FCSS_NST_SE-7.6 Questions and Answers

The correct answers are A and C .

The study guide describes this exact asymmetric ICMP scenario. It states:

“The server sends an echo request to the PC through port2 of the local router, effectively bypassing FortiGate. When it receives the echo request, the PC responds with an echo reply through its default gateway, 10.1.0.2, which is port1 on FortiGate. Because there is no existing session, the echo reply is dropped. All subsequent echo replies are blocked.”

That means the current problem exists because:

the ICMP request bypasses FortiGate

the ICMP reply goes through FortiGate

FortiGate has no matching session , so it drops the reply

The study guide then shows the exact corrective option:

“Allowing asymmetric routing:”

config system settings

set asymroute enable

end

It further explains:

“After the packet passes through the FortiGate CPU, FortiGate forwards the packet using the FIB, even though there are no session matches. FortiGate forwards all subsequent echo replies using the FIB.”

So A is correct.

The other valid fix is to make the traffic symmetric by changing the laptop’s default gateway so the reply no longer goes through FortiGate. In the exhibit, the alternate gateway is 10.1.0.254 , which is the local router on the same subnet. If the laptop uses 10.1.0.254 instead of 10.1.0.2, the ICMP echo reply follows the same bypass path as the echo request, so the server receives it without involving FortiGate session validation. This makes C correct.

Why the other options are wrong:

B is wrong because this is not an RPF problem. The study guide explains RPF as a reverse path lookup used to validate whether a packet arrived on a legitimate interface, mainly for spoofing protection. The issue in this scenario is a missing session due to asymmetric routing , not a strict-versus-feasible RPF failure

D is wrong because FortiGate already has the specific route 10.4.0.0/24 through port3 in the routing table shown in the exhibit, so adding a default static route to port3 is unnecessary and not the reason the echo reply is being dropped

So the verified answers are: A, C .

The correct answer is D. IKE_AUTH .

The study guide explicitly states:

“IKE_Auth exchange:

• Performs the mutual authentication of two IKE endpoints.

• Configures settings like IP/mask, DNS, and so on.

• Sets up the piggyback of a child SA. Negotiates IP flow and security settings for the IPsec SA.”

It also says:

“By default, a piggyback child (IPsec) SA is negotiated along with the IKEv2 SA during IKE_AUTH. If additional IPsec SAs are needed … they are negotiated during subsequent CREATE_CHILD_SA exchanges.”

Why the other options are wrong:

A. IKE_SA_INIT is incorrect because this exchange negotiates the security settings to protect the IKE traffic, not the first CHILD_SA.

B. INFORMATIONAL is incorrect because it is used to convey control messages between IKE endpoints.

C. CREATE_CHILD_SA is incorrect for the first CHILD_SA, because it is used to create new additional child SAs or rekey existing ones after the initial exchange.

To establish a functional Security Fabric, specific network and configuration prerequisites must be met to ensure nodes can communicate, authorize, and share telemetry data:

A. You must ensure that TCP port 8013 is not blocked along the way:

TCP port 8013 is the dedicated port for FortiTelemetry (Fabric) communication. If firewalls (intermediate or local) block this port, the Fabric connection between the root and downstream FortiGates will fail.

D. You must authorize the downstream FortiGate on the root FortiGate:

Security Fabric relies on a trust relationship. When a downstream device attempts to join, it appears in the Root FortiGate ' s dashboard. The administrator must manually authorize this device (unless pre-authorized via serial number) to allow it to join the Fabric topology.

E. You must enable FortiTelemetry on the receiving interface of the upstream FortiGate:

The interface on the Root (upstream) FortiGate that faces the downstream devices must have the " Security Fabric Connection " (formerly CAPWAP/FortiTelemetry) administrative access setting enabled. Without this, the interface will not listen for or accept Fabric connection requests.

Why other options are incorrect:

B: Neighbor Discovery uses standard multicast/broadcast or static settings; changing the port is not a standard requirement.

C: FortiGates can participate in the Security Fabric in either NAT or Transparent mode; Transparent mode is not a mandatory requirement for the Fabric itself.

The administrator is running a packet sniffer with the filter ' udp port 500 or udp port 4500 or esp ' . The result is " no output, " even though the VPN is attempting to establish (failing).

A. The VPN is configured to use IKE over TCP:

Standard IPsec IKE negotiation uses UDP port 500 (IKE) and UDP port 4500 (NAT-T).

However, if IKEv2 over TCP (RFC 8229) or Fortinet ' s proprietary IKE over TCP is configured (often used to bypass firewalls that block UDP), the traffic will use TCP (often port 4500 or 443).

The sniffer filter explicitly looks for udp or esp (IP Protocol 50).

If the traffic is encapsulated in TCP, it matches tcp protocol, not udp or esp (raw ESP). Therefore, the sniffer sees zero packets matching the filter.

Why other options are incorrect:

B: esp is a valid argument for diagnose sniffer packet. It is equivalent to filtering for IP protocol 50.

C: If the ISP were blocking traffic, the sniffer (running on the local FortiGate) would still see the outbound packets generated by the FortiGate trying to initiate the connection. " No output " implies the local device isn ' t even generating packets matching that filter.

D: Mismatched IKE versions would still generate IKE negotiation packets (proposals/errors) that would be captured by the sniffer.

The correct answer is B .

In the exhibit:

Neighbor 100.64.1.254 shows State/PfxRcd = 1 , which means the session is established and the local FortiGate has received 1 prefix

Neighbor 100.64.2.254 shows State/PfxRcd = Active

The study guide explains the BGP states exactly:

Connect : Waiting for a successful three-way TCP connection

Active : Unable to establish the TCP session

OpenSent : Waiting for an OPEN message from the peer

OpenConfirm : Waiting for the keepalive message from the peer

Established : Peers have successfully exchanged OPEN and keepalive messages

It also explains how to read the State/PfxRcd column:

“If the state is not established, this column displays the BGP state. If the state is established, this column displays the number of prefixes that the local FortiGate received from that neighbor.”

Therefore, because neighbor 100.64.2.254 is in Active state, the correct conclusion is that the BGP adjacency cannot form because the TCP session could not be established .

Why the other options are wrong:

A is wrong because BGP can establish adjacencies with multiple neighbors independently; one established neighbor does not block another

C is wrong because BGP adjacency is not established based on neighbor “priority”; the output shows adjacency is established because the session completed and prefixes were exchanged

D is wrong because having two neighbors in the same remote AS is valid in BGP and does not prevent adjacency formation

So the verified answer is: B .

The correct answer is C. The session is offloaded using NPU .

The exact session example in the study guide shows:

proto=6 → this is a TCP session

expire=3599 → the session will expire in 3599 seconds , not in one second

hook=post dir=org act=snat 10.9.31.117:45388- > 200.8.57.5:443(10.1.0.3:45388)

hook=pre dir=reply act=dnat 200.8.57.5:443- > 10.1.0.3:45388(10.9.31.117:45388)

npu info: ... offload=8/8 ...

and the slide explicitly states: “Offloaded in both directions using NP6”

The study guide also explains this exact point clearly:

“Counters for hardware acceleration—The presence of the npu info field indicates the session has been offloaded to hardware acceleration. In this example, traffic is being offloaded in both directions using network processor (NP) 6, which is represented by the value of 8.”

Why the other options are wrong:

A is wrong because expire=3599, not 1. The duration=1 field means the session has existed for 1 second, not that it will expire in 1 second.

B is wrong because the original session is from 10.9.31.117 to the remote server 200.8.57.5:443. The IP 10.1.0.3 is the SNAT-translated source address , not the final destination.

D is not the best answer for this single-select question . The reply is indeed DNATed back toward the original client, but the exact validated takeaway highlighted by the study guide for this exhibit is the NPU offload state .

The exhibit includes these key debug lines:

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explains that in regular bind , LDAP authentication has four steps , and that during step 2 , FortiGate searches the LDAP tree to find the user’s DN:

“During the second step, FortiGate does a search query in the LDAP database to find the user’s location—in other words, the user’s DN. If the user is found, the server replies with the user’s DN.”

It also states for the real-time debug of step 2:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree. This message includes the base branch (distinguished name setting) and the name of the attribute used to locate the user... If the LDAP server finds the user, the output shows the user’s full DN.”

That directly proves:

D is correct because the debug is showing step 2: Search Request

A is correct because the base DN and found DN are under DC=TAC,DC=ottawa,DC=fortinet,DC=com, which corresponds to the LDAP domain/tree root TAC.ottawa.fortinet.com

Why the other options are wrong:

B is wrong because binding with the user’s credentials is step 3 , not the step shown here. The study guide says: “Step 3 – Bind user credentials” and shows that this happens later with fnbamd_ldap_build_userbind_req / __ldap_build_bind_req-Binding to ' CN=John Smith... '

C is wrong because collecting user group information is step 4 , not the step shown in the exhibit. The study guide says: “The last step is to get the user group information” and shows step 4 with Attr query / memberOf search

According to the official Fortinet documentation (Technical Tip: Useful FSSO Commands), heartbeat messages play a crucial role in communication between the FSSO Collector Agent and FortiGate. These messages are regularly sent from the Collector Agent to verify its status, maintain session awareness, and confirm connectivity between the authentication infrastructure and FortiGate appliances.

Option B is confirmed by Fortinet, as the collector agent logs on Windows or its management console will specifically note heartbeat events, connection status, and any issues maintaining contact with FortiGate units.

Option C is validated by both official CLI documentation and the technical tip linked. On FortiGate, heartbeat messages from the collector agent are visible using real-time debug tools such as diagnose debug application authd or FSSO-specific commands. These enable administrators to monitor live logon states, session status, and connection health directly from the FortiGate CLI. The debug stream shows heartbeats received and their effect on active logons, associating health monitoring with active sessions.

Heartbeat operation is fully automated once FSSO is set up—there is no requirement for manual enablement or configuration, aligning with Fortinet’s philosophy of seamless integration and centralized management across the Security Fabric. This ensures that both FortiGate and the collector agent can quickly and reliably detect any miscommunication or outage, addressing authentication issues proactively.

The correct answer is D .

In the exhibit, get router info routing-table database shows both static default routes:

0.0.0.0/0 [20/0] via 100.64.2.254, port2

0.0.0.0/0 [10/0] via 100.64.1.254, port1

But get router info routing-table all shows only:

0.0.0.0/0 [10/0] via 100.64.1.254, port1

The study guide explains that get router info routing-table all displays the routes that make it to the FIB — the best active routes . It also says that this command doesn’t show standby or inactive routes , which can remain only in the routing table database. It gives the exact rule: “when two static routes to the same destination subnet have different distances, the one with the lower distance is installed in the routing table, and the one with the higher distance is installed in the routing table database.”

The study guide also shows the route selection process:

Most specific route

Lowest distance

Lowest metric (dynamic routes)

Lowest priority (static routes)

ECMP

So the port2 default route is absent from the second output because its distance is 20 , while the port1 default route has distance 10 . The lower-distance route is installed in the active routing table/FIB.

Why the other options are wrong:

A is wrong because the exhibit does not indicate port2 is down or disabled.

B and C are wrong because priority is checked only after distance for static routes. Here, the routes already differ by distance , so priority is not the deciding factor.

So the verified answer is: D .

Analyze the " Send to Application Layer " Message:

The most critical line in the debug output is: id=65308 ... func=av_receive ... msg= " send to application layer "

Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.

Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a " send to application layer " message for standard web filtering.

Evaluate Option B (Firewall Policy Mode):

Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path. Thus, Option B is correct.

Evaluate Option C (Web Filter Profile Mode):

In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.

Why Option A is Incorrect (NPU Offload):

The output shows npu_state=0x100. In the context of a flow trace where traffic is being " sent to application layer, " this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.

Why Option D is Incorrect (Port Mapping):

While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct " observations " derived from the log data.

The study guide states:

“The kernel memory slabs are collections of objects with a common purpose. The kernel uses them to store information in memory.”

It also gives the exact calculation rule:

“Total slab size = available objects x object size”

From the exhibit:

tcp_session 3 5 1500 ...

So:

available objects = 5

object size = 1500

Therefore:

Total slab size = 5 × 1500 = 7500 kB

That makes D correct, and it is associated with the kernel , not user space.

Why the other options are wrong:

A is wrong because sctp_session 0 0 1600 ... gives 0 × 1600 = 0 , but slabs are associated with the kernel , not user space.

B is wrong because ip_session 1 3 1200 ... gives 3 × 1200 = 3600 , but again slabs are kernel memory, not user space.

C is wrong because ip6_session 0 0 1300 ... gives 0 × 1300 = 0 , not 1300.

The exhibit shows:

memory conserve mode: on

memory used: 2706 MB 89% of total RAM

memory used threshold red: 2675 MB 88% of total RAM

memory used + freeable threshold extreme: 2887 MB 95% of total RAM

The study guide states that the default thresholds are:

Extreme = 95%

Red = 88%

Green = 82%

So this FortiGate is in conserve mode because memory usage is 89% , which is above the red threshold (88%) , but it has not yet reached the extreme threshold (95%) .

The study guide then explains exactly what happens during conserve mode:

“For traffic that requires proxy-based inspection (and if memory usage has not exceeded the extreme threshold):

config system global

set av-failopen [off | pass | one-shot]

pass (default): All new sessions pass without inspection”

It also says:

“The av-failopen setting also applies to flow-based antivirus inspection.”

And the same page adds:

“If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

Therefore, with default settings and with memory usage below the extreme threshold , FortiGate is allowing new sessions that require inspection, but bypassing inspection . That matches C .

Why the other options are wrong:

A is wrong because the default behavior is not to block proxy-based inspected sessions; the default is pass , meaning they pass without inspection

B is wrong because if memory rises another 6% , it reaches 95% , which is the extreme threshold . At that point, the study guide says all new sessions that require inspection are blocked

D is wrong because FortiGate blocks all new inspected sessions only when memory usage exceeds the extreme threshold , and the exhibit shows it is currently at 89% , not 95%

For Option A:In Fortinet BGP (and standard BGP), when a prefix is displayed with an " i " (lowercase i) in the Path column, it represents an internal prefix that originated from the local router, typically configured via the BGP " network " command. In the exhibit, the prefix 10.20.30.0/24 is listed with a Path value of i, indicating it was injected into BGP by the local router using the network statement, not via redistribution from another routing protocol. The same logic applies to i as documented: " Origin code ' i ' means the route was injected via the network command. "

For Option D:The get router info bgp network output is a summary table displaying both local and received BGP routes. It lists all known routes to the BGP process, whether received from peers or originated locally. The exhibit shows all BGP prefixes known to the local router, matching the official admin guide’s description of this command’s output.

Explanation for B and C:

The phrase “legacy route advertisement” is not formalized in BGP documentation or Fortinet’s admin guide; the output uses standard BGP mechanics.

If a route was redistributed into BGP from another routing protocol, the Path field would display a " ? " (question mark) for incomplete (redistributed) origin. Here the /24 route has " i " so it is NOT a redistribution.

The get router info bgp summary output lists BGP neighbor status:

Prefix Reception: The " State/PfxRcd " column shows the number of prefixes received from the neighbor—neighbor 100.64.1.254 has " 1 " , confirming option A.

Received Message Count: Under " MsgRcvd " , 18 packets have been received from neighbor 100.64.1.254. This matches option C.

The second neighbor 100.64.2.254 is in " Active " state and has received/sent 0 packets, indicating that its TCP connection is NOT established, disproving option B.

There is no indication anywhere that the router is " still calculating " prefixes; " Active " just means no session is established, so option D is incorrect.

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The reported symptom—users unable to access any websites despite no explicit blocks in the profile—points to systemic connectivity or configuration issues rather than specific URL filtering rules.

Option B (SSL/TLS Inspection): When Deep Inspection is enabled, the FortiGate acts as a Man-in-the-Middle (MitM) and re-signs server certificates using its own CA. If the clients (browsers) do not trust this CA (i.e., the certificate is not installed in their Trusted Root store), they will reject the connection with certificate errors, effectively preventing access to all HTTPS websites.

Option D (DNS): Web browsing relies on DNS resolution . If the configured DNS server is unreachable or failing, the FortiGate (or the client) cannot resolve FQDNs to IP addresses. Consequently, browsers will fail to load any page, resulting in a total loss of web access.

Option E (License): If the FortiGuard Web Filtering license expires, the FortiGate can no longer query the FortiGuard Distribution Network (FDN) for ratings. By default, or if the allow-when-rating-error setting is disabled (a common security practice), the FortiGate will block all web traffic that it cannot rate, often displaying a " Web Filter Service Error " or invalid license page.

Option A is incorrect because clearing the cache only increases latency, it does not block traffic. Option C is incorrect because webfilter-force-off is typically used to disable the service (often allowing traffic to bypass checks if the service is down), rather than blocking it.

The correct answers are A and B .

The study guide says:

“If NAT-T is enabled, and there is a FortiGate located in the middle that is running NAT, the sniffer command must use a different filter. In this case, IKE traffic uses UDP port 500, but switches to UDP port 4500 during the tunnel negotiation. Additionally, ESP traffic is encapsulated inside the UDP 4500 channel.”

It also says:

“In some networks, UDP is blocked by firewalls or ISPs. In those cases, you can configure your VPN tunnel to use IKE over TCP in the phase 1 configuration. The default IKE TCP port is 443…”

And the study guide gives the correct capture examples:

No NAT: host < remote-gw > and udp port 500

With NAT and NAT-T: host < remote-gw > and (udp port 500 or udp port 4500)

So:

B is correct because with NAT Traversal enabled , the tunnel may no longer be using only UDP 500 . It can move to UDP 4500 , so the current filter may miss the traffic.

A is correct because the filter may need to be expanded to include UDP 4500 for NAT-T, or TCP 443 when IKE over TCP is used.

Why the other options are wrong:

C is wrong because restricting the filter to the remote peer IP can make the capture more precise, but it is not required for the sniffer to display output. The problem here is the port/protocol choice , not the lack of a host filter. The study guide examples use host filtering as an aid, not as a requirement.

D is wrong because diagnose debug enable is used to enable real-time debug output for applications, but it does not suppress or invalidate sniffer output . Sniffer capture is a separate command path. Fortinet documentation separately documents diagnose sniffer packet ... for packet capture and diagnose debug enable for debug features.

So the verified answers are: A, B .

To understand why Type 5 LSAs (AS External LSAs) are missing from the Link-State Database (LSDB), we must look at how OSPF generates and propagates them:

A. There is no autonomous system border router (ASBR) in the network:

Reason: Type 5 LSAs are exclusively generated by an ASBR to advertise routes redistributed from other protocols (like Static, BGP, or RIP) into the OSPF domain. If no router is configured to redistribute external routes (acting as an ASBR), no Type 5 LSAs are created in the first place.

C. The local router is located in a stub area:

Reason: By definition, a Stub Area (and a Totally Stubby Area) prevents Type 5 LSAs from entering. The Area Border Router (ABR) connecting the stub area to the backbone filters out all Type 5 LSAs to reduce the size of the LSDB and routing table for routers inside that area. Instead, a default route is usually injected.

Why other options are incorrect:

B: While database filtering exists, standard prefix-list filtering typically affects the routing table (RIB) generation, not the underlying LSDB propagation of Type 5 LSAs, or it is less common than the architectural reasons (Stub/No ASBR).

D: IP Protocol 89 is the transport for OSPF itself. If this were blocked, the OSPF adjacency would not form at all, meaning the router would receive no LSAs (Type 1, 2, etc.), not specifically just Type 5.

From the exhibit, you can observe that the debug output captures an IKEv1 negotiation in aggressive mode. Let ' s break down the supporting details in line with official Fortinet IPsec VPN troubleshooting resources and debug guides:

For Option B:

The very first line of the debug output shows:

comes 10.0.0.2:500- > 10.0.0.1:500, ifindex=7.

This indicates the traffic direction—from the remote IP (10.0.0.2) with port 500 to the local IP (10.0.0.1) with port 500. According to Fortinet ' s documentation, the right side of the arrow always represents the local FortiGate gateway. Thus, 10.0.0.1 is the local gateway IP address.

For Option D:

You see the statement:

negotiation result " remote "

and

received peer identifier FQDNCE88525E7DE7F00D6C2D3C00000000

Official debug documentation describes that the " peer identifier " or peer ID sent by the initiator is displayed here. In the context of IKE/IPsec negotiation, this value is used as the IPsec peer ID for authentication and identification purposes. The initiator is providing " remote " as the peer ID for its connection.

Why Not A or C:

Perfect Forward Secrecy (PFS): The debug does not show any DH group negotiation in phase 2 (no reference to group2, group5, etc., for phase 2), so you cannot deduce the presence of PFS solely from this output.

Phase 2 negotiation: The log focuses on IKE (phase 1) negotiation and establishment; there’s no reference to ESP protocol, Quick Mode, or other identifiers that would show phase 2 SA negotiation and establishment.

This interpretation aligns with the explanation in the FortiOS 7.6.4 Administration Guide ' s VPN section and the official debug command output samples published in Fortinet’s documentation. It demonstrates how to distinguish between local and remote addresses and how to identify the use of peer IDs.

The correct answers are B and C .

The study guide has a section titled “Not Verified Status on the Collector Agent” and states:

“The collector agent cannot verify if the user is still logged in” and lists these common causes :

“A firewall is blocking traffic to port 139 and 445”

“The workstation remote registry service is not running”

The guide also explains the verification method:

“For WMI polling mode, the collector agent checks the WMI service. For all the other modes, the collector agent checks the HKEY_USERS hive through remote registry services.” If the workstation does not respond to these checks, the status can become not verified

An additional requirements slide in the same study guide confirms:

“TCP ports 139 and 445 must be open between the collector agent and all workstations”

“Remote registry service must be up and running on each workstation”

Why the other options are wrong:

A is wrong because the study guide mentions a workstation coming out of hibernate mode under a different problem: “No Internet After IP Address Change” , not as a common cause of Not Verified status

D is wrong because DNS resolution issues are also discussed under the IP address change scenario, where the collector agent uses DNS to resolve the workstation name after an IP change. That is separate from the Not Verified causes listed for this log message

So the verified answers are: B, C .

The 8.8.8.8/32 route is visible in the OSPF database on FGT-B but not installed into the routing table—the most likely explanation is that FGT-B is filtering it from being installed.

The correct answer is A .

The debug output is for an HTTPS request and shows a hostname value. The study guide explains that with SSL certificate inspection, FortiGate extracts the FQDN from either:

“TLS extension server name indication (SNI)”

“SSL certificate common name (CN)”

So the hostname shown in the real-time web-filter debug can be derived from the SNI in the client request or, if needed, from the CN in the server certificate. That makes A correct.

Why the other options are wrong:

B is wrong because the study-guide example for web-filter real-time debug explicitly says: “This slide shows an example of real-time debug output when the URL to categorize isn ' t in the FortiGuard cache.” In these debugs, cat=255 appears before the final lookup result, so this does not indicate a local-cache hit.

C is wrong because ftgd-allow is the action , not the profile name. The debug line shows the action as action=9 (ftgd-allow) while the profile shown is profile= ' default ' . FortiOS web-filter logs also use the profile field separately from the action field

D is wrong because the final category shown is url_cat=52 , not 255. The study guide’s example shows the same pattern: an initial cat=255 in the request line, followed by the resolved result cat=52 url_cat=52

So the verified answer is: A .

The exhibit displays the output from the diagnose debug rating command on a FortiGate device. This command is used to display information about FortiGuard Web Filtering or other security-related queries performed by FortiGate to FortiGuard servers. Official Fortinet documentation outlines the meaning of each field in the server list. The FortiGate maintains a list of available FortiGuard servers, selecting the optimal server based on factors such as weight, round-trip time (RTT), and regional settings.

The very first entry in the server list after " Server List " is the server FortiGate initially uses, prioritized by factors such as proximity and RTT. Here, 64.26.151.37 is listed first, and the FortiGuard-requests value confirms that this server handled the highest number of requests.

The IPs, weights, and lost/failed counters are monitored for server performance and selection over time. FortiGate ' s default operational logic is to try the first entry for contract validation and use the next in the list if the first is unavailable or has high latency or packet loss.

There is no direct correlation between the Weight and the number of FortiGuard-requests. The servers with higher or lower weights may still handle different request volumes based on availability and performance.

The TZ (time zone) value ' s sign (positive or negative) does not affect server preference; it is informational, showing the server ' s location relative to UTC, not a rating metric.

DNS query results for FortiGuard servers are not shown here, and the provided servers are not returned in DNS query order.

This command and interpretation are detailed in the FortiOS Administration Guide’s section describing FortiGuard server selection and contract validation processes.

The correct answers are C, D, and E .

The study guide lists the exact OSPF adjacency requirements :

“Interfaces of peers are the same type and in the same OSPF area”

“Each peer has a unique router ID”

“OSPF authentication, if enabled, is successful”

These map directly to:

C. OSPF interface network types match

D. Authentication settings match

E. OSPF router IDs are unique

The same study-guide slide also states other requirements such as:

peers’ primary IPs must be in the same subnet with the same mask

hello and dead intervals must match

OSPF MTUs must match

Why the other options are wrong:

A is wrong because link cost matching is not listed as an adjacency requirement . OSPF cost affects path selection, not whether adjacency can form.

B is wrong because interface priority does not need to be unique . Priority is used for DR/BDR election, where the highest priority wins, and ties are broken by router ID.

So the verified answers are: C, D, E .

FortiOS Admin Guide: Static Routing, SNAT Route Change Feature

The correct answer is C .

The exhibit shows the neighbor state as Connect in the State/PfxRcd column. The study guide explains the BGP states exactly as follows:

“Connect: Waiting for a successful three-way TCP connection”

“OpenSent: Waiting for an OPEN message from the peer”

“Established: Peers have successfully exchanged OPEN and keepalive messages”

Because the router is still in Connect state, the TCP three-way handshake has not completed yet . In practical terms, the local router has sent the TCP SYN but has not successfully received the SYN/ACK needed to complete the handshake . That is why C is correct.

Why the other options are wrong:

A is wrong because the message counters alone do not prove that the neighbor is unreachable. The study guide says the State/PfxRcd field shows the BGP state when the session is not established, and here that state is specifically Connect

B is wrong because waiting for an OPEN message happens in OpenSent , not Connect

D is not the best answer for this output. The study guide ties the displayed state directly to the protocol phase: Connect means the device is still waiting for a successful TCP handshake

So the verified answer is: C .

The best verified answer is C .

The study guide says that when FortiGate is in conserve mode, it activates protection measures to recover memory space:

“System configuration cannot be changed”

“FortiGate skips quarantine actions (including FortiSandbox analysis)”

It also explains that inspection behavior can be reduced while in conserve mode:

“pass (default): All new sessions pass without inspection until FortiGate switches back to non-conserve mode.”

“The av-failopen setting also applies to flow-based antivirus inspection.”

The FortiOS administration guide summarizes this behavior as:

“This causes functions such as antivirus scanning to change how they operate to reduce the functionality and conserve memory without compromising security.”

That is why C is the closest correct choice: FortiGate can reduce functionality of some processes, especially antivirus-related inspection, to preserve memory.

Why the other options are wrong:

A is wrong because FortiGate does not automatically reboot as a default conserve-mode action. A reboot can be configured through an automation stitch , but that is an optional administrator-defined response, not the built-in conserve-mode behavior

B is wrong because the documentation does not say FortiGate switches from proxy-based inspection to flow-based inspection. Instead, it may pass traffic without inspection depending on av-failopen settings

D is not generally correct for conserve mode . The study guide says FortiGate starts dropping new sessions only when memory usage exceeds the extreme threshold : “If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

So the verified answer is: C .