FCSS_NST_SE-7.6 Questions and Answers

FortiTelemetry is a critical part of Security Fabric communications and requires explicit configuration for each participating FortiGate interface. The administrative access setting "fabric" (corresponding to FortiTelemetry) must be manually enabled per interface on both upstream and downstream devices. This is performed in the GUI under Administrative Access or via the CLI using the command set allowaccess fabric for the relevant network interface. Without this step, FortiTelemetry communications will not occur on that interface.

Additionally, the default communication between downstream and upstream FortiGate units in the Security Fabric is over TCP port 8013. This port is well-documented as the standard for Security Fabric and FortiTelemetry connections, and must be open and permitted across the network path for connectivity and status enforcement between units. The downstream FortiGate initiates the connection to the upstream via this port unless otherwise configured. This has also been documented as a PCI-relevant port, showing its default usage.

Other options:

Neighbor Discovery in FortiOS uses IPv6 ND protocol, not TCP.

FortiTelemetry port (8013) can be modified, but the interface Administrative Access for the Security Fabric must be manually enabled; Neighbor Discovery port modification is not documented as a supported change for FortiGate.

The Internet Key Exchange version 2 (IKEv2) protocol simplifies the negotiation process compared to IKEv1. It is defined by a specific sequence of message exchanges to establish a secure IPsec tunnel.

The correct chronological order of the IKEv2 exchanges is:

IKE_SA_INIT (Initial Exchange):

This is the first exchange. It negotiates the security parameters for the IKE Security Association (IKE SA), sends nonces, and performs the Diffie-Hellman key exchange. At the end of this exchange, the communication is encrypted, but the peers are not yet authenticated.

IKE_AUTH (Authentication Exchange):

This is the second exchange. It authenticates the previous messages, exchanges identities and certificates (if used), and establishes the first Child SA (the actual IPsec Security Association used for data traffic).

CREATE_CHILD_SA (Subsequent Exchanges):

This exchange occurs after the IKE SA and the initial Child SA are established. It is used to create additional Child SAs (for different traffic selectors) or to perform re-keying for the IKE SA or existing Child SAs.

Why other options are incorrect:

A & B: Incorrect because CREATE_CHILD_SA cannot happen before the SA is initialized (IKE_SA_INIT) and authenticated (IKE_AUTH).

D: Incorrect because IKE_AUTH cannot occur before IKE_SA_INIT.

Therefore, the protocol flow is IKE_SA_INIT $\rightarrow$ IKE_AUTH $\rightarrow$ CREATE_CHILD_SA.

The debug flow message iprope_in_check() check failed, drop specifically indicates a failure in the Local-In Policy check. The "iprope" (IP ROouting Policy Enforcement) engine handles policy lookups. The _in_check suffix confirms that the decision is regarding traffic destined to the FortiGate itself (Local-In traffic), rather than traffic passing through it.

D. The packet was dropped because the requested service is not enabled on FortiGate:

Explanation: This is the most common cause. When a packet arrives destined for the FortiGate's interface IP (e.g., an HTTPS or SSH request), the kernel checks if that specific service is enabled in the interface settings (set allowaccess). If the service is not enabled (e.g., trying to Ping an interface where PING access is disabled), the iprope_in_check function fails and drops the packet immediately.

C. The packet was dropped because the trusted host list is misconfigured:

Explanation: Even if the service (e.g., HTTPS) is enabled on the interface, the FortiGate checks the Administrator settings. If Trusted Hosts are configured, the source IP of the incoming packet is compared against the allowed list. If the IP is not on the list, the Local-In policy check (iprope_in_check) fails, and the packet is dropped to secure the management plane.

Why other options are incorrect:

A: If traffic is dropped by a standard Firewall Policy (traffic passing through the device from one interface to another), the debug message will typically state denied by policy x or no matching policy. It would generally be a forward check (iprope_fwd_check or similar), not an _in_check.

B: If there is no route to the source, the error is a Reverse Path Forwarding (RPF) failure. The debug flow logs this explicitly as reverse path check fail, drop.

The diagnose debug authd fsso server command is the primary tool for troubleshooting communication between the FortiGate and the FSSO Collector Agent. This debug output reveals the status of the connection and the reasons for failure. The three most common connectivity issues identified by this debug are:

FortiGate cannot reach the IP address of the collector agent (Option C): The debug will show connection timeouts or "host unreachable" errors if the Layer 3 connectivity is missing.

The connection was refused / Port mismatch (Option B): If the FortiGate can reach the IP but the Collector Agent is not listening on the specified port (default 8000), the debug will display "Connection refused." This often happens if the port configured on the FortiGate does not match the listening port on the agent.

The pre-shared key does not match (Option D): If the IP and Port are correct, the next step is authentication. If the password configured on the FortiGate does not match the one on the Collector Agent, the debug will explicitly show an "Authentication failed" or "password mismatch" error during the handshake.

Note on other options: Option A (SSL) is less common than basic connectivity/auth mismatches. Option E (Group filters) relates to user processing logic, which occurs after connectivity is established.

According to the official Fortinet administration guide for FortiOS 7.6.4 under the section "Configuring a RADIUS server," the supported RADIUS authentication methods you can configure via the CLI with config user radius are:

pap

chap

mschap

mschapv2

auto

The relevant CLI syntax is set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}​. You can confirm this directly in the configuration table and from real CLI sessions.

EAP (Extensible Authentication Protocol) is NOT an authentication option you can directly set under config user radius. EAP methods (such as EAP-TLS, EAP-PEAP, EAP-TTLS) are negotiated between the RADIUS client and server but are not configurable as an explicit auth-type option in FortiOS. EAP authentication is typically used automatically by features like 802.1X, not through the user radius object authentication-type setting, and always requires proper backend workings between supplicant and RADIUS server

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate's subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The administrator is running a packet sniffer with the filter 'udp port 500 or udp port 4500 or esp'. The result is "no output," even though the VPN is attempting to establish (failing).

A. The VPN is configured to use IKE over TCP:

Standard IPsec IKE negotiation uses UDP port 500 (IKE) and UDP port 4500 (NAT-T).

However, if IKEv2 over TCP (RFC 8229) or Fortinet's proprietary IKE over TCP is configured (often used to bypass firewalls that block UDP), the traffic will use TCP (often port 4500 or 443).

The sniffer filter explicitly looks for udp or esp (IP Protocol 50).

If the traffic is encapsulated in TCP, it matches tcp protocol, not udp or esp (raw ESP). Therefore, the sniffer sees zero packets matching the filter.

Why other options are incorrect:

B: esp is a valid argument for diagnose sniffer packet. It is equivalent to filtering for IP protocol 50.

C: If the ISP were blocking traffic, the sniffer (running on the local FortiGate) would still see the outbound packets generated by the FortiGate trying to initiate the connection. "No output" implies the local device isn't even generating packets matching that filter.

D: Mismatched IKE versions would still generate IKE negotiation packets (proposals/errors) that would be captured by the sniffer.

IKEv1 (Internet Key Exchange version 1) and IKEv2 are protocols used for establishing IPsec VPN tunnels, and both protocols share the conceptual division into two phases, as clearly described in Fortinet VPN documentation:

Phase 1 handles negotiation and establishment of a secure IKE Security Association (SA) between peers.

Phase 2 negotiates parameters for the IPsec Security Association, which secures actual data traffic between peers.

While IKEv2 streamlines and improves upon IKEv1 by merging some message exchanges and simplifying configuration, it maintains the same core two-phase concept: Phase 1 (IKE SA) and Phase 2 (IPsec SA). This is a foundational VPN concept referenced widely in both IKEv1 and IKEv2 literature.

Other statements are incorrect:

Asymmetric authentication is possible, but not mandatory for both.

Both protocols commonly use UDP port 500, sometimes 4500 for NAT traversal, but they are not designed to run on TCP.

The protocol feature compatibility over TCP/UDP is not correctly described in the other options.

Intermittent behavior (working sometimes, failing others) points to resource or connectivity fluctuations rather than static misconfigurations.

B. Check that FortiGate is not entering conserve mode:

Reason: When FortiGate enters Conserve Mode (due to high memory usage), it changes its inspection behavior to save resources. Depending on the av-failopen setting, it may either bypass inspection (allowing blocked sites) or drop traffic (blocking valid sites) temporarily until memory recovers. This flapping between states causes intermittent filtering issues.

D. Check that the communication between FortiGate and FortiGuard is stable:

Reason: The Web Filter engine relies on real-time queries to the FortiGuard Distribution Network (FDN) to categorize URLs that are not in the local cache. If the internet connection or the specific path to FortiGuard is unstable (packet loss, latency), queries will time out. This results in "Rating Errors," which can block or allow traffic unpredictably based on the "Allow websites when a rating error occurs" setting.

Why other options are incorrect:

A: A mismatch in inspection mode (e.g., Profile set to Proxy, Policy set to Flow) is a static configuration error. It would typically result in the profile not being selectable or consistently failing/not applying, rather than working intermittently.

C: If the wrong port is mapped (e.g., HTTP on 8080 is not mapped), the inspection engine will consistently ignore traffic on that port. It would not be intermittent.

The session output reveals a session with proto=1 (ICMP) and the origin and reply directions show address and NAT translations. Specifically, the hook=post dir=org act=snat shows that source NAT is performed for outgoing packets, where the source 10.1.10.10:40602 is translated to 10.200.5.1:8 (likely ICMP id 8, not a TCP/UDP port). The reply direction, hook=pre dir=reply act=dnat, indicates destination NAT for incoming packets: packets incoming for 10.200.5.1:60430 are destination-NATed to 10.1.10.10:40602. The gateway (gwy) is listed as 10.200.1.254/10.1.0.1, which for outgoing traffic means that return traffic is directed to the gateway (10.200.1.254), per the NAT policy. This is confirmed by the FortiOS Session Table Guide, which explains that the returned ICMP reply will be routed out to this NAT gateway. The session statistics and logical flow (SNAT out, matching DNAT in) reinforce that reply traffic to the initiator traverses via 10.200.1.254.