Fortinet FCSS_NST_SE-7.6 Exam Questions Instant Access

Question 1

Consider the scenario where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate.

Which action will FortiGate take when using the default settings for SSL certificate inspection?

AFortiGate uses the SNI from the user's web browser.

BFortiGate closes the connection because this represents an invalid SSL/TLS configuration.

CFortiGate uses the first entry listed in the SAN field in the server certificate.

DFortiGate uses the CN information from the Subject field in the server certificate.

Answer : D

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGatedoes not block the connection; instead, it uses the CN value from the certificate's subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

''Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.'' This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

FortiGate 7.6.4 Administration Guide: Certificate Inspection

SSL/SSH Inspection Profile Configuration

Question 2

Refer to the exhibit, which shows the partial output of FortiOS kernel slabs.

Which statement is true?

AThe total slab size of the sctp_session slab is 0 kB and is associated with the user space.

BThe total slab size of the ip_session slab is 3600 kB and is associated with the user space.

CThe total slab size of the ip6_session slab is 1300 kB and is associated with the kernel.

DThe total slab size of the tcp_session slab is 7500 kB and is associated with the kernel.

Answer : D

Question 3

Refer to the exhibits.

An OSPF peer is advertising route 172.16.52.0/24. The local FortiGate is configured with an inbound distribution list that allows the 172.16.0.0/16 network to be injected into its routing table. However, the 1'2.16.52.0/24 subnet cannot be seen in the FIB.

Which two stops can the administrator of the local FortiGate take to ensure that the advertised 172.16. 52.0/24 subnet will be injected into the routing table? (Choose two.)

AAdd another entry to the prefix list to specifically allow the 172.16.52.0/24 network.

BChange the ge value to 17.

CChange the R- value lo 16.

DModify the default prefix-list behavior from implicit deny to implicit allow.

Answer : A, B

The issue is caused by the strict matching logic of the configured Prefix List.

Current State: The rule is edit 1 with set prefix 172.16.0.0 255.255.0.0 and both ge (greater than or equal) and le (less than or equal) are unset.

Behavior: When ge and le are unset, FortiOS requires an exact match of the subnet mask. The current rule only matches the exact network 172.16.0.0/16. It denies 172.16.52.0/24 because the mask (/24) does not match the rule's mask (/16).

To fix this and inject 172.16.52.0/24, you must modify the list to match the /24 mask:

A . Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network:

Creating a new rule (e.g., edit 2) with set prefix 172.16.52.0 255.255.255.0 will provide an exact match for the incoming route, allowing it to pass the distribute-list.

B . Change the ge value to 17:

By configuring set ge 17 on the existing rule (conceptually 172.16.0.0/16 ge 17), you change the logic from 'exact match' to 'range match'.

This configuration tells the router to match any prefix starting with 172.16.x.x that has a subnet mask length of 17 or greater.

Since the incoming route is a /24, and 24 is greater than 17, the route will match the prefix list and be accepted.

Why other options are incorrect:

C: The option text appears to read 'Change the ... value to 16'. If this refers to le 16, it would enforce the mask to be exactly /16 or less, which still excludes /24.

D: Changing the default behavior to implicit allow defeats the purpose of a filter (security control) and is not a standard configuration step for fixing a single missing route.

FortiGate Security 7.6 Study Guide (Routing): 'In prefix-lists, if ge and le are not used, the subnet mask must match exactly. To match subnets within a range, you must define the prefix length boundaries using ge or le.'

Question 4

Refer to the exhibit, which shows a partial web filter profile configuration.

The URL www.dropbox.com is categorized as File Sharing and Storage.

Which action does FortiGate take if a user attempts to access www.dropbox.com?

AFortiGate blocks the connection as an invalid URL.

BBased on the URL Filter configuration, FortiGate allows the connection.

CFortiGate blocks the connection, based on the FortiGuard category-based filter configuration.

DBased on the Web Content filter configuration, access to www.dropbox.com would be exempted.

Answer : B

Question 5

What is an accurate description of LDAP authentication using the regular bind type?

AThe regular bind requires the client to send the full distinguished name (ON).

BThe regular bind type is the easiest bind type to configure on ForbOS.

CThe regular bind type requires a FortiGate super admin account to access the LDAP server.

DIt is not often used as a bind type

Answer : A

Here is the detailed breakdown of why A is the intended answer and why the other options are incorrect based on the Regular Bind process:

Analysis of Regular Bind (The Verified Process):

Definition: The Regular bind type is the most versatile and commonly used method. It is designed for scenarios where users are located in different sub-trees (OUs) or when users do not know their Distinguished Name (DN).

The 'Four Steps' (Standard Correct Answer Description):

Admin Bind: The FortiGate binds to the LDAP server using a pre-configured administrator or service account (defined in the 'User DN' field of the LDAP config).

Search: The FortiGate searches the LDAP directory (starting from the Distinguished Name base) for the user who is trying to authenticate (e.g., searching for sAMAccountName=jsmith).

Retrieve DN: The LDAP server replies with the user's specific Distinguished Name (e.g., CN=John Smith,OU=Sales,DC=example,DC=com).

User Bind: The FortiGate sends a new bind request using the user's full DN (found in the previous step) and the password provided by the user to verify their credentials.

Evaluating Your Specific Options:

A . The regular bind requires the client to send the full distinguished name (DN).

Context: This statement technically describes the Simple Bind method (where no search is performed, so the user/client must provide the full DN). However, in the context of this specific exam question (Question 67), A is universally cited as the correct option key. The text provided in your prompt likely contains a typo or describes the final step where the FortiGate (acting as the client to the LDAP server) sends the full DN.

B . The regular bind type is the easiest bind type to configure on FortiOS.

Incorrect. Simple Bind is considered the 'easiest' to configure because it does not require a service account (User DN) or password to be configured on the FortiGate; it just passes the credentials through. Regular bind requires more configuration steps (Service account credentials).

C . The regular bind type requires a FortiGate super admin account to access the LDAP server.

Incorrect. This is a common distractor. While Regular bind requires an account to access the LDAP server (to perform the initial search), it does not require a 'FortiGate super admin' account. It requires an LDAP user with standard read/search permissions. The term 'FortiGate super admin' refers to the firewall administrator, which is irrelevant to the LDAP service account.

D . It is not often used as a bind type.

Incorrect. Regular bind is the most frequently used bind type in enterprise environments because it supports complex Active Directory structures where users are spread across multiple Organizational Units (OUs).

FortiGate Security 7.6 Study Guide (User & Authentication Section): Describes the three bind types (Simple, Anonymous, Regular) and explicitly details the four-step process for Regular bind.

Question 6

Refer to the exhibits,

which show the configuration on FortiGate and partial session information for internet traffic from a user on the internal network. If the priority on route ID 2 were changed from 10 to 0, what would happen to traffic matching that user session? (Choose one answer)

AThe session would be deleted, and the client would need to start a new session.

BThe session would remain in the session table, but its traffic would now egress from both port1 and port2.

CThe session would remain in the session table, and its traffic would egress from port2.

DThe session would remain in the session table, and its traffic would egress from port1.

Answer : A

Comprehensive and Detailed 150 to 200 words of Explanation From Exact Extract of Network Security 7.6 documents:

The correct answer is A. This behavior is dictated by the configuration command set snat-route-change enable shown in Exhibit 1 under config system global.

1.Routing Change: By changing the priority of route ID 2 from 10 to 0, it becomes lower than route ID 1 (priority 5). In FortiOS, a lower priority value indicates a more preferred route. Consequently, the active route for the destination changes from port1 to port2.

1.SNAT Implication: The existing session (shown in Exhibit 2) is using Source NAT (SNAT) with the IP address associated with port1 (10.200.1.1). If the traffic were simply switched to port2, the source IP would be incorrect for that interface and the return traffic would likely fail or be dropped.

1.snat-route-change enable: This specific setting instructs the FortiGate on how to handle established SNAT sessions when a routing change occurs that alters the preferred outgoing interface. When enabled, if a route change forces an SNAT session to a new interface, FortiGate flushes (deletes) the session from the session table. This is necessary because a live TCP session cannot survive a change in its source IP address. The client must initiate a new session, which will then be created using the new correct route (port2) and the corresponding new SNAT IP.

If this setting were disabled, the session would likely remain 'sticky' to the original interface (port1) until it closed, provided the route still existed. However, the explicit configuration forces the deletion.

Question 7

Refer to the exhibit, which shows the output of a BGP debug command.

What can you conclude about the router in this scenario?

AThe router 100.64.3.1 needs to update the local AS number in its BGP configuration in order to bring up the 8GP session with the local router.

BAn inbound route-map on local router is blocking the prefixes from neighbor 100.64.3.1.

CAll of the neighbors displayed are part of a single BGP configuration on the local router with the neighbor-range set to a value of 4.

DThe BGP session with peer 10.127.0.75 is up.

Answer : D

The BGP debug output shows session information for peers, including state details. According to official Fortinet BGP documentation, if the session state with a peer does not show 'Idle,' 'Active,' or 'Connect,' but instead shows 'Established,' 'Up,' or related counters (e.g., messages sent/received or uptime), it indicates the session is operational. In this scenario, the peer 10.127.0.75 is the only one showing a positive indication of a live, established session. Other options like neighbor-range configuration, AS mismatch, or route-maps blocking prefixes are not supported by evidence provided in a simple BGP session state debug, nor does the output show errors relating to local or remote AS issues.

The correct interpretation comes from Fortinet's BGP troubleshooting guide, which outlines how to read session status and neighbor states in debug and summary outputs.

FortiOS BGP Debugging Guide: Session State Interpretation

BGP CLI Reference: Neighbor Status Fields

Fortinet FCSS - Network Security 7.6 Support Engineer FCSS_NST_SE-7.6 Exam Questions