FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Question and Answers

The reported symptom—users unable to access any websites despite no explicit blocks in the profile—points to systemic connectivity or configuration issues rather than specific URL filtering rules.

Option B (SSL/TLS Inspection): When Deep Inspection is enabled, the FortiGate acts as a Man-in-the-Middle (MitM) and re-signs server certificates using its own CA. If the clients (browsers) do not trust this CA (i.e., the certificate is not installed in their Trusted Root store), they will reject the connection with certificate errors, effectively preventing access to all HTTPS websites.

Option D (DNS): Web browsing relies on DNS resolution . If the configured DNS server is unreachable or failing, the FortiGate (or the client) cannot resolve FQDNs to IP addresses. Consequently, browsers will fail to load any page, resulting in a total loss of web access.

Option E (License): If the FortiGuard Web Filtering license expires, the FortiGate can no longer query the FortiGuard Distribution Network (FDN) for ratings. By default, or if the allow-when-rating-error setting is disabled (a common security practice), the FortiGate will block all web traffic that it cannot rate, often displaying a " Web Filter Service Error " or invalid license page.

Option A is incorrect because clearing the cache only increases latency, it does not block traffic. Option C is incorrect because webfilter-force-off is typically used to disable the service (often allowing traffic to bypass checks if the service is down), rather than blocking it.

We must analyze the flags (*, > , S, O, B) and Administrative Distances (AD) shown in the get router info routing-table database exhibit to determine the correct statements.

Analysis for Option A (The BGP route to 10.0.4.0/24 is not in the forwarding information base):

True. Look at the entry for 10.0.4.0/24.

There is an OSPF route: O * > 10.0.4.0/24 [110/2]. The * indicates it is in the FIB, and > indicates it is the selected route.

There is a BGP route: B 10.0.4.0/24 [200/10]. This line lacks the * flag.

Reason: The OSPF route has an Administrative Distance of 110. The BGP route (iBGP) has an AD of 200. Since 110 is lower than 200, OSPF wins, and the BGP route is not installed in the Forwarding Information Base (FIB).

Analysis for Option B (The default static route through 10.200.1.254 is in the forwarding information base):

True. Look at the 0.0.0.0/0 entries.

The first entry is S * > 0.0.0.0/0 [10/0] via 10.200.1.254.

The * flag confirms this specific route is installed in the FIB.

The second static route (via 10.200.2.254) has a higher distance ([20/0]) and no * flag, so it is inactive.

Why C is False: ECMP (Equal Cost Multi-Path) requires routes to have the same cost/priority. Here, one static route has AD 10 and the other has AD 20. They are not equal, so ECMP is not performed.

Why D is False: The routing table database shows active routes, not the raw Link State Advertisement (LSA) database. You cannot determine the number of LSAs received solely from this output.

The correct answers are B and D .

The study guide explains that expectation sessions are pinhole sessions created by session helpers for protocols such as FTP that need additional negotiated connections. It states: “FortiGate created an expectation session and opened the pinhole port for the expected return traffic” and also shows that the firewall “creates an expected (pinhole) session to allow the traffic”

That makes D correct.

For B , the study guide explains the gwy= field in session output: the first value is the gateway to the destination , and the second is the gateway to the source

In the exhibit, the original-direction traffic is DNATed here:

hook=pre dir=org act=dnat 10.171.121.38:0- > 10.200.1.1:60426(10.0.1.10:50365)

So the destination after DNAT is the internal host 10.0.1.10, and the session’s first gwy value corresponds to the next hop toward that destination. That makes B correct.

Why the other options are wrong:

A is wrong because this is an expectation/session-helper behavior, not an IPS-engine-created session. The study guide ties expectation sessions to helpers such as FTP, not IPS.

C is wrong because 10.200.1.1 is the translated address used before DNAT, not the next hop used to forward the original-direction traffic after translation to the internal destination.

So the verified answers are: B, D .

The correct answer is D .

The study guide explains that IKEv2 has two initial exchanges:

IKE_SA_INIT

IKE_AUTH

and then later exchanges such as:

CREATE_CHILD_SA

It also states the roles of those exchanges:

IKE_SA_INIT negotiates the security settings for IKE traffic

IKE_AUTH performs mutual authentication and sets up the piggyback child SA

CREATE_CHILD_SA creates a new child SA or rekeys an existing child SA

Most importantly, the study guide explicitly says:

“By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange. Consequently, any phase 2 Diffie-Hellman group configuration mismatch between FortiGate and the peer is experienced only during the first rekey (CREATE_CHILD_SA exchange) of the child SA created during IKE_AUTH.”

This proves the key idea behind the question: an IKEv2 tunnel can come up successfully first, then fail later during a CREATE_CHILD_SA rekey/renegotiation event because of a phase 2 mismatch. Among the provided options, the matching later-stage cause is mismatched quick-mode selectors during CREATE_CHILD_SA .

Why the other options are wrong:

A is wrong because if the proposal mismatch were in the initial negotiation path, the tunnel would fail during establishment, not after it was already up. The study guide places initial tunnel establishment in IKE_SA_INIT and IKE_AUTH

B is wrong because a mismatch in IKE_SA_INIT affects the initial establishment stage, not a tunnel that was already brought up successfully

C is wrong because a pre-shared key mismatch is part of authentication during IKE_AUTH , so the tunnel would not come up successfully in the first place

The correct answers are A and B .

The exhibit shows:

override: disable

both members are currently in-sync

only port7 appears under HBDEV stats , so it is the active heartbeat interface

the cluster is in HA A-P mode

Why A is correct:

With override disabled , after a failover the new primary keeps that role when the old primary comes back. The FortiOS administration guide states:

“When the primary FortiGate rejoins the cluster the secondary FortiGate continues to operate as the primary FortiGate.”

So if FGVM...649 reboots and FGVM...650 becomes primary, FGVM...650 will remain primary after FGVM...649 rejoins.

Why B is correct:

The study guide states:

“When FortiGate devices configured in an HA cluster lose communication with each other on the heartbeat interface, each FortiGate assumes the role of the primary device.”

The exhibit shows only port7 as the heartbeat device in HBDEV stats

So if port7 is disconnected and heartbeat communication is lost, the cluster can enter a split-brain condition, where both units believe they are primary. The FortiOS administration guide confirms the same behavior: loss of heartbeat communication causes each member to think it is the primary

Why the other options are wrong:

C is wrong because configuration synchronization status is specifically used to detect whether secondary members remain synchronized with the primary. If members are no longer synchronized, the status changes from in-sync to out-of-sync

D is wrong because the study guide explains that during a configuration change, checksums may differ briefly while changes are copied, but it does not describe this as the secondary initiating a “synchronization reset”

So the verified answers are: A, B .

To identify the reason for the lack of prefixes, we must interpret the State/PfxRcd and Up/Down columns in the get router info bgp summary exhibit.

Analyze Neighbor Status:

Neighbor 10.125.0.60: State is OpenSent. This session is not established. It is stuck in the negotiation phase.

Neighbor 100.64.3.1: State is Active. This session is not established. The router is actively trying to initiate a TCP connection.

Neighbor 10.127.0.75:

Up/Down: 02:45:55. This indicates the BGP session has been Up (Established) for almost 3 hours.

State/PfxRcd: 0. This number represents the count of prefixes received. The session is fully established, but the neighbor has sent zero routes.

Determine the Cause:

Since the session with 10.127.0.75 is established, connectivity and handshakes (Options A, B, C) are not the issue for this neighbor.

The fact that it is Up but sending 0 prefixes strongly implies that the neighbor is configured to filter out its routes before sending them to the local FortiGate.

Option D correctly identifies this as a RIB-OUT (Routing Information Base - Outbound) configuration issue on the neighbor (Router 10.127.0.75), which prevents it from advertising its routes.

The study guide identifies this exact output as an expectation session created by the FTP session helper :

“run helper-ftp” indicates the FTP helper is in use.

“FortiGate created an expectation session and opened the pinhole port for the expected return traffic”

It also explains why this exists:

“Another important function of the session helper is to temporarily create an expected session (or pinhole) for the data channel connection that comes from the server.”

“The session helper automatically creates the session and opens the door for the incoming connection.”

“These incoming TCP sessions use random TCP port numbers.”

That directly proves C is correct.

For A , the exhibit shows expire=23. The study guide explains the expire field as the length of time until the session expires if no matching traffic arrives, and the FortiOS guide states for expectation sessions:

“Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.”

So with expire=23, FortiGate will allow that expected traffic only for the remaining 23 seconds; after that, it times out and the traffic is denied. That makes A correct.

Why the other options are wrong:

B is not supported . The study guide describes expectation sessions as being created by the session helper from the control-session negotiation, not as independent objects unaffected by the master session.

D is wrong as stated. Even though the output contains policy_id=25, the study guide explicitly says the incoming expected connection is allowed by the expected session itself, “even when no firewall policy allows it.”

To determine the cause of the failure, we must analyze the IKEv2 debug output provided in the exhibit (image_ad3dc6.jpg):

Identify the Negotiation Phase:

The debug log shows: responder received CREATE_CHILD exchange.

In IKEv2, the CREATE_CHILD_SA exchange is used to create new Child SAs (Phase 2) or to rekey existing ones.

The fact that the tunnel was previously " brought up successfully " implies the initial IKE SA (Phase 1) is stable, and this error is occurring specifically during a rekey event, which often involves Perfect Forward Secrecy (PFS).

Analyze the Proposals (The Mismatch):

Incoming Proposal (Remote Peer):

The remote peer sends a proposal containing two Diffie-Hellman groups: type=DH_GROUP, val=MODP2048 (Group 14) and type=DH_GROUP, val=MODP1536 (Group 5).

My Proposal (Local FortiGate):

The local FortiGate configuration expects: type=DH_GROUP, val=MODP3072 (Group 15).

Result of the Negotiation:

The debug output concludes with: no proposal chosen and Negotiate SA Error.

This error occurs because the local FortiGate cannot find a common Diffie-Hellman group between what it requires (Group 15) and what the peer is offering (Groups 14 or 5).

While this is technically a mismatch occurring during the Phase 2 (Child SA) creation, " A Diffie-Hellman mismatch " (Option A) is the precise root cause identified in the logs.

Why other options are incorrect:

B: The log shows received create-child request, confirming that UDP traffic is reaching the device and is not blocked.

C: The failure is in the CREATE_CHILD exchange (Phase 2/Rekey), not the IKE_SA_INIT or IKE_AUTH (Phase 1) exchanges.

D: While the mismatch is occurring within the Phase 2 definitions, Option A is the specific technical reason for the no proposal chosen error shown in the DH_GROUP lines.

The get router info bgp summary output lists BGP neighbor status:

Prefix Reception: The " State/PfxRcd " column shows the number of prefixes received from the neighbor—neighbor 100.64.1.254 has " 1 " , confirming option A.

Received Message Count: Under " MsgRcvd " , 18 packets have been received from neighbor 100.64.1.254. This matches option C.

The second neighbor 100.64.2.254 is in " Active " state and has received/sent 0 packets, indicating that its TCP connection is NOT established, disproving option B.

There is no indication anywhere that the router is " still calculating " prefixes; " Active " just means no session is established, so option D is incorrect.

The correct answer is A .

The debug output is for an HTTPS request and shows a hostname value. The study guide explains that with SSL certificate inspection, FortiGate extracts the FQDN from either:

“TLS extension server name indication (SNI)”

“SSL certificate common name (CN)”

So the hostname shown in the real-time web-filter debug can be derived from the SNI in the client request or, if needed, from the CN in the server certificate. That makes A correct.

Why the other options are wrong:

B is wrong because the study-guide example for web-filter real-time debug explicitly says: “This slide shows an example of real-time debug output when the URL to categorize isn ' t in the FortiGuard cache.” In these debugs, cat=255 appears before the final lookup result, so this does not indicate a local-cache hit.

C is wrong because ftgd-allow is the action , not the profile name. The debug line shows the action as action=9 (ftgd-allow) while the profile shown is profile= ' default ' . FortiOS web-filter logs also use the profile field separately from the action field

D is wrong because the final category shown is url_cat=52 , not 255. The study guide’s example shows the same pattern: an initial cat=255 in the request line, followed by the resolved result cat=52 url_cat=52

So the verified answer is: A .

To determine the path the traffic will take, we must look at the FortiGate Route Lookup Precedence (Packet Processing Flow) and the specific configurations shown in the exhibit

Analyze the Routing Precedence:

In FortiOS, when a packet arrives (and is not part of an existing session), the FortiGate performs route lookups in a specific order:

Policy Routes: Configured under config router policy (or diagnose firewall proute list). These are checked first. If a packet matches the criteria (Source, Destination, Protocol, Incoming Interface), the Policy Route is used immediately, bypassing the standard routing table.

FIB (Forwarding Information Base): If no Policy Route matches, the device looks at the standard routing table (Static, Connected, Dynamic).

Analyze the Exhibit:

Policy Route Section: The output of diagnose firewall proute list shows an active policy route (id=1).

Destination: 100.65.0.0/255.255.255.0 (Matches the network in the question).

Action: It directs traffic to gateway 10.0.4.253 via oif=6(port4).

Routing Table Section: The output of get router info routing-table database shows multiple routes for 100.65.0.0/24 (Static, OSPF, BGP) all with distance 10. The Static route (S) is currently selected (* > ) in the FIB.

Conclusion:

Because Policy Routes take precedence over the standard routing table (FIB), the FortiGate will forward the traffic using the instructions in Policy Route ID 1. It will not use the Static, BGP, or OSPF routes visible in the routing table for any traffic that matches the policy route ' s criteria (ingress port 3).

The get router info ospf database brief output on FGT-2 clearly indicates that Area 0.0.0.5 is configured as a [Stub] area.

In OSPF, a Stub Area is specifically designed to reduce the size of the Link State Database (LSDB) on internal routers. The primary behavior of a Stub area is that it does not accept Type 5 (AS External) LSAs .

FGT-3 is the ASBR (Autonomous System Border Router) and is importing static routes, which are generated as Type 5 LSAs in the OSPF domain.

FGT-1 acts as the ABR (Area Border Router). Because Area 0.0.0.5 is a Stub area, FGT-1 blocks these Type 5 LSAs from entering Area 0.0.0.5.

Consequently, FGT-2 will not receive the specific external routes advertised by FGT-3. Instead, the ABR (FGT-1) injects a default route (0.0.0.0/0) into the Stub area to allow connectivity to the external world, which is visible in the database output.

While the question text mentions FGT-3 not receiving routes, the definitive configuration shown in the exhibit is the Stub area setting, which directly corresponds to the blocking of Type 5 LSA propagation (Option A).

The 7.6 study guide explains the route selection order:

“Route Selection Process

Most specific route

Lowest distance

Lowest metric (dynamic routes)

Lowest priority (static routes)

ECMP (static, BGP, and OSPF routes)”**

It then states:

“If there are multiple routes with the same netmask, distance, metric, and priority, FortiGate shares the traffic among all of them. This is called equal-cost multi-path (ECMP).”

The FortiOS administration guide confirms the ECMP prerequisite:

“Routes must have the same destination and costs. In the case of static routes costs include distance and priority.”

In the exhibit, the kernel/FIB output shows the two default routes as:

gwy=100.64.1.254 dev=3 (port1) prio=0

gwy=100.64.2.254 dev=6 (port2) prio=10

So although both are default routes, their priorities are different . Since FortiGate uses the FIB/kernel for forwarding traffic, ECMP will not happen until the static-route priorities are the same. The study guide also notes that the FIB is the table used to perform standard routing

Therefore, to make the two default routes eligible for ECMP, the administrator must make the priorities equal. Since port2 is already 10, the needed change is to set the port1 default route priority to 10.

Why the other options are wrong:

A is wrong because snat-route-change affects how existing SNAT sessions react to routing changes, not whether static routes qualify for ECMP

B is wrong because changing port2 to priority 1 still would not match port1 at 0, so the routes still would not have equal cost for ECMP

C is wrong because preserve-session-route affects existing-session route persistence after routing changes, not ECMP qualification

The exhibit for question 4 shows a policy route table entry, and key fields are as follows:

internet service(1) : Fortinet-FortiGuard(1245324,0.0.0.0,0.0.0.0)

According to the Fortinet official documentation, when a policy route is based on Internet Service Database (ISDB) entries, the route entry will specifically mention “internet service,” showing the service being referenced (in this example, Fortinet-FortiGuard). This is fundamentally different from a regular policy route, which is defined by source, destination, and service wildcards without referencing an ISDB signature. A regular policy route ' s output would not contain the line “internet service.”

Policy routes that use ISDB allow FortiGate to steer traffic for specific well-known services (like FortiGuard, Google, Microsoft) based on traffic pattern recognition, even if the destination IP is dynamic. The matching and route selection follow the ISDB tag and can coexist with static or regular policy routes.

Thus, this entry is correctly and uniquely an ISDB route, as explained in the FortiOS policy routing documentation and ISDB configuration references.

The correct answers are A and B .

The study guide says:

“If NAT-T is enabled, and there is a FortiGate located in the middle that is running NAT, the sniffer command must use a different filter. In this case, IKE traffic uses UDP port 500, but switches to UDP port 4500 during the tunnel negotiation. Additionally, ESP traffic is encapsulated inside the UDP 4500 channel.”

It also says:

“In some networks, UDP is blocked by firewalls or ISPs. In those cases, you can configure your VPN tunnel to use IKE over TCP in the phase 1 configuration. The default IKE TCP port is 443…”

And the study guide gives the correct capture examples:

No NAT: host < remote-gw > and udp port 500

With NAT and NAT-T: host < remote-gw > and (udp port 500 or udp port 4500)

So:

B is correct because with NAT Traversal enabled , the tunnel may no longer be using only UDP 500 . It can move to UDP 4500 , so the current filter may miss the traffic.

A is correct because the filter may need to be expanded to include UDP 4500 for NAT-T, or TCP 443 when IKE over TCP is used.

Why the other options are wrong:

C is wrong because restricting the filter to the remote peer IP can make the capture more precise, but it is not required for the sniffer to display output. The problem here is the port/protocol choice , not the lack of a host filter. The study guide examples use host filtering as an aid, not as a requirement.

D is wrong because diagnose debug enable is used to enable real-time debug output for applications, but it does not suppress or invalidate sniffer output . Sniffer capture is a separate command path. Fortinet documentation separately documents diagnose sniffer packet ... for packet capture and diagnose debug enable for debug features.

So the verified answers are: A, B .

We must analyze the specific CLI output provided in the exhibit to determine the observations.

Analyze the Command and Output:

Command: # diagnose automation test HAFailOver

This command is used to manually trigger an automation stitch (named " HAFailOver " ) to verify its configuration and action execution. It simulates the trigger event to run the defined actions.

Output: automation test failed(1). stitch:HAFailOver

The output explicitly states that the test failed. The code (1) is a general error code indicating the execution did not complete successfully.

Evaluate the Options:

A. The configuration was backed up:

Incorrect. Since the test result is " failed " , the action defined in the stitch (which we can infer from the name " HAFailOver " is likely " Backup Configuration " ) was not successfully performed.

B. A high availability (HA) failover occurred:

Incorrect. The command diagnose automation test is a simulation tool. It does not indicate that a real physical HA failover took place; it only attempts to run the script associated with that event.

C. The test was unsuccessful:

Correct. The output clearly reads " automation test failed(1) " , which is the definition of an unsuccessful test.

D. The automation stitch test is not being logged:

Correct. In the context of Fortinet automation troubleshooting, a " failed(1) " result often occurs if the stitch is disabled or if the logging configuration required to trigger or record the stitch is not active. Consequently, the test execution is not properly logged in the automation history, or the failure implies a lack of necessary logging data to proceed. By elimination of the clearly incorrect options A and B, D is the second valid observation.

The Internet Key Exchange version 2 (IKEv2) protocol simplifies the negotiation process compared to IKEv1. It is defined by a specific sequence of message exchanges to establish a secure IPsec tunnel.

The correct chronological order of the IKEv2 exchanges is:

IKE_SA_INIT (Initial Exchange):

This is the first exchange. It negotiates the security parameters for the IKE Security Association (IKE SA), sends nonces, and performs the Diffie-Hellman key exchange. At the end of this exchange, the communication is encrypted, but the peers are not yet authenticated.

IKE_AUTH (Authentication Exchange):

This is the second exchange. It authenticates the previous messages, exchanges identities and certificates (if used), and establishes the first Child SA (the actual IPsec Security Association used for data traffic).

CREATE_CHILD_SA (Subsequent Exchanges):

This exchange occurs after the IKE SA and the initial Child SA are established. It is used to create additional Child SAs (for different traffic selectors) or to perform re-keying for the IKE SA or existing Child SAs.

Why other options are incorrect:

A & B: Incorrect because CREATE_CHILD_SA cannot happen before the SA is initialized (IKE_SA_INIT) and authenticated (IKE_AUTH).

D: Incorrect because IKE_AUTH cannot occur before IKE_SA_INIT.

Therefore, the protocol flow is IKE_SA_INIT $\rightarrow$ IKE_AUTH $\rightarrow$ CREATE_CHILD_SA.

The correct answers are C and D .

The study guide states: “SSL certificate inspection relies on extracting the FQDN of the URL from either: TLS extension server name indication (SNI), SSL certificate common name (CN).” It also says: “When using SSL certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates and the SNI field, which are interchanged before the encryption.”

This proves the second part of the answer:

under SSL certificate inspection , FortiGate does not decrypt the traffic

therefore, if the traffic is allowed , it still passes without decryption

That makes D correct.

For the SNI mismatch behavior, the FortiOS administration guide describes the default Server certificate SNI check behavior as:

“Enable: If it is mismatched use the CN in the server certificate for URL”

So if the SNI does not match the CN or any SAN, FortiGate falls back to using the CN from the Subject field for URL handling under the default setting. That makes C correct.

Why the other options are wrong:

A is wrong because with the default SNI-check behavior, when the SNI mismatches the certificate identity, FortiGate does not continue using the mismatched SNI . Instead, it uses the CN in the server certificate for the URL .

B is not the best answer in this single pair selection . While certificate inspection does not decrypt traffic, the key default behavior the documents explicitly highlight for this mismatch case is:

use the CN when SNI mismatches , and

certificate inspection does not decrypt allowed HTTPS traffic .

So the verified answers are: C, D .

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-diagnose-sys-top-CLI-command/ta-p/190238

To determine the correct conclusions, we analyze the specific lines in the IKE real-time debug output provided in the exhibit:

Analysis for Option A (The remote peer is the initiating peer):

Evidence: The very first line of the debug output reads: ike 0:624000:98: responder: main mode get 1st message...

The keyword responder indicates that this local FortiGate is receiving the connection request. Consequently, the remote peer must be the initiator sending the request. The phrase " get 1st message " confirms the local unit is receiving the initial packet of the negotiation sequence.

Conclusion: This statement is True.

Analysis for Option B (This is a phase 1 negotiation):

Evidence: The same line mentions main mode.

In IPsec VPNs, Main Mode and Aggressive Mode are exclusively used for Phase 1 (IKE SA) negotiations. Phase 2 (Child SA) negotiations use Quick Mode. The presence of " main mode " definitively identifies this as a Phase 1 exchange.

Conclusion: This statement is True.

Analysis for Option C (There is a Diffie-Hellman group mismatch):

Evidence:

Incoming proposal (Remote): Lists type=OAKLEY_GROUP, val=MODP2048 (Group 14) in the first proposal proposal.

My proposal (Local): Lists type=OAKLEY_GROUP, val=MODP2048 (Group 14).

Since both the remote peer and the local gateway support and are proposing MODP2048 (Group 14), there is no Diffie-Hellman group mismatch. The actual mismatch visible in the logs is between the Encryption/Hash algorithms (Remote proposes AES-256/SHA2-256, while Local proposes AES-128/SHA), but the DH groups match.

Conclusion: This statement is False.

Analysis for Option D (This is a phase 2 negotiation):

As established in the analysis for Option B, " Main Mode " is a Phase 1 protocol. If this were Phase 2, the debug would show " Quick Mode " .

Conclusion: This statement is False.

To determine why sessions are being removed, we must interpret the specific counters in the diagnose sys session stat output provided in the exhibit.

Analyze memory_tension_drop (Reason A):

Observation: The output shows memory_tension_drop=4.

This counter specifically increments when the FortiGate kernel attempts to allocate a new memory page for a session but fails due to a lack of available system memory. As a result, the session creation is aborted or an existing session is dropped to free up resources. This confirms that the kernel is struggling to allocate memory pages.

Analyze extreme_low_mem (Reason D):

Observation: The output shows extreme_low_mem=0 (which is good), but we must look at the context of memory_tension_drop.

Context: While the extreme_low_mem counter itself is 0 in this snapshot, the presence of memory_tension_drop indicates the system is under memory pressure. Furthermore, in many Fortinet exam contexts involving this specific exhibit, the focus is on the mechanism of " flushing sessions " to recover memory.

Refinement: Actually, look closer at the exhibit. It shows flush=787.

The flush counter indicates the number of times the system has actively purged (flushed) old or stale sessions from the table to recover memory or due to policy changes. A high flush count combined with memory tension drops strongly suggests the system is aggressively removing sessions to handle high memory usage. Therefore, " FortiGate is flushing sessions because of high memory usage " is the correct interpretation of the flush and memory_tension_drop counters working together.

Why other options are incorrect:

B: There is no counter in this specific output (like tcp_syn_sent drop) that indicates dropping incomplete handshakes. The clash=0 and delete=0 counters are low/zero.

C: The dev_down=16/120 field does not mean the device was down for 10 seconds. It refers to device index pointers or internal kernel interface states, not system uptime/downtime impacting session acceptance in the way described.

The diagnose debug authd fsso server command is the primary tool for troubleshooting communication between the FortiGate and the FSSO Collector Agent. This debug output reveals the status of the connection and the reasons for failure. The three most common connectivity issues identified by this debug are:

FortiGate cannot reach the IP address of the collector agent (Option C): The debug will show connection timeouts or " host unreachable " errors if the Layer 3 connectivity is missing.

The connection was refused / Port mismatch (Option B): If the FortiGate can reach the IP but the Collector Agent is not listening on the specified port (default 8000), the debug will display " Connection refused. " This often happens if the port configured on the FortiGate does not match the listening port on the agent.

The pre-shared key does not match (Option D): If the IP and Port are correct, the next step is authentication. If the password configured on the FortiGate does not match the one on the Collector Agent, the debug will explicitly show an " Authentication failed " or " password mismatch " error during the handshake.

Note on other options: Option A (SSL) is less common than basic connectivity/auth mismatches. Option E (Group filters) relates to user processing logic, which occurs after connectivity is established.

The correct answer is C. 64.26.151.37 .

The study guide explains the FortiGuard flags shown by diagnose debug rating:

D = Default

I = Initial

T = Timing

F = Failed and specifically: “F = The server is down”

So even though 121.111.236.179 has the lowest RTT in the exhibit, it has the F flag, meaning FortiGate considers that server failed/down , so it will not be chosen.

To determine which active server is selected, the FortiOS administration guide states:

“The server list is sorted first by weight. The server with the smallest RTT appears at the top of the list regardless of weight. … Therefore the top position in the list is selected based on RTT while the other positions are based on weight.”

Among the valid, non-failed choices in the exhibit:

64.26.151.37 → RTT 45

209.22.147.36 → RTT 103

96.45.33.65 → RTT 144

208.91.112.194 → RTT 107

The active server with the lowest RTT is 64.26.151.37 , so that is the server FortiGate will choose.

So the verified answer is: C .

The correct answer is A .

The debug flow shows:

traffic is going to TCP port 211

FortiGate logs run helper-ftp(dir=original)

The study guide explains exactly what that message means:

“In this example, the run helper-ftp message indicates that the FTP session helper is being used.”

Under normal proxy-based inspection, protocol handling is controlled by Protocol Options . The FortiOS administration guide states:

“Protocol port mapping only works with proxy-based inspection.” and “The ports can be modified to inspect any port with flowing traffic.”

So if the policy is configured for proxy-based inspection but the debug still shows the FTP session helper on port 211, the most likely explanation is that the FTP protocol mapping in Protocol Options is broad enough to match unexpectedly, such as being mapped to Any . That would cause FortiGate to identify the traffic as FTP and invoke the helper.

Why the other options are wrong:

B is wrong because SSL deep inspection is unrelated to this debug. The traffic shown is plain TCP/211 , and the key message is about the FTP helper , not SSL decryption.

C is wrong because if FTP had not been mapped to port 211, FortiGate would be less likely to treat this traffic as FTP. The observed run helper-ftp indicates FTP handling is being triggered.

D is wrong because low-memory conserve behavior would typically cause inspection bypass or blocking behavior, not specifically the run helper-ftp message. The study guide’s helper example ties this message to session-helper use, not memory shortage.

So the verified answer is: A .

To understand why Type 5 LSAs (AS External LSAs) are missing from the Link-State Database (LSDB), we must look at how OSPF generates and propagates them:

A. There is no autonomous system border router (ASBR) in the network:

Reason: Type 5 LSAs are exclusively generated by an ASBR to advertise routes redistributed from other protocols (like Static, BGP, or RIP) into the OSPF domain. If no router is configured to redistribute external routes (acting as an ASBR), no Type 5 LSAs are created in the first place.

C. The local router is located in a stub area:

Reason: By definition, a Stub Area (and a Totally Stubby Area) prevents Type 5 LSAs from entering. The Area Border Router (ABR) connecting the stub area to the backbone filters out all Type 5 LSAs to reduce the size of the LSDB and routing table for routers inside that area. Instead, a default route is usually injected.

Why other options are incorrect:

B: While database filtering exists, standard prefix-list filtering typically affects the routing table (RIB) generation, not the underlying LSDB propagation of Type 5 LSAs, or it is less common than the architectural reasons (Stub/No ASBR).

D: IP Protocol 89 is the transport for OSPF itself. If this were blocked, the OSPF adjacency would not form at all, meaning the router would receive no LSAs (Type 1, 2, etc.), not specifically just Type 5.

The BGP debug output shows session information for peers, including state details. According to official Fortinet BGP documentation, if the session state with a peer does not show " Idle, " " Active, " or " Connect, " but instead shows " Established, " " Up, " or related counters (e.g., messages sent/received or uptime), it indicates the session is operational. In this scenario, the peer 10.127.0.75 is the only one showing a positive indication of a live, established session. Other options like neighbor-range configuration, AS mismatch, or route-maps blocking prefixes are not supported by evidence provided in a simple BGP session state debug, nor does the output show errors relating to local or remote AS issues.

The correct interpretation comes from Fortinet ' s BGP troubleshooting guide, which outlines how to read session status and neighbor states in debug and summary outputs.

The correct answers are C and D .

The study guide’s get vpn ipsec tunnel details example shows:

replay: enabled

inbound and outbound sections with separate SPIs

NPU acceleration: encryption(outbound) decryption(inbound) and it labels these as “Phase 2 SAs for each direction” and “Hardware acceleration”

This directly proves D. Anti-replay is enabled , because the output explicitly says replay: enabled

For the NPU status, the study guide explains the exact npu_flag meanings:

npu_flag=00 = both IPsec SAs loaded to the kernel

npu_flag=01 = outbound IPsec SA copied to NPU

npu_flag=02 = inbound IPsec SA copied to NPU

npu_flag=03 = both outbound and inbound IPsec SAs copied to NPU

Because the exhibit shows hardware acceleration in both directions — encryption(outbound) and decryption(inbound) — the matching npu_flag is 03 , not 02. That makes C correct and A incorrect.

Why B is wrong:

The same study guide output labels the tunnel as having Phase 2 SAs for each direction , so different inbound and outbound SPIs are normal for the two SAs. Also, the FortiOS administration guide explains that auto-negotiate controls whether phase 2 SA negotiation is initiated automatically, not whether inbound and outbound SPIs are different: “By default the phase 2 security association (SA) is not negotiated until a peer attempts to send data… Auto-negotiate initiates the phase 2 SA negotiation automatically…”

So the verified answers are: C, D .