FCSS_LED_AR-7.6 Fortinet NSE 6 - LAN Edge 7.6 Architect Questions and Answers

WithAD machine authenticationvia FortiAuthenticator:

When a machine successfully authenticates, FortiAuthenticator records:

Machine account / identity

MAC addressof the device

Associated IP and session info

To handle sleep/hibernation:

FortiAuthenticator keeps acache of authenticated MAC addressesfor a configured timeout.

When the device wakes up and sends traffic again, FortiAuthenticator/FSSO can still treat it as authenticated as long as its MAC is in cache, so access is maintained without forcing a full machine re-auth immediately.

This matches optionD.

A(guest VLAN) is not the standard behavior here.

B(WoL) is unrelated.

C(IP-based) would break as IPs can change; MAC-based caching is what’s used.

Let’s verify each protocol:

C. FortiGate uses the FortiLink protocol to establish communication with FortiSwitch.✔

FortiLink is themanagement and control protocol, encapsulated over:

LLDPfor discovery

CAPWAP (UDP/5246–5247)for control channel

DHB (Device Handshake Bus)inside CAPWAP frames

Thus,FortiLink is required.

D. CAPWAP is used to establish the control channel between FortiSwitch and FortiGate.✔

Although CAPWAP is commonly associated with FortiAP, FortiSwitchalso uses CAPWAPinternally when managed by FortiGate.

This is documented in:

FortiSwitch Administration Guide

LAN Edge deployment guide

SoD is correct.

B. UHTTPS is used by FortiGate to securely manage and configure FortiSwitch devices.✔

FortiLink session actually uses:

Encrypted CAPWAP (over DTLS)

UHTTPS (port 4433)for secure configuration exchanges

This protocol is mandatory for:

Switch configuration synchronization

Firmware upgrade

NAC data exchange

VLAN provisioning

ThereforeUHTTPS is indeed one of the key protocols.

Why the incorrect options are wrong:

A. SNMP can be used by FortiGate to manage FortiSwitch.✖

FortiGate doesnotuse SNMP to manage FortiSwitch.

SNMP is for monitoring by external systems, not for FortiLink control.

E. IGMP is required for management.✖

IGMP is a multicast protocol, irrelevant for FortiGate–FortiSwitch management.

Observed behavior:

Devices in the VLANcan ping FortiGate→ gateway reachability OK.

FortiGatecan ping devicesin that VLAN → return path OK.

Inter-VLAN routingworks → FortiGate’s L3 and policies are fine.

Devices in the same VLAN cannot ping each other→ problem is on theL2 switching plane, not L3.

On FortiSwitch (managed by FortiGate), there is a feature calledAccess VLAN(sometimes described in NAC/dynamic segmentation context):

WhenAccess VLANis enabled on a VLAN, the switchdoes not perform normal L2 forwardingbetween hosts in that VLAN.

Instead, all traffic from endpoints in that VLAN isforced upstream to FortiGate, as if every frame were destined for the gateway.

This is used for designs where you wantall intra-VLAN traffic inspected by the firewall, implementing micro-segmentation.

Resulting behavior:

Host → FortiGate: works (frames are forwarded to FortiGate).

FortiGate → Host: works (routed back).

Host A → Host B (same VLAN):

Frame from A goes to FortiGate.

FortiGate seessource and destination in same subnet; depending on policy, it may drop or not have a policy allowing that traffic.

Even if allowed, certain designs still break pure L2 expectations.

In the exam scenario, the key point is:

IfAccess VLAN is enabled,local L2 communication within that VLAN is disabled, so hosts in the same VLAN cannot communicate directly.

That perfectly explains:

Same VLAN hosts can’t ping each other

But they can both reach FortiGate and beyond

Why the other options are less likely / incorrect

B. FortiSwitch MAC address table is missing entries

If MAC table were empty/bad,nothingin that VLAN would work properly, including pinging FortiGate.

C. FortiGate ARP table is missing entries

Then FortiGate couldn’t ping the devices either; but it can.

D. Native VLAN misconfigured on ports

That would affect connectivity to FortiGate too, not only host-to-host.

The DHCP configuration shows:

set vci-match enable

set vci-string "FortiSwitch" "FortiExtender"

What this means

VCI = Vendor Class Identifier (DHCP option 60)

When vci-match is enabled, the DHCP server will only respond to DHCP requests from clients whose VCI string matches the configured vendor identifiers.

FortiSwitch and FortiExtender both send DHCP option 60 with:

"FortiSwitch"

"FortiExtender"

This is used in FortiLink deployments so only these devices receive IP addresses on the FortiLink network.

Therefore:

C. To connect, devices must match the VCI string; otherwise, they will not receive an IP address.

✔Correct.

This perfectly matches FortiGate FortiLink DHCP behavior.

Summary of incorrect options

A — Ignore FortiSwitch/FortiExtender

❌Opposite behavior.

B — Restrict based on hostname

❌VCI does NOT check hostname.

D — Reserve IPs

❌No reservation occurs; it's filtering, not reserving.

In FortiLink NAC for LAN Edge:

When a device first connects, it is placed into theonboarding VLAN.

NAC policies then classify the device (by MAC, OS, user, EMS tag, etc.).

If a NAC policy matches, the device may be moved to anaccess VLANorquarantine VLAN.

Ifno NAC policy matches, the device simplystays in the onboarding VLAN.

FortiOS / LAN Edge documentation describes the onboarding VLAN as thedefault VLAN for unknown or unclassified devices, until NAC policy evaluation moves them elsewhere.

When FortiAPs connect to FortiGate overIPsec tunnels, this is treated similarly to WAN/MPLS deployments.

In these scenarios, FortiGate must know that CAPWAP must traverse anon-L2transport.

FortiAP profiles include:

set mpls-connection enable

This setting is required so that:

FortiGate can encapsulate CAPWAP inside the transport tunnel

Remote FortiAPs can establish CAPWAP even when behind routed/IPsec networks

Without this option, the FortiGate detects the AP butcannot bring CAPWAP UP, leaving the AP in “discovered/unauthorized” or “offline” state.

Why others are wrong

A. Static route→ Discovery already succeeds, so routing is not the issue.

C. Reduce MTU→ Sometimes useful for IPsec, but not required for CAPWAP establishment.

D. Firmware upgrade→ Firmware mismatch would show “Managed (upgrade required),” not CAPWAP tunnel failure.

Therefore,set mpls-connection enableis the required fix.

FortiLink NACis the NAC (Network Access Control) engine built into FortiGate when it manages FortiSwitch devices.

It performs:

✔Automated device onboarding

Automatically detects new devices connecting to switches.

Uses MAC, vendor, DHCP fingerprinting, or IoT database to classify devices.

No manual VLAN assignment required.

✔Security posture verification

Works with FortiClient EMS, ZTNA tags, IoT detection.

Applies policies based on:

Device type

User role

Endpoint compliance

IoT vulnerability status

✔Dynamic VLAN assignment

Automatically moves devices into proper VLANs, quarantine networks, or guest zones.

✔Integration with LAN Edge & Zero Trust

Uses FortiGate + FortiSwitch + FortiAP to enforce zero-trust access.

This matches the LAN Edge 7.6 Architect explanation of FortiLink NAC.

❌Why other answers are wrong

A. Extend security policies across FortiGate firewalls

Not NAC. That refers to Security Fabric or SD-WAN.

C. Apply manual firewall rules

FortiLink NAC is specifically designed toautomateaccess control.

D. Manually place devices in VLANs

NAC eliminates manual VLAN assignment — it is dynamic.

On FortiLink, FortiGate’s built-in DHCP server is what gives FortiSwitch its IP so it can come under management. For automatic FortiSwitch onboarding, the DHCP server is usually set with:

set vci-match enable

set vci-string "FortiSwitch" "FortiExtender"

In the exhibit, the DHCP server for fortilink has:

set vci-match enable

set vci-string "FortiExtender"

Because theVCI string doesn’t include “FortiSwitch”, DHCP offers are only sent to clients whose Vendor Class Identifier matchesFortiExtender. The FortiSwitch never receives an IP, so it staysOffline.

OptionBis wrong: member "port4" matches the physical cabling in the topology.

OptionCis fine: FortiLink can be anaggregateinterface, not only physical.

OptionA(ip-managed-by-fortiipam) is unrelated; FortiIPAM isn’t required here.

FortiLink device detection relies on FortiGate'sDevice IdentificationandIoT Detectioncapabilities to classify devices connected to FortiSwitch ports.

To enabledevice identificationandvulnerability detectionfor IoT/endpoint devices in LAN Edge deployments, FortiGate must subscribe to the correct FortiGuard services.

1. Required FortiGuard License for Device Identification (IoT Detection)

The FortiOS documentation clearly states:

“IoT detection service… requires anAttack Surface Security Rating service licenseto download the IoT signature package.”

Additionally:

“The following settings are required for IoT device detection:

A validAttack Surface Security Rating service licenseto download the IoT signature package.”

This service provides:

IoT signature package

IoT device classification

Device behavior profiling

This makesAttack Surface Securitymandatory for FortiLink device detection.

2. Required FortiGuard License for Device Vulnerability Detection

FortiOS further clarifies that IoT vulnerabilities require theIoT Detection license, which is included under the same Attack Surface service entitlement:

“To detect IoT vulnerabilities the FortiGate must have a validIoT Definitions license…”

The IoT Definitions license comeswith the Attack Surface Security Rating serviceand is used for:

Scanning connected devices

Identifying IoT/endpoint vulnerabilities

Reporting vulnerability severity

Enabling NAC-based remediation (VLAN steering, port isolation)

In LAN Edge Architect, this license combination is emphasized as a foundational requirement for:

FortiSwitch NAC

FortiLink device profiling

Automated quarantine actions

IoT device classification

Vulnerability-based segmentation

3. Why the Correct Answer Is Option D

OptionDlists:

✔FortiGuard Attack Surface Security

✔FortiGuard IoT Detection

These are exactly the services required per FortiOS 7.4.1:

Attack Surface Security Rating→ provides IoT signature package + vulnerability data

IoT Detection (Definitions)→ enables actual device-type and vulnerability identification

Together they powerFortiLink Device DetectionandIoT Vulnerability Detection, which are essential LAN Edge security functions.

4. Why Other Options Are Incorrect

A. Vulnerability Management + Endpoint Protection

Not used for FortiLink device detection; Endpoint detection relies on IoT service, not FortiClient.

B. Threat Intelligence + IoT Detection

Threat Intelligence (ThreatIntel DB) is used for FAZ IOC, not LAN Edge device detection.

C. Threat Intelligence + Endpoint Protection

Same issue—does not provide IoT device classification or vulnerability scanning.

LAN Edge 7.6 Architect Context Summary

In LAN Edge designs:

FortiGate acts as the controller for FortiSwitch via FortiLink.

Device detection is done at the FortiGate level using NAC/IoT signature capabilities.

Vulnerability detection enables dynamic segmentation decisions (e.g., move device to quarantine VLAN).

To support this, two licenses aremandatory:

Attack Surface Security(includes Security Rating + IoT Detection DB)

IoT Detection(part of the same entitlement, but explicitly required for vulnerability detection)

Thus the verified answer aligns perfectly with LAN Edge operational requirements and Fortinet documentation.