FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Questions and Answers

The correct answer is B. Assertion dump .

The study guide states: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

The same study guide page for real-time SAML troubleshooting shows the section labeled **** Assertion Dump **** , and inside that assertion it displays the actual user attributes, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

It also explicitly marks this part as “Attributes sent by IdP”

Why the other options are wrong:

A. Bindings HTTP post is incorrect because bindings define how SAML messages are transported , not the section that contains the attributes. The study guide says: “Bindings: Define how SAML protocol messages are transmitted over different communication channels.”

C. Authentication request is incorrect because that is built by the SP and sent toward the IdP, not where the IdP’s user attributes are shown. The study guide’s flow says the SP “Builds auth request” and the IdP later “Builds auth response.”

D. Authentication response is broader than the exact section being asked. The exact section in the study guide where the IdP-provided attributes are shown is the Assertion dump .

So the verified answer is: B .

The correct answers are A and D .

The study guide states:

“Application layer test commands do not display information in real time. They display statistics and configuration information about a feature or process. You can also use some of these commands to restart a process or execute a change in its operation.”

This directly proves:

A is correct because they can display statistics and configuration information

D is correct because some of them can restart a process/application

Why the other options are wrong:

B is wrong because the study guide explicitly says application-layer test commands do not display information in real time . Real-time output is done with diagnose debug application ... commands instead.

C is wrong because diagnose debug console enable is related to debug output behavior, not a requirement for application-layer test commands to display output. The study guide does not describe test commands that way.

====

To solve this high CPU usage scenario involving the ipsengine, we must understand the specific functions of the diagnose test application ipsmonitor commands shown in the troubleshooting steps.

Analyze the Situation:

Exhibit: The diagnose sys top output shows the ipsengine process is in a run state (R) consuming 99% CPU.

Previous Action: The administrator already ran diagnose test application ipsmonitor 5.

Result: The CPU usage did not drop.

Understand the Commands:

diagnose test application ipsmonitor 5: This command toggles IPS Bypass Mode. When enabled, the IPS engine lets traffic pass through without inspection.

Implication: If the CPU was high due to traffic volume, enabling bypass would drop the CPU load immediately.

Failure: Since the CPU remained at 99% after bypass, the ipsengine process is likely frozen, stuck, or in an internal infinite loop unrelated to the current traffic flow. The process itself is the problem, not the traffic volume.

Evaluate the Solution (Option B):

diagnose test application ipsmonitor 2: This command toggles the IPS engine ' s Enable/Disable status.

Because the engine is stuck (bypass failed to relieve pressure), the " Immediate action " required is to stop or restart the process entirely.

Running option 2 effectively disables/kills the stuck IPS engine instance, which will immediately drop the CPU usage to near zero. (It can then be toggled again to restart it).

Why other options are incorrect:

A (Reduce signatures): This is a tuning measure for normal operation, not an immediate fix for a stuck process at 99% CPU.

C (Disable IPS on policies): This is a configuration change that takes time and requires a commit; it is not the most immediate diagnostic tool available.

D (Bypass all IPS engines): This describes the action of command 5 (Bypass), which the prompt explicitly states was already performed and failed.

For Option A:In Fortinet BGP (and standard BGP), when a prefix is displayed with an " i " (lowercase i) in the Path column, it represents an internal prefix that originated from the local router, typically configured via the BGP " network " command. In the exhibit, the prefix 10.20.30.0/24 is listed with a Path value of i, indicating it was injected into BGP by the local router using the network statement, not via redistribution from another routing protocol. The same logic applies to i as documented: " Origin code ' i ' means the route was injected via the network command. "

For Option D:The get router info bgp network output is a summary table displaying both local and received BGP routes. It lists all known routes to the BGP process, whether received from peers or originated locally. The exhibit shows all BGP prefixes known to the local router, matching the official admin guide’s description of this command’s output.

Explanation for B and C:

The phrase “legacy route advertisement” is not formalized in BGP documentation or Fortinet’s admin guide; the output uses standard BGP mechanics.

If a route was redistributed into BGP from another routing protocol, the Path field would display a " ? " (question mark) for incomplete (redistributed) origin. Here the /24 route has " i " so it is NOT a redistribution.

The correct answer is D. IKE_AUTH .

The study guide explicitly states:

“IKE_Auth exchange:

• Performs the mutual authentication of two IKE endpoints.

• Configures settings like IP/mask, DNS, and so on.

• Sets up the piggyback of a child SA. Negotiates IP flow and security settings for the IPsec SA.”

It also says:

“By default, a piggyback child (IPsec) SA is negotiated along with the IKEv2 SA during IKE_AUTH. If additional IPsec SAs are needed … they are negotiated during subsequent CREATE_CHILD_SA exchanges.”

Why the other options are wrong:

A. IKE_SA_INIT is incorrect because this exchange negotiates the security settings to protect the IKE traffic, not the first CHILD_SA.

B. INFORMATIONAL is incorrect because it is used to convey control messages between IKE endpoints.

C. CREATE_CHILD_SA is incorrect for the first CHILD_SA, because it is used to create new additional child SAs or rekey existing ones after the initial exchange.

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The IKE_SA_INIT exchange in IKEv2 is responsible for DoS protection measures. During IKE_SA_INIT, before authentication and further exchange, the responder can use cookie challenges (per RFC 7296 and Fortinet VPN documentation). If a DoS attack is suspected (many requests from the same source), the responder replies with a cookie. Only after the initiator returns the correct cookie does the exchange proceed, protecting the responder from state exhaustion and certain forms of DoS traffic at the handshake stage.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

From the snippet we can see that FortiGate (via the fssod daemon) is directly detecting the user logon rather than relying on a separate “collector” or “DC agent.” This indicates agentless polling—FortiGate polls the DC’s event logs over TCP 445 to discover logons. So: - FSSO is using agentless polling mode to detect logon events - In agentless mode, FortiGate will periodically poll the same IP (the DC) on port 445 to see if the user is still logged on

According to the official Fortinet administration guide for FortiOS 7.6.4 under the section " Configuring a RADIUS server, " the supported RADIUS authentication methods you can configure via the CLI with config user radius are:

pap

chap

mschap

mschapv2

auto

The relevant CLI syntax is set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}​. You can confirm this directly in the configuration table and from real CLI sessions.

EAP (Extensible Authentication Protocol) is NOT an authentication option you can directly set under config user radius. EAP methods (such as EAP-TLS, EAP-PEAP, EAP-TTLS) are negotiated between the RADIUS client and server but are not configurable as an explicit auth-type option in FortiOS. EAP authentication is typically used automatically by features like 802.1X, not through the user radius object authentication-type setting, and always requires proper backend workings between supplicant and RADIUS server

The correct answer is D .

The exhibit shows:

session_count=591

clash=162

memory_tension_drop=0

TCP sessions:

166 in NONE state

1 in ESTABLISHED state

3 in SYN_SENT state

2 in TIME_WAIT state

The study guide explains the TCP protocol states and states explicitly:

“When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5.”

In diagnose sys session stat, the exhibit shows 2 in TIME_WAIT state . Since TIME_WAIT = state value 5 , those are the sessions being kept briefly for possible out-of-order packets. That makes D correct.

Why the other options are wrong:

A is wrong because session_count=591 is the total number of sessions, while the TCP sessions shown add up to only 172 (166 + 1 + 3 + 2). So not all sessions in the table are TCP sessions.

B is wrong because the study guide says the number of sessions deleted because of low free memory is shown by memory_tension_drop , and in the exhibit it is 0 , not 162.

C is wrong because the study guide defines ephemeral/open TCP sessions as those not fully established , but the exhibit does not say all 166 in NONE state are specifically “waiting to complete the three-way handshake.” The clearest directly supported statement from the displayed states is the 2 TIME_WAIT sessions retained for out-of-order packets.

So the verified answer is: D .

The reported symptom—users unable to access any websites despite no explicit blocks in the profile—points to systemic connectivity or configuration issues rather than specific URL filtering rules.

Option B (SSL/TLS Inspection): When Deep Inspection is enabled, the FortiGate acts as a Man-in-the-Middle (MitM) and re-signs server certificates using its own CA. If the clients (browsers) do not trust this CA (i.e., the certificate is not installed in their Trusted Root store), they will reject the connection with certificate errors, effectively preventing access to all HTTPS websites.

Option D (DNS): Web browsing relies on DNS resolution . If the configured DNS server is unreachable or failing, the FortiGate (or the client) cannot resolve FQDNs to IP addresses. Consequently, browsers will fail to load any page, resulting in a total loss of web access.

Option E (License): If the FortiGuard Web Filtering license expires, the FortiGate can no longer query the FortiGuard Distribution Network (FDN) for ratings. By default, or if the allow-when-rating-error setting is disabled (a common security practice), the FortiGate will block all web traffic that it cannot rate, often displaying a " Web Filter Service Error " or invalid license page.

Option A is incorrect because clearing the cache only increases latency, it does not block traffic. Option C is incorrect because webfilter-force-off is typically used to disable the service (often allowing traffic to bypass checks if the service is down), rather than blocking it.

The correct answer is C .

The exhibit shows the neighbor state as Connect in the State/PfxRcd column. The study guide explains the BGP states exactly as follows:

“Connect: Waiting for a successful three-way TCP connection”

“OpenSent: Waiting for an OPEN message from the peer”

“Established: Peers have successfully exchanged OPEN and keepalive messages”

Because the router is still in Connect state, the TCP three-way handshake has not completed yet . In practical terms, the local router has sent the TCP SYN but has not successfully received the SYN/ACK needed to complete the handshake . That is why C is correct.

Why the other options are wrong:

A is wrong because the message counters alone do not prove that the neighbor is unreachable. The study guide says the State/PfxRcd field shows the BGP state when the session is not established, and here that state is specifically Connect

B is wrong because waiting for an OPEN message happens in OpenSent , not Connect

D is not the best answer for this output. The study guide ties the displayed state directly to the protocol phase: Connect means the device is still waiting for a successful TCP handshake

So the verified answer is: C .

The correct answer is D. Assertion dump .

The study guide states that: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

It also shows the real-time SAML debug output under “ ** Assertion Dump ****”**, where the SAML attributes appear inside the assertion, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

The same study-guide page explicitly labels this area as “Attributes sent by IdP”

So, although the IdP sends an authentication response overall, the actual section that contains the SAML attributes is the Assertion dump

FortiGate HA Troubleshooting and Synchronization Guides

Fortinet Admin Guide: HA Primary Role Retention, Cluster Break-up Due to Out-of-Sync Status

The correct answer is B .

The study guide explicitly states: “IKE version 2 does not interoperate with IKE version 1, but they share enough of the header format that both versions can unambiguously operate over the same UDP port.”

That directly proves B .

Why the other options are wrong:

A is wrong because the study guide shows authentication methods as Asymmetric for IKEv2 and Symmetric for IKEv1

C is wrong because the study guide does not say they use the same TCP port; instead, it specifically says they can operate over the same UDP port

D is wrong because the study guide states: “IKEv2 does not use the concept of phase 1 or phase 2” , even though FortiOS CLI/GUI still uses those terms for configuration purposes

The output of the diagnose sys session list command provides the critical evidence needed to determine the behavior during a failover:

Session Synchronization (synced):

The most important indicator in the exhibit is the synced flag located in the state= line (state=may_dirty synced none app_ntf).

In FortiOS HA (High Availability), the synced flag confirms that this specific session has been successfully synchronized from the primary device to the secondary (backup) device.

Session synchronization (Session Pickup) ensures that if the primary unit fails, the secondary unit already has the session in its table and can resume traffic processing immediately.

TCP State (proto_state=01):

The output shows proto=6 (TCP) and proto_state=01.

In the FortiGate session table, proto_state=01 for TCP indicates that the session is in the ESTABLISHED state (post-three-way handshake).

This invalidates Option B, which claims the TCP session is not fully established.

Failover Outcome:

Because the session is ESTABLISHED and SYNCED, the secondary device will seamlessly take over the session upon primary failure.

The traffic continues to flow through the new primary without requiring the user/client to restart the connection. This is the primary function of HA Session Pickup.

Why other options are incorrect:

A: While the output shows app_ntf (Application Control notification) and may_dirty, the presence of the synced flag overrides this concern regarding failover. If the session type were not supported for failover (e.g., certain proxy sessions in older versions), it would not be marked as synced. Since it is synced, it persists.

B: As noted, proto_state=01 means established, not " not fully established " .

D: While the kernel updates routing tables, the purpose of syncing the session is to preserve the state so it does not need to be re-evaluated as a new packet would, preventing traffic drops.

The exhibit shows a FortiGate configuration under config system fortiguard related to web filtering and FortiGuard options. There is a line:

set webfilter-force-off enable

According to official Fortinet documentation, the " webfilter-force-off " option, when enabled, causes the FortiGate to bypass web filtering for all traffic—even if a web filter profile is applied to a policy. This override is typically used for troubleshooting or performance reasons and is documented as an explicit bypass feature.

If an administrator wants to enforce web filtering inspection, this setting must be disabled. The correct way to restore web filtering functionality is to run:

set webfilter-force-off disable

Once done, traffic passing through policies with web filter profiles will be inspected and filtered as per configuration. Other settings such as timeout or cache TTL do not bypass web filtering; they only affect operational nuances.

The get router info bgp summary output lists BGP neighbor status:

Prefix Reception: The " State/PfxRcd " column shows the number of prefixes received from the neighbor—neighbor 100.64.1.254 has " 1 " , confirming option A.

Received Message Count: Under " MsgRcvd " , 18 packets have been received from neighbor 100.64.1.254. This matches option C.

The second neighbor 100.64.2.254 is in " Active " state and has received/sent 0 packets, indicating that its TCP connection is NOT established, disproving option B.

There is no indication anywhere that the router is " still calculating " prefixes; " Active " just means no session is established, so option D is incorrect.

To understand why Type 5 LSAs (AS External LSAs) are missing from the Link-State Database (LSDB), we must look at how OSPF generates and propagates them:

A. There is no autonomous system border router (ASBR) in the network:

Reason: Type 5 LSAs are exclusively generated by an ASBR to advertise routes redistributed from other protocols (like Static, BGP, or RIP) into the OSPF domain. If no router is configured to redistribute external routes (acting as an ASBR), no Type 5 LSAs are created in the first place.

C. The local router is located in a stub area:

Reason: By definition, a Stub Area (and a Totally Stubby Area) prevents Type 5 LSAs from entering. The Area Border Router (ABR) connecting the stub area to the backbone filters out all Type 5 LSAs to reduce the size of the LSDB and routing table for routers inside that area. Instead, a default route is usually injected.

Why other options are incorrect:

B: While database filtering exists, standard prefix-list filtering typically affects the routing table (RIB) generation, not the underlying LSDB propagation of Type 5 LSAs, or it is less common than the architectural reasons (Stub/No ASBR).

D: IP Protocol 89 is the transport for OSPF itself. If this were blocked, the OSPF adjacency would not form at all, meaning the router would receive no LSAs (Type 1, 2, etc.), not specifically just Type 5.

The correct answer is A .

The debug flow shows:

traffic is going to TCP port 211

FortiGate logs run helper-ftp(dir=original)

The study guide explains exactly what that message means:

“In this example, the run helper-ftp message indicates that the FTP session helper is being used.”

Under normal proxy-based inspection, protocol handling is controlled by Protocol Options . The FortiOS administration guide states:

“Protocol port mapping only works with proxy-based inspection.” and “The ports can be modified to inspect any port with flowing traffic.”

So if the policy is configured for proxy-based inspection but the debug still shows the FTP session helper on port 211, the most likely explanation is that the FTP protocol mapping in Protocol Options is broad enough to match unexpectedly, such as being mapped to Any . That would cause FortiGate to identify the traffic as FTP and invoke the helper.

Why the other options are wrong:

B is wrong because SSL deep inspection is unrelated to this debug. The traffic shown is plain TCP/211 , and the key message is about the FTP helper , not SSL decryption.

C is wrong because if FTP had not been mapped to port 211, FortiGate would be less likely to treat this traffic as FTP. The observed run helper-ftp indicates FTP handling is being triggered.

D is wrong because low-memory conserve behavior would typically cause inspection bypass or blocking behavior, not specifically the run helper-ftp message. The study guide’s helper example ties this message to session-helper use, not memory shortage.

So the verified answer is: A .

The study guide explicitly explains the FortiGuard flags shown by diagnose debug rating:

D = Default

“IP addresses of servers received from DNS resolution”

It then clarifies even more specifically:

“D = The IP address FortiGate got when resolving the service.fortiguard.net name (usually two or three servers have this flag, if the administrator didn ' t overwrite the FortiGuard FQDN or IP address in the FortiGate configuration)”

In the exhibit, among the answer choices, the IP address marked with the D flag is 208.91.112.194 . Therefore, that is the IP FortiGate got from resolving service.fortiguard.net.

Why the other options are wrong:

B. 209.22.147.36 is not the correct choice because in the exhibit it is not the DNS-resolution entry identified by the D flag

C. 64.26.151.37 has no D flag

D. 96.45.33.65 has no D flag

So the verified answer is: A .

The exhibit includes these key debug lines:

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explains that in regular bind , LDAP authentication has four steps , and that during step 2 , FortiGate searches the LDAP tree to find the user’s DN:

“During the second step, FortiGate does a search query in the LDAP database to find the user’s location—in other words, the user’s DN. If the user is found, the server replies with the user’s DN.”

It also states for the real-time debug of step 2:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree. This message includes the base branch (distinguished name setting) and the name of the attribute used to locate the user... If the LDAP server finds the user, the output shows the user’s full DN.”

That directly proves:

D is correct because the debug is showing step 2: Search Request

A is correct because the base DN and found DN are under DC=TAC,DC=ottawa,DC=fortinet,DC=com, which corresponds to the LDAP domain/tree root TAC.ottawa.fortinet.com

Why the other options are wrong:

B is wrong because binding with the user’s credentials is step 3 , not the step shown here. The study guide says: “Step 3 – Bind user credentials” and shows that this happens later with fnbamd_ldap_build_userbind_req / __ldap_build_bind_req-Binding to ' CN=John Smith... '

C is wrong because collecting user group information is step 4 , not the step shown in the exhibit. The study guide says: “The last step is to get the user group information” and shows step 4 with Attr query / memberOf search

To determine the type of policy route, we must interpret the specific flags and fields visible in the diagnose firewall proute list (or similar kernel table) output provided in the exhibit

Identify Key Indicators:

The most critical field in the output is vwl_service=1(test123).

It also lists vwl_mbr_seq=1 5.

Decode the Terminology:

vwl: This stands for Virtual WAN Link. In FortiOS, " Virtual WAN Link " is the legacy internal name for the SD-WAN feature. Even in newer firmware versions (7.x), the kernel and CLI debugs often still refer to SD-WAN objects as vwl.

vwl_service: This specifically refers to an SD-WAN Rule (also known as an SD-WAN Service). The name (test123) is the name given to that specific SD-WAN rule by the administrator.

Evaluate the Options:

A & D (Regular Policy Route): Standard policy routes (configured under config router policy) do not carry the vwl_service tag. They are typically identified by simple gateway or interface instructions without the SD-WAN service abstraction.

B (ISDB Route): While SD-WAN rules can use the Internet Service Database (ISDB) as a destination, the structure of the route entry shown here—specifically defined by a vwl_service ID—classifies it fundamentally as an SD-WAN rule, regardless of the destination object.

C (An SD-WAN rule): The presence of vwl_service and vwl_mbr_seq (SD-WAN member sequence) definitively identifies this entry as a rule generated by the SD-WAN subsystem.

Conclusion: The output shows a route controlled by the SD-WAN engine (vwl), confirming it is an SD-WAN rule.

The correct answer is C .

The exhibit shows:

562 in ESTABLISHED state

27 in CLOSE state

memory_tension_drop=0

ephemeral=0/131072

According to the study guide, for TCP sessions: “The protocol state in the session table is a two-digit number. For TCP, the first number (from left to right) is related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy)… The second digit is the client-side state.” The same page also shows that value 1 = ESTABLISHED

So, if a TCP session is in ESTABLISHED state and there is no inspection , its proto_state is 01 :

first digit 0 = no inspection

second digit 1 = ESTABLISHED

That makes C correct. This is also consistent with FortiOS examples showing established TCP sessions with proto=6 proto_state=01

Why the other options are wrong:

A is wrong because the field that indicates sessions dropped due to low free memory is memory_tension_drop, and in the exhibit it is 0 , not 113. The study guide states: “If there is a lack of free memory, the kernel deletes the oldest sessions. The command shown on this slide displays the number of sessions the kernel deleted because of this mechanism.” So 113 is the clash value, not memory-tension drops.

B is wrong because ephemeral=0/131072 does not mean 131072 ephemeral sessions were recorded. The study guide explains that FortiGate “sets a hard limit on the maximum number of ephemeral sessions that can exist at the same time in the session table.” Therefore:

0 = current ephemeral sessions

131072 = maximum allowed ephemeral sessions for that model/context

D is wrong because the study guide says the temporary retention for possible out-of-order packets happens in state value 5 (TIME_WAIT) : “When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5.” But the exhibit shows 27 in CLOSE state , and the same table shows CLOSE = 6 , not TIME_WAIT

So the verified answer is C .

The correct answers are C and D .

The key clue is the command itself:

diagnose debug application fssod -1

The study guide explicitly states: “There is a specific FortiGate daemon that handles the polling mode. It is the fssod daemon. To enable agentless polling mode real-time debug use the command: diagnose debug application fssod -1.”

That directly proves D. FSSO is using agentless polling mode to detect logon events .

The study guide also states: “In agentless polling mode, FortiGate frequently polls all workstations (as a standalone collector agent does) to check which users are still logged in. You can sniffer this traffic on port 445.”

That directly proves C. FortiGate is frequently polling the workstation in case the user has logged out .

Why the other options are wrong:

A is wrong because the “cannot verify if the user is still logged in” / Not Verified condition is described for the collector agent workstation status, not as a conclusion from this FortiGate fssod debug line. The study guide says: “A user goes to not verified status when they log out, or when there is a problem in the polling done by the collector agent to the workstation.”

B is wrong because DC Agent mode is part of agent-based FSSO , where DC agents send events to a collector agent. This output is from the fssod daemon, which the study guide ties to agentless polling mode , not DC Agent mode.

E is wrong because TCP port 8000 is used for communication between the collector agent and FortiGate , while in agentless polling mode FortiGate polls workstations and that traffic can be sniffed on TCP port 445 .

So the verified answers are: C, D .

The best verified answer is C .

The study guide says that when FortiGate is in conserve mode, it activates protection measures to recover memory space:

“System configuration cannot be changed”

“FortiGate skips quarantine actions (including FortiSandbox analysis)”

It also explains that inspection behavior can be reduced while in conserve mode:

“pass (default): All new sessions pass without inspection until FortiGate switches back to non-conserve mode.”

“The av-failopen setting also applies to flow-based antivirus inspection.”

The FortiOS administration guide summarizes this behavior as:

“This causes functions such as antivirus scanning to change how they operate to reduce the functionality and conserve memory without compromising security.”

That is why C is the closest correct choice: FortiGate can reduce functionality of some processes, especially antivirus-related inspection, to preserve memory.

Why the other options are wrong:

A is wrong because FortiGate does not automatically reboot as a default conserve-mode action. A reboot can be configured through an automation stitch , but that is an optional administrator-defined response, not the built-in conserve-mode behavior

B is wrong because the documentation does not say FortiGate switches from proxy-based inspection to flow-based inspection. Instead, it may pass traffic without inspection depending on av-failopen settings

D is not generally correct for conserve mode . The study guide says FortiGate starts dropping new sessions only when memory usage exceeds the extreme threshold : “If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

So the verified answer is: C .

The correct answer is C. The session is offloaded using NPU .

The exact session example in the study guide shows:

proto=6 → this is a TCP session

expire=3599 → the session will expire in 3599 seconds , not in one second

hook=post dir=org act=snat 10.9.31.117:45388- > 200.8.57.5:443(10.1.0.3:45388)

hook=pre dir=reply act=dnat 200.8.57.5:443- > 10.1.0.3:45388(10.9.31.117:45388)

npu info: ... offload=8/8 ...

and the slide explicitly states: “Offloaded in both directions using NP6”

The study guide also explains this exact point clearly:

“Counters for hardware acceleration—The presence of the npu info field indicates the session has been offloaded to hardware acceleration. In this example, traffic is being offloaded in both directions using network processor (NP) 6, which is represented by the value of 8.”

Why the other options are wrong:

A is wrong because expire=3599, not 1. The duration=1 field means the session has existed for 1 second, not that it will expire in 1 second.

B is wrong because the original session is from 10.9.31.117 to the remote server 200.8.57.5:443. The IP 10.1.0.3 is the SNAT-translated source address , not the final destination.

D is not the best answer for this single-select question . The reply is indeed DNATed back toward the original client, but the exact validated takeaway highlighted by the study guide for this exhibit is the NPU offload state .

To establish a functional Security Fabric, specific network and configuration prerequisites must be met to ensure nodes can communicate, authorize, and share telemetry data:

A. You must ensure that TCP port 8013 is not blocked along the way:

TCP port 8013 is the dedicated port for FortiTelemetry (Fabric) communication. If firewalls (intermediate or local) block this port, the Fabric connection between the root and downstream FortiGates will fail.

D. You must authorize the downstream FortiGate on the root FortiGate:

Security Fabric relies on a trust relationship. When a downstream device attempts to join, it appears in the Root FortiGate ' s dashboard. The administrator must manually authorize this device (unless pre-authorized via serial number) to allow it to join the Fabric topology.

E. You must enable FortiTelemetry on the receiving interface of the upstream FortiGate:

The interface on the Root (upstream) FortiGate that faces the downstream devices must have the " Security Fabric Connection " (formerly CAPWAP/FortiTelemetry) administrative access setting enabled. Without this, the interface will not listen for or accept Fabric connection requests.

Why other options are incorrect:

B: Neighbor Discovery uses standard multicast/broadcast or static settings; changing the port is not a standard requirement.

C: FortiGates can participate in the Security Fabric in either NAT or Transparent mode; Transparent mode is not a mandatory requirement for the Fabric itself.

The study guide identifies this exact output as an expectation session created by the FTP session helper :

“run helper-ftp” indicates the FTP helper is in use.

“FortiGate created an expectation session and opened the pinhole port for the expected return traffic”

It also explains why this exists:

“Another important function of the session helper is to temporarily create an expected session (or pinhole) for the data channel connection that comes from the server.”

“The session helper automatically creates the session and opens the door for the incoming connection.”

“These incoming TCP sessions use random TCP port numbers.”

That directly proves C is correct.

For A , the exhibit shows expire=23. The study guide explains the expire field as the length of time until the session expires if no matching traffic arrives, and the FortiOS guide states for expectation sessions:

“Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.”

So with expire=23, FortiGate will allow that expected traffic only for the remaining 23 seconds; after that, it times out and the traffic is denied. That makes A correct.

Why the other options are wrong:

B is not supported . The study guide describes expectation sessions as being created by the session helper from the control-session negotiation, not as independent objects unaffected by the master session.

D is wrong as stated. Even though the output contains policy_id=25, the study guide explicitly says the incoming expected connection is allowed by the expected session itself, “even when no firewall policy allows it.”