Fortinet FCSS_LED_AR-7.6 Exam Questions Instant Access

Question 1

Refer to the exhibit.

On FortiGate, a RADIUS server is configured to forward authentication requests to FortiAuthenticator, which acts as a RADIUS proxy. FortiAuthenticator then relays these authentication requests to a remote Windows AD server using LDAP.

While testing authentication using the CLI command diagnose test authserver. the administrator observed that authentication succeeded with PAP but failed when using MS-CHAFV2.

Which two solutions can the administrator implement to enable MS-CHAPv2 authentication? (Choose two.)

AChange the FortiGate authentication method to CHAP instead of MS-CHAPv2.

BEnable Windows Active Directory domain authentication on FortiAuthenticator.

CEnable RADIUS attribute filtering on FortiAuthenticator.

DConfigure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server

Answer : A, D

Question 2

Refer to the exhibits.

Examine the FortiGate configuration, FortiAnalyzer logs, and FortiGate widget shown in the exhibits.

Security Fabhc quarantine automation has been configured to isolate compromised devices automatically. FortiAnalyzer has been added to the Security Fabric, and an automation stitch has been configured to quarantine compromised devices.

To test the setup, a device with the IP address 10.0.2.1 that is connected through a managed FortiSwitch attempts to access a malicious website. The logs on FortiAnalyzer confirm that the event was recorded, but the device does not appear in the FortiGate quarantine widget.

Which two reasons could explain why FortiGate is not quarantining the device? (Choose two.)

AThe IOC action should include only the FortiSwitch in the quarantine.

BThe SSL inspection should be set to deep-Inspection

CThe malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.

DThe threat detection services license is missing or invalid under FortiAnalyzer.

Answer : C, D

In this scenario:

FortiGate + FortiAnalyzer are part of theSecurity Fabric

AnAutomation Stitchis configured:

Trigger:Compromised Host -- High(IOC from FortiAnalyzer)

Action:Quarantine on FortiSwitch + FortiAP

A test device10.0.2.1visits a malicious website.

FortiAnalyzer logs show the event, butFortiGate does NOT quarantine the device.

This means theautomation did not receive an IOC trigger, OR theFabric did not classify it as a compromise.

Let's evaluate each answer option.

C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.

Correct.

For FortiGate to quarantine a device:

FortiAnalyzer must classify the event as aCompromised Host High / Medium / Critical

FortiAnalyzer must generate anIOC event

FortiGate must receive that IOC through the Fabric

Even though the FAZ log shows:

Action = blocked

Category = Malicious Websites

That doesNOTautomatically mean an IOC was generated.

A blocked website event isnot always an IOCunless:

It is included in theIOC database

FAZ'sAnalytics / UTM / IOCengine marks it as a compromise

Thus, if FAZ only logs a ''Malicious Website'' event butdoes not classify it as an IOC,

Question 3

Refer to the exhibit.

Which shows the WTP profile configuration.

The AP profile is assigned to two FAP-231F APs that are installed in an open plan area.

The first AP has 32 clients associated with the 5 GHz radios and 22 clients associated with the 2.4 GHz radio. The second AP has 12 clients associated with the 5 GHz radios and 20 clients associated with the 2.4 GHz radio.

A dual-band-capable client enters the area near the first AP and the first AP measures the new client at - 3 3 dBm signal strength. The second AP measures the new client at -43 dBm signal strength.

If the new client attempts to conned to the student 01 wireless network, which AP radio will the client be associated with?

AThe first AP 2.4 GHz interface provides a stronger signal, which clients often prioritize.

BThe first AP 5 GHz interface because it has a stronger signal.

CThe second AP 5 GHz interface has fewer clients, which ensures better performance despite the weaker signal.

DThe second AP 2.4 GHz interface is preferred over 5 GHz for better speed and lower interference.

Answer : C

From theWTP profile:

set handoff-rssi 30

set handoff-sta-thresh 30

config radio-1

set band 802.11n-2G

set vaps 'Student01'

config radio-2

set band 802.11ac-5G

set darrp enable

set arrp-profile 'arrp-default'

set vaps 'Student01'

Key points:

Same SSID (Student01)is broadcast onboth APsand onboth bands(2.4 and 5 GHz).

handoff-sta-thresh 30 enablesclient load-balancingbetween APs:

When an AP radio hasmore than 30 associated clients, it starts rejecting new associations so that clients connect to a neighboring AP instead (as long as RSSI is still acceptable).

Current client counts:

AP1:32 clients on 5 GHz, 22 on 2.4 GHz

AP2:12 clients on 5 GHz, 20 on 2.4 GHz

So on 5 GHz:

AP1's 5-GHz radioexceedsthe 30-client threshold (32 > 30) it will try topush new clients away.

AP2's 5-GHz radio iswell belowthe threshold (12 clients) and will happily accept new clients.

The new dual-band client is seen at:

--33 dBmby AP1

--43 dBmby AP2

Even though AP1 has the stronger signal, its 5-GHz radio is already overloaded according to the configured threshold, so AP1 will refuse association attempts from that client. The client will then associate toAP2's 5-GHz radio, which:

Hasfewer clients(better airtime per device), and

Still has an acceptable signal (--43 dBm is easily usable on 5 GHz).

That matches optionCexactly.

Other options are incorrect because they ignore the configuredclient-load-balancing thresholdsand assume association based purely on RSSI or prefer 2.4 GHz, which is not what this profile is tuned to do.

Question 4

A network administrator connects a new FortiGate to the network, allowing it to automatically discover andI register with FortiManager.

What occurs after FortiGate retrieves the FortiManager address?

AFortiGate establishes a secure tunnel to FortiManager over TCP port 541.

BThe device needs to be manually authorized on FortiManager.

CFortiGate configures its interface settings based on a DHCP response from FortiManager.

DFortiGate sends a discovery request to all devices on the local network using UDP port 1068.

Answer : A

When a FortiGate is deployed usingZero Touch Provisioning (ZTP)or auto-discovery:

FortiGate retrieves theFortiManager IP address(from DHCP Option 240, FortiCloud/ZTNA provisioning, or manual set).

The next step isnot UI authorizationor DHCP changes---it immediately attempts to form aFGFM (FortiGate--FortiManager) tunnel.

The FGFM protocol usesTCP port 541to establish a secure management channel.

FortiManager will still require manual authorization of the deviceinside FortiManager, but this occursafterthe tunnel is established.

Therefore, the first automatic action after retrieving the FMG address iscreating the secure FGFM tunnel on TCP/541.

Question 5

A FortiSwitch is not appearing in the FortiGate management interface after being connected via FortiLink. What could be a first troubleshooting step?

AEnsure that the FortiGate security policies allow traffic from the FortiSwitch.

BManually assign a static IP to the FortiSwitch.

CVerify that FortiGate device DHCP server is assigning an IP to the FortiSwitch.

DEnsure the FortiSwitch has internet access.

Answer : C

In FortiLink topologies, a managed FortiSwitch normally gets itsmanagement IP automaticallyfrom theDHCP server on the FortiLink interface. If the switch does not receive an IP:

It cannot form the FortiLink CAPWAP/DTLS control channel.

Therefore it doesnot appearunderWiFi & Switch Controller > FortiSwitch.

FortiOS documentation states that FortiLink uses abuilt-in DHCP serveron the FortiLink interface for onboarding switches.

So thefirst troubleshooting stepis to confirm:

The FortiLink DHCP server is enabled.

Leases are being handed out to the FortiSwitch MAC.

Other options:

A: Security policies do not affect the L2 FortiLink control channel.

B: Static IP may be used but is not the normal first step.

D: Internet access is not required for FortiGate to see the switch.

Question 6

Which VLAN is used by FortiGate to place devices that fail to match any configured NAC policies? CRSPAN

ANAC

Bsegment

CQuarantine

DOnboarding

Answer : D

In FortiLink NAC for LAN Edge:

When a device first connects, it is placed into theonboarding VLAN.

NAC policies then classify the device (by MAC, OS, user, EMS tag, etc.).

If a NAC policy matches, the device may be moved to anaccess VLANorquarantine VLAN.

Ifno NAC policy matches, the device simplystays in the onboarding VLAN.

FortiOS / LAN Edge documentation describes the onboarding VLAN as thedefault VLAN for unknown or unclassified devices, until NAC policy evaluation moves them elsewhere.

Question 7

A network engineer is deploying FortiGate devices using zero-touch provisioning (ZTP). The devices must automatically connect to FortiManager and receive their configurations upon first boot. However, after powering on the devices, they fail to register with FortiManager.

What could be a possible cause of this issue?

AThe FortiGate device requires manual intervention to accept the FortiManager connection.

BIn this scenario, the ZTP process works only when devices are connected using a console cable.

CThe FortiGate device must be preloaded with a configuration file before ZTP can function.

DThe FortiManager IP address is not reachable over TCP port 541.

Answer : D

Zero-Touch Provisioning (ZTP) for FortiGate devices is handled throughFortiDeploy, which automatically connects a FortiGate toFortiManagerso the device can download configuration templates and be centrally managed.

For ZTP to work, the newly booted FortiGate must successfully reach FortiManager. One of thecritical requirementsis connectivity over theFGFM (FortiGate--FortiManager) management protocol, which uses:

TCP Port 541

This is clearly stated in multiple Fortinet documents:

FortiGate Cloud Admin Guidelists port541as the management channel used for FortiGate FortiManager / FortiGate Cloud communications:''Management... Protocol: TCP, Port:541''

FortiOS Administration Guidealso confirms this:''FortiManager provides remote management of FortiGate devices overTCP port 541.''

Since ZTP uses FortiDeploy to push the FortiManager IP to the device and relies on FGFM (port 541) for registration and configuration delivery,any failure on this port breaks the entire ZTP workflow.

Why option D is correct

If the FortiGate cannot reach FortiManager onTCP/541, itcannot register, cannot be authorized, and cannot receive its configuration --- leading to a ZTP failure.

This is themost common causein real deployments:

Firewall blocking TCP/541

Upstream NAT device not forwarding 541

ISP restrictions

Incorrect FortiManager IP or routing issue

ZTP device behind a network that does not allow outbound 541

Why the other options are incorrect

A . The FortiGate device requires manual intervention to accept the FortiManager connection.

Incorrect.

ZTP is built specifically to avoid manual intervention. Once the FortiDeploy key is used, the device auto-connects to FortiManager without needing local acceptance.

B . ZTP works only when devices are connected using a console cable.

Incorrect.

ZTP requiresno console cable--- that's the whole point. It relies on DHCP, WAN connectivity, and FortiDeploy auto-join.

C . The FortiGate device must be preloaded with a configuration file before ZTP can function.

Incorrect.

Preloading configuration defeats the purpose of ZTP.

ZTP delivers the initial configuration automatically from FortiManager using FortiDeploy.

LAN Edge 7.6 Architect Context

LAN Edge deployments often use FortiManager as the central orchestrator for:

FortiSwitch management via FortiLink

FortiAP wireless provisioning

SD-Branch configuration templates

Security Fabric automation

For all of this, ZTP enables remote sites to deploy FortiGate, FortiSwitch, and FortiAP withno on-site expertise.

If TCP/541 to FortiManager is blocked, the entire LAN Edge deployment pipeline fails, making optionDthe only valid and document-supported answer.

Fortinet NSE 6 - LAN Edge 7.6 Architect FCSS_LED_AR-7.6 Exam Questions