Fortinet FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Exam Practice Test

The BGP debug output shows session information for peers, including state details. According to official Fortinet BGP documentation, if the session state with a peer does not show "Idle," "Active," or "Connect," but instead shows "Established," "Up," or related counters (e.g., messages sent/received or uptime), it indicates the session is operational. In this scenario, the peer 10.127.0.75 is the only one showing a positive indication of a live, established session. Other options like neighbor-range configuration, AS mismatch, or route-maps blocking prefixes are not supported by evidence provided in a simple BGP session state debug, nor does the output show errors relating to local or remote AS issues.

The correct interpretation comes from Fortinet's BGP troubleshooting guide, which outlines how to read session status and neighbor states in debug and summary outputs.

The exhibit for question 4 shows a policy route table entry, and key fields are as follows:

internet service(1) : Fortinet-FortiGuard(1245324,0.0.0.0,0.0.0.0)

According to the Fortinet official documentation, when a policy route is based on Internet Service Database (ISDB) entries, the route entry will specifically mention “internet service,” showing the service being referenced (in this example, Fortinet-FortiGuard). This is fundamentally different from a regular policy route, which is defined by source, destination, and service wildcards without referencing an ISDB signature. A regular policy route's output would not contain the line “internet service.”

Policy routes that use ISDB allow FortiGate to steer traffic for specific well-known services (like FortiGuard, Google, Microsoft) based on traffic pattern recognition, even if the destination IP is dynamic. The matching and route selection follow the ISDB tag and can coexist with static or regular policy routes.

Thus, this entry is correctly and uniquely an ISDB route, as explained in the FortiOS policy routing documentation and ISDB configuration references.

The get router info ospf database brief output on FGT-2 clearly indicates that Area 0.0.0.5 is configured as a [Stub] area.

In OSPF, a Stub Area is specifically designed to reduce the size of the Link State Database (LSDB) on internal routers. The primary behavior of a Stub area is that it does not accept Type 5 (AS External) LSAs.

FGT-3 is the ASBR (Autonomous System Border Router) and is importing static routes, which are generated as Type 5 LSAs in the OSPF domain.

FGT-1 acts as the ABR (Area Border Router). Because Area 0.0.0.5 is a Stub area, FGT-1 blocks these Type 5 LSAs from entering Area 0.0.0.5.

Consequently, FGT-2 will not receive the specific external routes advertised by FGT-3. Instead, the ABR (FGT-1) injects a default route (0.0.0.0/0) into the Stub area to allow connectivity to the external world, which is visible in the database output.

While the question text mentions FGT-3 not receiving routes, the definitive configuration shown in the exhibit is the Stub area setting, which directly corresponds to the blocking of Type 5 LSA propagation (Option A).

To understand why Type 5 LSAs (AS External LSAs) are missing from the Link-State Database (LSDB), we must look at how OSPF generates and propagates them:

A. There is no autonomous system border router (ASBR) in the network:

Reason: Type 5 LSAs are exclusively generated by an ASBR to advertise routes redistributed from other protocols (like Static, BGP, or RIP) into the OSPF domain. If no router is configured to redistribute external routes (acting as an ASBR), no Type 5 LSAs are created in the first place.

C. The local router is located in a stub area:

Reason: By definition, a Stub Area (and a Totally Stubby Area) prevents Type 5 LSAs from entering. The Area Border Router (ABR) connecting the stub area to the backbone filters out all Type 5 LSAs to reduce the size of the LSDB and routing table for routers inside that area. Instead, a default route is usually injected.

Why other options are incorrect:

B: While database filtering exists, standard prefix-list filtering typically affects the routing table (RIB) generation, not the underlying LSDB propagation of Type 5 LSAs, or it is less common than the architectural reasons (Stub/No ASBR).

D: IP Protocol 89 is the transport for OSPF itself. If this were blocked, the OSPF adjacency would not form at all, meaning the router would receive no LSAs (Type 1, 2, etc.), not specifically just Type 5.

To display debug output on FortiGate devices, you must always run both the application-specific debug command and the global debug enable command. The command diagnose debug application ike -1 sets up the detail level for the IKE daemon debug, but it does not display any debug output on its own. As described in the FortiOS CLI debugging manuals, the command diagnose debug enable activates debug output on the console, making all previously set debugs visible. This is especially important for VPN troubleshooting—without the enable command, no output appears even if there is VPN traffic.

The correct diagnostic sequence is:

diagnose debug application ike -1

diagnose debug enable

This procedure is found in every FortiOS CLI debug tutorial and troubleshooting workflow.

The command on this slide shows a summary of the statuses of all the OSPF neighbors. For each neighbor, it displays the adjacency state and if it is a DR, a BDR, or neither (DROther) Pagina 362 Enterprise_Firewall_7.2_Study. - Point-to-point networks contain only two peers, one at each end of a point-to-point link - Broadcast networks (multi-access) support more than two attached routers. They also support sending messages to multiple recipients (broadcasting). Pagina 365 Enterprise_Firewall_7.2_Study. In any multi-access network there is one DR and one BDR. Pagina 439 Network_Security_Support_Engineer_7.4_Study FULL/- This represents a point-to-point network

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate's subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The partial output from diagnose hardware sysinfo memory provides details on system RAM allocation. According to Fortinet's technical documentation for memory troubleshooting and Linux memory management (which FortiOS is based on):

MemFree is the portion of physical memory not currently allocated to any running process or kernel function. Thus, 708880 kB is available and can be immediately used by user-space programs or system operations.

Inactive refers to pages in the memory cache that were previously in use for I/O or file system buffering but are now not actively referenced. These pages are retained in memory for quick access if needed again, but can be reclaimed for other memory operations if demand increases. The value 98908 kB here represents currently unused cache pages (inactive pages), ready for repurposing or deletion if the system requires more RAM.

Cached represents the total amount of system memory allocated to cache, which includes both active and inactive cache pages. It does not, by itself, represent I/O cache exclusively, nor does "inactive" mean memory “will never be used” as the kernel can re-purpose inactive pages on demand.

In the provided session table output, the following details justify the answers:

Policy ID Match: The line policy_id=1 directly confirms that this session was matched by Firewall Policy ID 1. According to Fortinet’s session table documentation, the policy_id field always references the policy that allowed this session, so this is a clear indicator.

Session Offloading: The presence of the strings npu_state, ips_offload, and notably the NPU info section such as offload=8/8, ips_offload=1/1 shows that this session has been offloaded to the Network Processor Unit (NPU). Fortinet technical documentation states that "offload" values greater than zero in both directions (and an NPU info section) affirm that NPU hardware processing (fast path) is handling this traffic, thus the session is not being handled in software only.

Other options:

VLAN Tagging (vlan=0x0000/0x0000): This means no VLAN tag is assigned to this session.

NP7: The actual NPU model handling the session isn’t exposed in this snippet–the offload parameters shown are generic and not specific to NP7 hardware, so it cannot be concluded from the session data.

Based on the Fortinet FCSS - Network Security 7.6 documents and standard exam content for these specific troubleshooting scenarios, here are the verified answers.

Questions no: 74

Verified Answer: A, C

Comprehensive and Detailed Explanation with all FCSS - Network Security 7.6 documents:

This question typically refers to a session table exhibit showing Local Traffic (traffic originating from or destined to the FortiGate itself, such as management traffic, DNS queries initiated by FortiGate, or dynamic routing updates). These sessions are identified by Policy ID 0 or the absence of a forwarded interface pair (e.g., local flag).

C. FortiGate either initiated the session or the session terminates at FortiGate:

This is the definition of Local Traffic. Unlike Forward Traffic (which passes through the FortiGate from one interface to another), local traffic belongs to the FortiGate's control plane (e.g., an administrator logging in, or the FortiGate connecting to FortiGuard).

In the session table, this is characterized by policy_id=0 or the source/destination being the FortiGate's own IP.

A. FortiGate is performing a security profile inspection using the CPU:

Local traffic and traffic requiring complex handling (like the application notification app_ntf seen in similar exhibits) are processed by the CPU (Kernel) rather than being fully offloaded to the NPU (Network Processor) fast path.

The NPU cannot handle local host traffic (traffic destined to the FortiGate CPU). Therefore, the CPU must process these packets.

Why other options are incorrect:

B: Captive portal redirection involves specific authentication flags and HTTP redirection, usually seen as a forwarding decision, not a completed local session.

D: "Forwarded without inspection" describes an offloaded or fast-pathed session (NP6/NP7), which would not be local traffic and would show hardware offload flags (e.g., np6_0).

The session output reveals a session with proto=1 (ICMP) and the origin and reply directions show address and NAT translations. Specifically, the hook=post dir=org act=snat shows that source NAT is performed for outgoing packets, where the source 10.1.10.10:40602 is translated to 10.200.5.1:8 (likely ICMP id 8, not a TCP/UDP port). The reply direction, hook=pre dir=reply act=dnat, indicates destination NAT for incoming packets: packets incoming for 10.200.5.1:60430 are destination-NATed to 10.1.10.10:40602. The gateway (gwy) is listed as 10.200.1.254/10.1.0.1, which for outgoing traffic means that return traffic is directed to the gateway (10.200.1.254), per the NAT policy. This is confirmed by the FortiOS Session Table Guide, which explains that the returned ICMP reply will be routed out to this NAT gateway. The session statistics and logical flow (SNAT out, matching DNAT in) reinforce that reply traffic to the initiator traverses via 10.200.1.254.

When the FortiGate enters Conserve Mode due to high memory pressure (specifically reaching the Extreme Threshold at 95% memory usage, or the Red Threshold for proxy traffic), the system prioritizes stability and preventing a system crash (kernel panic).

D. FortiGate begins dropping all new sessions to protect resources:

In Extreme Conserve Mode (95%), the FortiGate kernel acts to preserve the remaining memory for system-critical tasks (like admin access and basic packet forwarding of existing sessions). To achieve this, it drops all new session initiation requests regardless of the inspection type.

In Red Conserve Mode (88%), it specifically drops new sessions that require proxy-based inspection (as these consume the most memory), while often still allowing flow-based traffic.

Among the provided choices, "dropping new sessions" is the only standard protective mechanism FortiOS employs to stop memory usage from climbing further.

Why other options are incorrect:

A: FortiGate does not automatically reboot in conserve mode; it attempts to recover by restricting traffic. (Reboot is a last-resort crash, not a configured action).

B: Inspection modes (Proxy vs. Flow) are defined in firewall policies and cannot be dynamically switched by the system during runtime.

C: The system does not arbitrarily stop "non-essential processes" like logging or AV. Logging is critical for audit trails. While av-failopen can be configured to bypass scanning, the system typically defaults to "Fail-Close" (dropping traffic) rather than stopping the engines themselves.

To capture encrypted IPsec phase 2 (ESP) traffic between two FortiGate devices, the correct protocol filter to use is ip proto 50. According to the Fortinet official sniffing and debugging documentation, ESP (Encapsulating Security Payload) is used for encrypted phase 2 payload transfer and always uses IP protocol number 50. Running the command diagnose sniffer packet any 'ip proto 50' captures only ESP packets, which represent the encrypted traffic—whether originating or transiting the device.

If there is no NAT device between FortiGates, ESP is not encapsulated in UDP (thus not on UDP port 4500; if NAT-T were required, packets would be UDP-encapsulated, but the scenario explicitly says NAT is not in use). UDP port 500 is for IKE control (negotiation) traffic, and AH (Authentication Header, ip proto 51) is not used for encryption in standard IPsec phase 2 with ESP.

This matches the official CLI reference from Fortinet for VPN and traffic analysis.

**

To determine the behavior, we must analyze the memory thresholds and the current status shown in the exhibit:

Analyze the Thresholds (The Three States):

Green (Exit): 82% (Memory usage is safe).

Red (Enter Conserve Mode): 88% (Memory usage is high; action is required).

Extreme (Kernel Conserve Mode): 95% (Memory is critical; drastic action is required).

Determine the Current State:

Current Memory Used: 89%.

Since 89% is greater than the Red threshold (88%) but lower than the Extreme threshold (95%), the FortiGate is in Red Conserve Mode (User-space conserve mode), not Extreme mode.

Evaluate the Behavior in "Red" Mode:

In Red Conserve Mode, the FortiGate's primary goal is to prevent memory exhaustion while still processing traffic if possible.

Proxy-based inspection (handled by the WAD process) is memory-intensive because it buffers content. To save memory, the system stops accepting new sessions that require proxy-based inspection.

Flow-based inspection (handled by the IPS engine) streams data and consumes significantly less memory. Therefore, in Red mode, the system typically continues to allow and inspect flow-based sessions.

Option A correctly describes this split behavior: allowing flow-based (lighter) but blocking proxy-based (heavier).

Why other options are incorrect:

B: If memory increases another 6% (89% + 6% = 95%), the device hits the Extreme threshold. At 95%, the kernel begins dropping all new sessions to prevent a system crash. Thus, it will not continue to allow sessions.

C: This describes "Fail-Open" behavior (passing traffic without inspection). While configurable (set av-failopen pass), the default is usually "Fail-Close" (blocking). More importantly, the distinction between flow and proxy availability is the key architectural feature of Red mode.

D: Blocking all new sessions regardless of type is the behavior of Extreme Conserve Mode (95%). Since the device is only at 89%, this drastic measure is not yet active.

The Internet Key Exchange version 2 (IKEv2) protocol simplifies the negotiation process compared to IKEv1. It is defined by a specific sequence of message exchanges to establish a secure IPsec tunnel.

The correct chronological order of the IKEv2 exchanges is:

IKE_SA_INIT (Initial Exchange):

This is the first exchange. It negotiates the security parameters for the IKE Security Association (IKE SA), sends nonces, and performs the Diffie-Hellman key exchange. At the end of this exchange, the communication is encrypted, but the peers are not yet authenticated.

IKE_AUTH (Authentication Exchange):

This is the second exchange. It authenticates the previous messages, exchanges identities and certificates (if used), and establishes the first Child SA (the actual IPsec Security Association used for data traffic).

CREATE_CHILD_SA (Subsequent Exchanges):

This exchange occurs after the IKE SA and the initial Child SA are established. It is used to create additional Child SAs (for different traffic selectors) or to perform re-keying for the IKE SA or existing Child SAs.

Why other options are incorrect:

A & B: Incorrect because CREATE_CHILD_SA cannot happen before the SA is initialized (IKE_SA_INIT) and authenticated (IKE_AUTH).

D: Incorrect because IKE_AUTH cannot occur before IKE_SA_INIT.

Therefore, the protocol flow is IKE_SA_INIT $\rightarrow$ IKE_AUTH $\rightarrow$ CREATE_CHILD_SA.

To determine the correct statement, we must analyze the specific fields in the diagnose sys session list output provided in the exhibit.

Analyze Option A (The session is offloaded using NP7):

Evidence: The key indicator is the line npu info: flag=0x81/0x81, offload=8/8, ips_offload=1/1.

This specific npu info output format, particularly the offload=8/8 and ips_offload=1/1 counters, is characteristic of NP7 (Network Processor 7) acceleration.

Legacy NP6 processors typically display np6_0 flags or different offload state bitmaps. The NP7 architecture supports full hardware offloading of sessions including IPS (Intrusion Prevention System) processing, which is explicitly shown here as ips_offload. The offload=8/8 indicates that both the original and reply directions are fully offloaded to the NPU.

Analyze Option C (It is a TCP session from 10.9.31.117 to 10.1.0.3):

Evidence: The hook=post line shows the SNAT translation: 10.9.31.117:45388->200.8.57.5:443(10.1.0.3:45388).

Source: 10.9.31.117 (The client).

Destination: 200.8.57.5 (The external server on port 443).

NAT IP: 10.1.0.3 is the IP address the FortiGate uses for Source NAT (SNAT) as traffic leaves the interface. It is not the destination of the session.

Conclusion: This statement is False.

Analyze Option D (The session will expire in one second):

Evidence: The session info line displays expire=3599.

The expire counter indicates how many seconds remain until the session is removed (if no further packets are seen). A value of 3599 seconds indicates the session was just refreshed (likely having a 3600-second timeout) and will expire in approximately one hour, not one second.

Conclusion: This statement is False.

Analyze Option B (Return traffic to the initiator is sent to...):

While the gateway for reply traffic (gwy=.../10.9.31.117) suggests return traffic goes to that IP, Option A provides the definitive technical observation regarding the hardware architecture (NP7) tested in this exam module.