FCSS_LED_AR-7.6 Fortinet NSE 6 - LAN Edge 7.6 Architect Question and Answers

In this scenario:

FortiGate + FortiAnalyzer are part of theSecurity Fabric

AnAutomation Stitchis configured:

Trigger:Compromised Host – High(IOC from FortiAnalyzer)

Action:Quarantine on FortiSwitch + FortiAP

A test device10.0.2.1visits a malicious website.

FortiAnalyzer logs show the event, butFortiGate does NOT quarantine the device.

This means theautomation did not receive an IOC trigger, OR theFabric did not classify it as a compromise.

Let's evaluate each answer option.

✅C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.

✔Correct.

For FortiGate to quarantine a device:

FortiAnalyzer must classify the event as aCompromised Host → High / Medium / Critical

FortiAnalyzer must generate anIOC event

FortiGate must receive that IOC through the Fabric

Even though the FAZ log shows:

Action = blocked

Category = Malicious Websites

→ That doesNOTautomatically mean an IOC was generated.

A blocked website event isnot always an IOCunless:

It is included in theIOC database

FAZ’sAnalytics / UTM / IOCengine marks it as a compromise

Thus, if FAZ only logs a “Malicious Website” event butdoes not classify it as an IOC,

The FortiOS documentation explicitly states that a CSR used for certificate signing must contain accurate and valid fields, especially:

Common Name (CN)

Organization (O)

Country (C)

Public key parameters

According to the FortiGate certificate section:

Incorrect CSR field information can cause the CA to reject the request.

Reasons include:

The CA validates identity and organizational information.

Missing or malformed data invalidates PKI requirements.

The CSR is not corrected automatically by the CA.

Therefore:

✔A is correct.

Options B–D contradict PKI principles:

B is false: CAs do not issue certificates with mismatched identity fields for public trust.

C is false: CSR fields are not only for internal use; they define certificate identity.

D is false: CAs do not auto-correct CSR fields.

Context: You’re troubleshootingSyslog-based SSOonFortiAuthenticator:

Devices (typically firewalls, WLAN controllers, VPN gateways) sendsyslog messagescontaining usernames, IPs, login/logout events.

FortiAuthenticator parses those logs usingSyslog SSO rulesand injects logon sessions intoFSSOfor FortiGate.

When users are not mapping correctly, you need to see:

Did the syslog message arrive?

Which matching rule (if any) caught it?

What username and IP were extracted?

Why was a message ignored or rejected?

FortiAuthenticator has a dedicated debug area for this:

Debug logs → Single Sign-On → Syslog SSO

This view shows:

Raw syslog lines received

Thematching ruleapplied (or “no match”)

Parsed fields (username, IP, group)

Any parsing errors

This is exactly the tool designed totroubleshoot and diagnose Syslog SSO issues.

Why the other options are not the best for this issue

A. Debug logs > Remote Servers > Syslog Viewer

Lets you see syslog traffic in general, but doesnotshow how SSO rules are applied or why they fail. Good for connectivity checks, not SSO logic.

B. Parsing Test Tool

Useful totestpatterns and rules manually by pasting sample log lines, but it doesn’t show live traffic or running SSO sessions.

C. Debug logs > SSO Sessions page

Shows existing SSO sessions (who is logged in), but notwhya particular syslog message did not create a session.

When FortiAuthenticator is used as anFSSO agentbased onsyslog, it must:

Parse incoming syslog messagesfrom devices (firewalls, WLAN controllers, VPN concentrators, etc.).

Extract identity fieldssuch as:

Username

IP address

Login/logout event indicators

Syslogmatching ruleson FortiAuthenticator define:

Which syslog messages are relevant (by facility, message pattern, or regex).

How to capture specific fields (username, IP, group, event type).

FortiAuthenticator then uses this parsed data toinject logon sessions into FSSO, so FortiGate can apply identity-based policies.

Thus, the role of syslog matching rules is exactly as described inC.

A: Group mapping is handled separately via directory groups / FSSO config, not directly by matching rules.

B: Enforcement of authentication policies is done on FortiGate, not directly by the matching rules.

D: While irrelevant logs can be ignored via rules, the primary purpose isparsing and extraction, not generic filtering.

From the exhibits and text:

FortiGate →RADIUS→ FortiAuthenticator

FortiAuthenticator →LDAP→ Windows AD

diagnose test authserver radius ... papsucceeds

diagnose test authserver radius ... mschap2fails

This behavior matches a classic limitation documented in FortiOS:

When usingLDAPas the back-end, the RADIUS server must usePAP. CHAP/MS-CHAPv2 arenot supportedwith plain LDAP because the server cannot validate the challenge–response without access to password hashes.

In the Remote LDAP server config on FortiAuthenticator, the option“Windows Active Directory Domain Authentication” is disabled.When this feature isenabled, FortiAuthenticator can talk to AD usingKerberos/NTLMinstead of a simple LDAP bind, whichdoes support MS-CHAPv2for incoming RADIUS authentications.

So to allow MS-CHAPv2 all the way from FortiGate to AD, you must:

Keep FortiGate using RADIUS with MS-CHAPv2 → FortiAuthenticator

EnableWindows Active Directory Domain Authenticationso FortiAuthenticator can properly validate MS-CHAPv2 against AD.

Why the other options are wrong:

A. Change to CHAP– CHAP still cannot be validated over LDAP; docs say LDAP back-ends must usePAP.

C. Manually add users to local DB– That would allow local-DB auth but does not fix MS-CHAPv2 against AD.

D. Use RADIUS attributes on FortiGate– Attributes do not influence the EAP inner method; they don’t fix MS-CHAPv2 failures.

Therefore the configuration change that can realistically fix the MS-CHAPv2 problem isenabling Windows Active Directory Domain Authentication on FortiAuthenticator (B).

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

When a device’sMAC address is quarantinedon a FortiSwitch (via FortiLink NAC, fabric automation, or manual quarantine), FortiSwitch enforces quarantine using thequarantine VLAN, also called theaccess VLANinside FortiSwitch NAC operations.

FortiSwitch behavior is defined in LAN Edge documentation:

Quarantined devices are moved into an"access VLAN" reserved for isolation.

This VLAN isstatically defined on the FortiGate NAC policy, and switch ports dynamically reassign the quarantined MAC into that VLAN.

All egress traffic from the quarantined MAC is forced into this VLAN, preventing access to the production network.

Thus, the correct description is:

✔Traffic is sent to an access VLAN.

Options B, C, and D are incorrect because:

Quarantine doesnotreassign to native VLAN.

It doesnotsend untagged traffic arbitrarily.

It doesnotforward traffic to allowed VLANs

When a FortiGate is deployed usingZero Touch Provisioning (ZTP)or auto-discovery:

FortiGate retrieves theFortiManager IP address(from DHCP Option 240, FortiCloud/ZTNA provisioning, or manual set).

The next step isnot UI authorizationor DHCP changes—it immediately attempts to form aFGFM (FortiGate–FortiManager) tunnel.

The FGFM protocol usesTCP port 541to establish a secure management channel.

FortiManager will still require manual authorization of the deviceinside FortiManager, but this occursafterthe tunnel is established.

Therefore, the first automatic action after retrieving the FMG address iscreating the secure FGFM tunnel on TCP/541.

FortiGate and FortiSwitchmust share synchronized timewhen operating in FortiLink mode.

Documented reasons in FortiOS:

Accurate time synchronization is required for logs, authentication events, and fabric correlations.

Why it’s critical:

802.1X EAP and RADIUS timestamp validation

NAC policy enforcement timestamps

Certificate validation

Log correlation in Security Fabric / FortiAnalyzer

Incorrect options:

A: Firmware synchronization does NOT require NTP.

B: Switch-to-switch communication does not depend on NTP.

D: Standalone mode is unrelated to time sync.