Fortinet FCSS_NST_SE-7.6 - Fortinet NSE 6 - Network Security 7.6 Support Engineer

Analyze the " Send to Application Layer " Message:

The most critical line in the debug output is: id=65308 ... func=av_receive ... msg= " send to application layer "

Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.

Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a " send to application layer " message for standard web filtering.

Evaluate Option B (Firewall Policy Mode):

Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path. Thus, Option B is correct.

Evaluate Option C (Web Filter Profile Mode):

In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.

Why Option A is Incorrect (NPU Offload):

The output shows npu_state=0x100. In the context of a flow trace where traffic is being " sent to application layer, " this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.

Why Option D is Incorrect (Port Mapping):

While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct " observations " derived from the log data.

The correct answer is D. Assertion dump .

The study guide states that: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

It also shows the real-time SAML debug output under “ ** Assertion Dump ****”**, where the SAML attributes appear inside the assertion, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

The same study-guide page explicitly labels this area as “Attributes sent by IdP”

So, although the IdP sends an authentication response overall, the actual section that contains the SAML attributes is the Assertion dump

The 8.8.8.8/32 route is visible in the OSPF database on FGT-B but not installed into the routing table—the most likely explanation is that FGT-B is filtering it from being installed.

The key point is that the two VPNs are dynamic dialup IPsec tunnels on the same interface and both are using IKEv1 main mode . In this design, FortiGate cannot reliably distinguish which dialup phase1 to match before phase 1 completes.

The uploaded Network Security Support Engineer 7.6 Study Guide shows that XAuth happens only after phase 1 is already established:

“The IKE real-time debug shows, after phase 1, the exchange of extended authentication (XAuth) packets… You can also see the CFG_REPLY, showing the XAuth user and group name.”

That means the user group is learned too late to be used for selecting the correct phase1 definition. So the fix must be applied to the phase1 matching method itself , not to XAuth.

The FortiOS administration guide gives the exact rule for this scenario:

“When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.”

FortiTelemetry is a critical part of Security Fabric communications and requires explicit configuration for each participating FortiGate interface. The administrative access setting " fabric " (corresponding to FortiTelemetry) must be manually enabled per interface on both upstream and downstream devices. This is performed in the GUI under Administrative Access or via the CLI using the command set allowaccess fabric for the relevant network interface. Without this step, FortiTelemetry communications will not occur on that interface.

Additionally, the default communication between downstream and upstream FortiGate units in the Security Fabric is over TCP port 8013. This port is well-documented as the standard for Security Fabric and FortiTelemetry connections, and must be open and permitted across the network path for connectivity and status enforcement between units. The downstream FortiGate initiates the connection to the upstream via this port unless otherwise configured. This has also been documented as a PCI-relevant port, showing its default usage.

Other options:

Neighbor Discovery in FortiOS uses IPv6 ND protocol, not TCP.

FortiTelemetry port (8013) can be modified, but the interface Administrative Access for the Security Fabric must be manually enabled; Neighbor Discovery port modification is not documented as a supported change for FortiGate.

The best verified answer is C .

The study guide says that when FortiGate is in conserve mode, it activates protection measures to recover memory space:

“System configuration cannot be changed”

“FortiGate skips quarantine actions (including FortiSandbox analysis)”

It also explains that inspection behavior can be reduced while in conserve mode:

“pass (default): All new sessions pass without inspection until FortiGate switches back to non-conserve mode.”

“The av-failopen setting also applies to flow-based antivirus inspection.”

The FortiOS administration guide summarizes this behavior as:

“This causes functions such as antivirus scanning to change how they operate to reduce the functionality and conserve memory without compromising security.”

That is why C is the closest correct choice: FortiGate can reduce functionality of some processes, especially antivirus-related inspection, to preserve memory.

Why the other options are wrong:

A is wrong because FortiGate does not automatically reboot as a default conserve-mode action. A reboot can be configured through an automation stitch , but that is an optional administrator-defined response, not the built-in conserve-mode behavior

B is wrong because the documentation does not say FortiGate switches from proxy-based inspection to flow-based inspection. Instead, it may pass traffic without inspection depending on av-failopen settings

D is not generally correct for conserve mode . The study guide says FortiGate starts dropping new sessions only when memory usage exceeds the extreme threshold : “If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

So the verified answer is: C .

The correct answer is D. The inbound IPsec SA was copied to the NPU.

The exhibit shows:

npu_flag=02

dec_npuid=1

enc_npuid=0

The study guide gives the exact meaning of the npu_flag field:

npu_flag=00 = Both IPsec SAs loaded to the kernel

npu_flag=01 = Outbound IPsec SA copied to NPU

npu_flag=02 = Inbound IPsec SA copied to NPU

npu_flag=03 = Both outbound and inbound IPsec SAs copied to NPU

It also explains: “If the first IPsec packet is inbound and can be offloaded, the inbound SA is copied to the NPU and the npu_flag changes to 02. After both SAs are copied to the NPU, the npu_flag changes to 03.”

So with npu_flag=02, only the inbound SA has been copied to the NPU. That makes D correct.

Why the other options are wrong:

A is wrong because outbound-only offload would be npu_flag=01, not 02

C is wrong because both directions offloaded would be npu_flag=03, not 02

B is wrong because dec_npuid=1 identifies the NPU ID used for decryption, but it does not state that the processor is specifically NP6 . The study guide only maps the offload state through the npu_flag values in this context, not the NPU model from this field alone

So the verified answer is: D .

The correct answers are A and B .

For UDP , the study guide states this directly: “For UDP, the session state can have only two values: 00 when traffic is only one way, and 01 when traffic is two ways. For ICMP, the protocol state is always 00.”

That makes B correct and D incorrect.

For TCP , the study guide explains that the protocol state is a two-digit number, where the first digit is the server-side state and the second digit is the client-side state . It also states that the first digit is 0 when the session is not subject to any inspection , and the TCP state table shows that value 1 = ESTABLISHED

So, for a normal non-proxied/non-inspected TCP session, proto_state=01 means the TCP session is in the ESTABLISHED state. An established TCP session means the three-way handshake has completed, which requires traffic in both directions. That is why A is correct.

The study guide also says: “proto_state=11 means that the TCP three-way handshake for both server-side and client-side is completed (ESTABLISHED).”

This confirms that TCP state value 1 represents an established state.

Why C is not selected: the study guide defines value 5 as TIME_WAIT and says: “When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds… This is the state value 5.”

So proto_state=05 represents a closing/closed TCP session in TIME_WAIT , not the normal bidirectional state the question is testing.

Therefore, the verified answers are A and B .