Fortinet FCSS_NST_SE-7.6 - Fortinet NSE 6 - Network Security 7.6 Support Engineer

The correct answers are C and D .

The study guide states: “SSL certificate inspection relies on extracting the FQDN of the URL from either: TLS extension server name indication (SNI), SSL certificate common name (CN).” It also says: “When using SSL certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates and the SNI field, which are interchanged before the encryption.”

This proves the second part of the answer:

under SSL certificate inspection , FortiGate does not decrypt the traffic

therefore, if the traffic is allowed , it still passes without decryption

That makes D correct.

For the SNI mismatch behavior, the FortiOS administration guide describes the default Server certificate SNI check behavior as:

“Enable: If it is mismatched use the CN in the server certificate for URL”

So if the SNI does not match the CN or any SAN, FortiGate falls back to using the CN from the Subject field for URL handling under the default setting. That makes C correct.

Why the other options are wrong:

A is wrong because with the default SNI-check behavior, when the SNI mismatches the certificate identity, FortiGate does not continue using the mismatched SNI . Instead, it uses the CN in the server certificate for the URL .

B is not the best answer in this single pair selection . While certificate inspection does not decrypt traffic, the key default behavior the documents explicitly highlight for this mismatch case is:

use the CN when SNI mismatches , and

certificate inspection does not decrypt allowed HTTPS traffic .

So the verified answers are: C, D .

We must analyze the flags (*, > , S, O, B) and Administrative Distances (AD) shown in the get router info routing-table database exhibit to determine the correct statements.

Analysis for Option A (The BGP route to 10.0.4.0/24 is not in the forwarding information base):

True. Look at the entry for 10.0.4.0/24.

There is an OSPF route: O * > 10.0.4.0/24 [110/2]. The * indicates it is in the FIB, and > indicates it is the selected route.

There is a BGP route: B 10.0.4.0/24 [200/10]. This line lacks the * flag.

Reason: The OSPF route has an Administrative Distance of 110. The BGP route (iBGP) has an AD of 200. Since 110 is lower than 200, OSPF wins, and the BGP route is not installed in the Forwarding Information Base (FIB).

Analysis for Option B (The default static route through 10.200.1.254 is in the forwarding information base):

True. Look at the 0.0.0.0/0 entries.

The first entry is S * > 0.0.0.0/0 [10/0] via 10.200.1.254.

The * flag confirms this specific route is installed in the FIB.

The second static route (via 10.200.2.254) has a higher distance ([20/0]) and no * flag, so it is inactive.

Why C is False: ECMP (Equal Cost Multi-Path) requires routes to have the same cost/priority. Here, one static route has AD 10 and the other has AD 20. They are not equal, so ECMP is not performed.

Why D is False: The routing table database shows active routes, not the raw Link State Advertisement (LSA) database. You cannot determine the number of LSAs received solely from this output.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

From the snippet we can see that FortiGate (via the fssod daemon) is directly detecting the user logon rather than relying on a separate “collector” or “DC agent.” This indicates agentless polling—FortiGate polls the DC’s event logs over TCP 445 to discover logons. So: - FSSO is using agentless polling mode to detect logon events - In agentless mode, FortiGate will periodically poll the same IP (the DC) on port 445 to see if the user is still logged on

The correct answer is B .

In the exhibit:

Neighbor 100.64.1.254 shows State/PfxRcd = 1 , which means the session is established and the local FortiGate has received 1 prefix

Neighbor 100.64.2.254 shows State/PfxRcd = Active

The study guide explains the BGP states exactly:

Connect : Waiting for a successful three-way TCP connection

Active : Unable to establish the TCP session

OpenSent : Waiting for an OPEN message from the peer

OpenConfirm : Waiting for the keepalive message from the peer

Established : Peers have successfully exchanged OPEN and keepalive messages

It also explains how to read the State/PfxRcd column:

“If the state is not established, this column displays the BGP state. If the state is established, this column displays the number of prefixes that the local FortiGate received from that neighbor.”

Therefore, because neighbor 100.64.2.254 is in Active state, the correct conclusion is that the BGP adjacency cannot form because the TCP session could not be established .

Why the other options are wrong:

A is wrong because BGP can establish adjacencies with multiple neighbors independently; one established neighbor does not block another

C is wrong because BGP adjacency is not established based on neighbor “priority”; the output shows adjacency is established because the session completed and prefixes were exchanged

D is wrong because having two neighbors in the same remote AS is valid in BGP and does not prevent adjacency formation

So the verified answer is: B .

The correct answers are B and C .

The study guide has a section titled “Not Verified Status on the Collector Agent” and states:

“The collector agent cannot verify if the user is still logged in” and lists these common causes :

“A firewall is blocking traffic to port 139 and 445”

“The workstation remote registry service is not running”

The guide also explains the verification method:

“For WMI polling mode, the collector agent checks the WMI service. For all the other modes, the collector agent checks the HKEY_USERS hive through remote registry services.” If the workstation does not respond to these checks, the status can become not verified

An additional requirements slide in the same study guide confirms:

“TCP ports 139 and 445 must be open between the collector agent and all workstations”

“Remote registry service must be up and running on each workstation”

Why the other options are wrong:

A is wrong because the study guide mentions a workstation coming out of hibernate mode under a different problem: “No Internet After IP Address Change” , not as a common cause of Not Verified status

D is wrong because DNS resolution issues are also discussed under the IP address change scenario, where the collector agent uses DNS to resolve the workstation name after an IP change. That is separate from the Not Verified causes listed for this log message

So the verified answers are: B, C .

The correct answer is C. The session is offloaded using NPU .

The exact session example in the study guide shows:

proto=6 → this is a TCP session

expire=3599 → the session will expire in 3599 seconds , not in one second

hook=post dir=org act=snat 10.9.31.117:45388- > 200.8.57.5:443(10.1.0.3:45388)

hook=pre dir=reply act=dnat 200.8.57.5:443- > 10.1.0.3:45388(10.9.31.117:45388)

npu info: ... offload=8/8 ...

and the slide explicitly states: “Offloaded in both directions using NP6”

The study guide also explains this exact point clearly:

“Counters for hardware acceleration—The presence of the npu info field indicates the session has been offloaded to hardware acceleration. In this example, traffic is being offloaded in both directions using network processor (NP) 6, which is represented by the value of 8.”

Why the other options are wrong:

A is wrong because expire=3599, not 1. The duration=1 field means the session has existed for 1 second, not that it will expire in 1 second.

B is wrong because the original session is from 10.9.31.117 to the remote server 200.8.57.5:443. The IP 10.1.0.3 is the SNAT-translated source address , not the final destination.

D is not the best answer for this single-select question . The reply is indeed DNATed back toward the original client, but the exact validated takeaway highlighted by the study guide for this exhibit is the NPU offload state .

The administrator is running a packet sniffer with the filter ' udp port 500 or udp port 4500 or esp ' . The result is " no output, " even though the VPN is attempting to establish (failing).

A. The VPN is configured to use IKE over TCP:

Standard IPsec IKE negotiation uses UDP port 500 (IKE) and UDP port 4500 (NAT-T).

However, if IKEv2 over TCP (RFC 8229) or Fortinet ' s proprietary IKE over TCP is configured (often used to bypass firewalls that block UDP), the traffic will use TCP (often port 4500 or 443).

The sniffer filter explicitly looks for udp or esp (IP Protocol 50).

If the traffic is encapsulated in TCP, it matches tcp protocol, not udp or esp (raw ESP). Therefore, the sniffer sees zero packets matching the filter.

Why other options are incorrect:

B: esp is a valid argument for diagnose sniffer packet. It is equivalent to filtering for IP protocol 50.

C: If the ISP were blocking traffic, the sniffer (running on the local FortiGate) would still see the outbound packets generated by the FortiGate trying to initiate the connection. " No output " implies the local device isn ' t even generating packets matching that filter.

D: Mismatched IKE versions would still generate IKE negotiation packets (proposals/errors) that would be captured by the sniffer.

The study guide states:

“FortiGate categorizes an entry in the session table as an ephemeral session when it is a TCP session that is not fully established (three-way handshake not completed), or when it is a UDP session with only one packet received.”

This directly proves:

A is correct because a UDP session with only one packet received is ephemeral.

C is correct because a TCP session waiting for the SYN/ACK is not fully established , so it is ephemeral. The study guide’s TCP state table shows that the handshake is only completed when the session reaches ESTABLISHED

Why the other options are wrong:

B is wrong because once UDP traffic has been seen in both directions , it is no longer the “single packet received” condition described for ephemeral sessions. The study guide says for UDP: 00 = one way , 01 = both ways

D is wrong because a TCP session waiting for FIN/ACK is already in the closing stage after establishment, not in the “not fully established” stage. The study guide explains that after both sides close the session, FortiGate can keep it briefly in the table in state value 5 for out-of-order packets after FIN/ACK