that if the routing path changes (such as a link failover), a new session can be immediately activated and offloaded to the NP6 network processor for acceleration, ensuring minimal disruption. This greatly benefits high-throughput deployments.

Official documentation specifies that when auxiliary sessions are enabled, FortiGate doesn’t just rely on dynamically creating new sessions after a routing event, it proactively creates sessions for all potential paths. This means that in the event of a route change, two sessions exist and the traffic is quickly re-routed and offloaded, maximizing performance and reliability. Without this feature, multiple paths cannot be efficiently offloaded, and routing changes trigger a single session update, reducing failover performance.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Static-URL-filter-actions-explained/ta-p/206632

FortiTelemetry is a critical part of Security Fabric communications and requires explicit configuration for each participating FortiGate interface. The administrative access setting " fabric " (corresponding to FortiTelemetry) must be manually enabled per interface on both upstream and downstream devices. This is performed in the GUI under Administrative Access or via the CLI using the command set allowaccess fabric for the relevant network interface. Without this step, FortiTelemetry communications will not occur on that interface.

Additionally, the default communication between downstream and upstream FortiGate units in the Security Fabric is over TCP port 8013. This port is well-documented as the standard for Security Fabric and FortiTelemetry connections, and must be open and permitted across the network path for connectivity and status enforcement between units. The downstream FortiGate initiates the connection to the upstream via this port unless otherwise configured. This has also been documented as a PCI-relevant port, showing its default usage.

Other options:

Neighbor Discovery in FortiOS uses IPv6 ND protocol, not TCP.

FortiTelemetry port (8013) can be modified, but the interface Administrative Access for the Security Fabric must be manually enabled; Neighbor Discovery port modification is not documented as a supported change for FortiGate.

The correct answers are A and B .

For UDP , the study guide states this directly: “For UDP, the session state can have only two values: 00 when traffic is only one way, and 01 when traffic is two ways. For ICMP, the protocol state is always 00.”

That makes B correct and D incorrect.

For TCP , the study guide explains that the protocol state is a two-digit number, where the first digit is the server-side state and the second digit is the client-side state . It also states that the first digit is 0 when the session is not subject to any inspection , and the TCP state table shows that value 1 = ESTABLISHED

So, for a normal non-proxied/non-inspected TCP session, proto_state=01 means the TCP session is in the ESTABLISHED state. An established TCP session means the three-way handshake has completed, which requires traffic in both directions. That is why A is correct.

The study guide also says: “proto_state=11 means that the TCP three-way handshake for both server-side and client-side is completed (ESTABLISHED).”

This confirms that TCP state value 1 represents an established state.

Why C is not selected: the study guide defines value 5 as TIME_WAIT and says: “When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds… This is the state value 5.”

So proto_state=05 represents a closing/closed TCP session in TIME_WAIT , not the normal bidirectional state the question is testing.

Therefore, the verified answers are A and B .

According to the official Fortinet documentation (Technical Tip: Useful FSSO Commands), heartbeat messages play a crucial role in communication between the FSSO Collector Agent and FortiGate. These messages are regularly sent from the Collector Agent to verify its status, maintain session awareness, and confirm connectivity between the authentication infrastructure and FortiGate appliances.

Option B is confirmed by Fortinet, as the collector agent logs on Windows or its management console will specifically note heartbeat events, connection status, and any issues maintaining contact with FortiGate units.

Option C is validated by both official CLI documentation and the technical tip linked. On FortiGate, heartbeat messages from the collector agent are visible using real-time debug tools such as diagnose debug application authd or FSSO-specific commands. These enable administrators to monitor live logon states, session status, and connection health directly from the FortiGate CLI. The debug stream shows heartbeats received and their effect on active logons, associating health monitoring with active sessions.

Heartbeat operation is fully automated once FSSO is set up—there is no requirement for manual enablement or configuration, aligning with Fortinet’s philosophy of seamless integration and centralized management across the Security Fabric. This ensures that both FortiGate and the collector agent can quickly and reliably detect any miscommunication or outage, addressing authentication issues proactively.

The correct answers are A and B .

The Network Security Support Engineer 7.6 Study Guide states under OSPF Troubleshooting :

“Follow these steps to troubleshoot an OSPF problem between two peers:

Check that the local router can reach the remote peer. IP addresses must be in the same subnet and have the same subnet mask.

Ensure that IP protocol 89 is not blocked.

Hello and dead intervals must match.

The OSPF router ID for each peer must be unique. Duplicate router IDs are not allowed.

Do the MTUs match?

If authentication is enabled, the type and password must match on both sides.”**

The same page also summarizes the troubleshooting tips as:

“Do peers have an IP address within the same subnet?”

“Is IP protocol 89 blocked?”

This directly confirms:

A is correct

B is correct

Why the other options are wrong:

C is wrong because TCP port 179 is used by BGP , not OSPF. OSPF uses IP protocol 89 , as the study guide explicitly notes

D is wrong because the study guide’s OSPF adjacency troubleshooting checklist does not require an active static route to the peer. OSPF neighbors form adjacency on directly reachable networks, and the guide instead focuses on same subnet, protocol 89, intervals, router ID, MTU, and authentication matching

So the verified answers are: A, B .

To identify the reason for the lack of prefixes, we must interpret the State/PfxRcd and Up/Down columns in the get router info bgp summary exhibit.

Analyze Neighbor Status:

Neighbor 10.125.0.60: State is OpenSent. This session is not established. It is stuck in the negotiation phase.

Neighbor 100.64.3.1: State is Active. This session is not established. The router is actively trying to initiate a TCP connection.

Neighbor 10.127.0.75:

Up/Down: 02:45:55. This indicates the BGP session has been Up (Established) for almost 3 hours.

State/PfxRcd: 0. This number represents the count of prefixes received. The session is fully established, but the neighbor has sent zero routes.

Determine the Cause:

Since the session with 10.127.0.75 is established, connectivity and handshakes (Options A, B, C) are not the issue for this neighbor.

The fact that it is Up but sending 0 prefixes strongly implies that the neighbor is configured to filter out its routes before sending them to the local FortiGate.

Option D correctly identifies this as a RIB-OUT (Routing Information Base - Outbound) configuration issue on the neighbor (Router 10.127.0.75), which prevents it from advertising its routes.