FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Questions and Answers

The exhibit shows a FortiGate configuration under config system fortiguard related to web filtering and FortiGuard options. There is a line:

set webfilter-force-off enable

According to official Fortinet documentation, the "webfilter-force-off" option, when enabled, causes the FortiGate to bypass web filtering for all traffic—even if a web filter profile is applied to a policy. This override is typically used for troubleshooting or performance reasons and is documented as an explicit bypass feature.

If an administrator wants to enforce web filtering inspection, this setting must be disabled. The correct way to restore web filtering functionality is to run:

set webfilter-force-off disable

Once done, traffic passing through policies with web filter profiles will be inspected and filtered as per configuration. Other settings such as timeout or cache TTL do not bypass web filtering; they only affect operational nuances.

To determine the type of policy route, we must interpret the specific flags and fields visible in the diagnose firewall proute list (or similar kernel table) output provided in the exhibit

Identify Key Indicators:

The most critical field in the output is vwl_service=1(test123).

It also lists vwl_mbr_seq=1 5.

Decode the Terminology:

vwl: This stands for Virtual WAN Link. In FortiOS, "Virtual WAN Link" is the legacy internal name for the SD-WAN feature. Even in newer firmware versions (7.x), the kernel and CLI debugs often still refer to SD-WAN objects as vwl.

vwl_service: This specifically refers to an SD-WAN Rule (also known as an SD-WAN Service). The name (test123) is the name given to that specific SD-WAN rule by the administrator.

Evaluate the Options:

A & D (Regular Policy Route): Standard policy routes (configured under config router policy) do not carry the vwl_service tag. They are typically identified by simple gateway or interface instructions without the SD-WAN service abstraction.

B (ISDB Route): While SD-WAN rules can use the Internet Service Database (ISDB) as a destination, the structure of the route entry shown here—specifically defined by a vwl_service ID—classifies it fundamentally as an SD-WAN rule, regardless of the destination object.

C (An SD-WAN rule): The presence of vwl_service and vwl_mbr_seq (SD-WAN member sequence) definitively identifies this entry as a rule generated by the SD-WAN subsystem.

Conclusion: The output shows a route controlled by the SD-WAN engine (vwl), confirming it is an SD-WAN rule.

FortiGate HA Troubleshooting and Synchronization Guides

Fortinet Admin Guide: HA Primary Role Retention, Cluster Break-up Due to Out-of-Sync Status

Based on the Fortinet FCSS - Network Security 7.6 documents and the analysis of the VPN tunnel exhibit, here is the verified answer.

Questions no: 91

Verified Answer: A, C

Comprehensive and Detailed Explanation with all FCSS - Network Security 7.6 documents:

To determine the status of the VPN tunnel, we must examine the specific counters and fields in the diagnose vpn tunnel list output provided in the exhibit.

Analyze Phase 2 Status (Option A):

The output displays child_num=0.

In IKEv2 (and IKEv1 implementations in FortiOS), "Child SAs" refer to the Phase 2 (IPsec) Security Associations that carry the actual data traffic.

A value of 0 indicates that no Phase 2 tunnels are established. If Phase 2 were up, child_num would be at least 1.

Additionally, under the proxyid section, the field sa=0 confirms there is no active Security Association for that traffic selector.

Analyze Traffic Status (Option C):

The stat line shows: rxp=0 txp=0 rxb=0 txb=0.

rxp (Received Packets) and txp (Transmitted Packets) are both zero. This definitively confirms that no traffic is traversing the tunnel currently. This is expected since Phase 2 is down.

Analyze Phase 1 Status (Why B is incorrect):

The tunnel entry exists in the list with a valid tun_id, and NAT-Traversal is active (natt: mode=keepalive).

The presence of the tunnel in this command output, along with active Keepalive mechanisms, typically indicates that Phase 1 (IKE SA) is established and the peers are communicating on port 4500 (NAT-T), even though the data tunnels (Phase 2) failed to negotiate. If Phase 1 were down, the tunnel would often not appear in this "list" view or would show different status flags indicating a complete connection failure.

Conclusion: The exhibit shows a scenario where the Phase 1 control channel is likely up (evidenced by the entry existence and NATT keepalives), but the Phase 2 data channel is down (child_num=0), resulting in zero traffic flow (rxp=0/txp=0).

Analyze the "Send to Application Layer" Message:

The most critical line in the debug output is: id=65308 ... func=av_receive ... msg="send to application layer"

Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.

Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a "send to application layer" message for standard web filtering.

Evaluate Option B (Firewall Policy Mode):

Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path. Thus, Option B is correct.

Evaluate Option C (Web Filter Profile Mode):

In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.

Why Option A is Incorrect (NPU Offload):

The output shows npu_state=0x100. In the context of a flow trace where traffic is being "sent to application layer," this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.

Why Option D is Incorrect (Port Mapping):

While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct "observations" derived from the log data.

IKEv1 (Internet Key Exchange version 1) and IKEv2 are protocols used for establishing IPsec VPN tunnels, and both protocols share the conceptual division into two phases, as clearly described in Fortinet VPN documentation:

Phase 1 handles negotiation and establishment of a secure IKE Security Association (SA) between peers.

Phase 2 negotiates parameters for the IPsec Security Association, which secures actual data traffic between peers.

While IKEv2 streamlines and improves upon IKEv1 by merging some message exchanges and simplifying configuration, it maintains the same core two-phase concept: Phase 1 (IKE SA) and Phase 2 (IPsec SA). This is a foundational VPN concept referenced widely in both IKEv1 and IKEv2 literature.

Other statements are incorrect:

Asymmetric authentication is possible, but not mandatory for both.

Both protocols commonly use UDP port 500, sometimes 4500 for NAT traversal, but they are not designed to run on TCP.

The protocol feature compatibility over TCP/UDP is not correctly described in the other options.

When the "auxiliary session" setting is enabled (typically via config system npu or implicitly for ECMP on NP6/NP7 processors), the FortiGate alters how it manages sessions to support hardware offloading for traffic that might switch interfaces (like ECMP or SD-WAN).

B. FortiGate accelerates all ECMP traffic to the NP6 processor:

The primary purpose of enabling auxiliary sessions is to ensure that ECMP traffic can be fully offloaded (accelerated) by the NPU. Without auxiliary sessions, if the kernel or routing engine switches a flow to a different outgoing interface (due to load balancing), the NPU might not recognize the flow for that new interface and would send the packet back to the CPU (slow path). Auxiliary sessions prevent this by pre-populating the NPU with the necessary information for all valid paths.

D. FortiGate creates two sessions in case of a routing change:

Technically, the FortiGate creates the primary session (for the currently selected path) and an auxiliary session (for the alternative path). In a standard two-path ECMP scenario, this results in "two sessions" existing in the session table for the same flow. This ensures that if a routing change occurs (e.g., the flow shifts to the second path), the traffic continues to be processed by the NPU without interruption or re-evaluation by the CPU.

In the provided session table output, the following details justify the answers:

Policy ID Match: The line policy_id=1 directly confirms that this session was matched by Firewall Policy ID 1. According to Fortinet’s session table documentation, the policy_id field always references the policy that allowed this session, so this is a clear indicator.

Session Offloading: The presence of the strings npu_state, ips_offload, and notably the NPU info section such as offload=8/8, ips_offload=1/1 shows that this session has been offloaded to the Network Processor Unit (NPU). Fortinet technical documentation states that "offload" values greater than zero in both directions (and an NPU info section) affirm that NPU hardware processing (fast path) is handling this traffic, thus the session is not being handled in software only.

Other options:

VLAN Tagging (vlan=0x0000/0x0000): This means no VLAN tag is assigned to this session.

NP7: The actual NPU model handling the session isn’t exposed in this snippet–the offload parameters shown are generic and not specific to NP7 hardware, so it cannot be concluded from the session data.

The administrator is running a packet sniffer with the filter 'udp port 500 or udp port 4500 or esp'. The result is "no output," even though the VPN is attempting to establish (failing).

A. The VPN is configured to use IKE over TCP:

Standard IPsec IKE negotiation uses UDP port 500 (IKE) and UDP port 4500 (NAT-T).

However, if IKEv2 over TCP (RFC 8229) or Fortinet's proprietary IKE over TCP is configured (often used to bypass firewalls that block UDP), the traffic will use TCP (often port 4500 or 443).

The sniffer filter explicitly looks for udp or esp (IP Protocol 50).

If the traffic is encapsulated in TCP, it matches tcp protocol, not udp or esp (raw ESP). Therefore, the sniffer sees zero packets matching the filter.

Why other options are incorrect:

B: esp is a valid argument for diagnose sniffer packet. It is equivalent to filtering for IP protocol 50.

C: If the ISP were blocking traffic, the sniffer (running on the local FortiGate) would still see the outbound packets generated by the FortiGate trying to initiate the connection. "No output" implies the local device isn't even generating packets matching that filter.

D: Mismatched IKE versions would still generate IKE negotiation packets (proposals/errors) that would be captured by the sniffer.

To identify the reason for the lack of prefixes, we must interpret the State/PfxRcd and Up/Down columns in the get router info bgp summary exhibit.

Analyze Neighbor Status:

Neighbor 10.125.0.60: State is OpenSent. This session is not established. It is stuck in the negotiation phase.

Neighbor 100.64.3.1: State is Active. This session is not established. The router is actively trying to initiate a TCP connection.

Neighbor 10.127.0.75:

Up/Down: 02:45:55. This indicates the BGP session has been Up (Established) for almost 3 hours.

State/PfxRcd: 0. This number represents the count of prefixes received. The session is fully established, but the neighbor has sent zero routes.

Determine the Cause:

Since the session with 10.127.0.75 is established, connectivity and handshakes (Options A, B, C) are not the issue for this neighbor.

The fact that it is Up but sending 0 prefixes strongly implies that the neighbor is configured to filter out its routes before sending them to the local FortiGate.

Option D correctly identifies this as a RIB-OUT (Routing Information Base - Outbound) configuration issue on the neighbor (Router 10.127.0.75), which prevents it from advertising its routes.

The Internet Key Exchange version 2 (IKEv2) protocol simplifies the negotiation process compared to IKEv1. It is defined by a specific sequence of message exchanges to establish a secure IPsec tunnel.

The correct chronological order of the IKEv2 exchanges is:

IKE_SA_INIT (Initial Exchange):

This is the first exchange. It negotiates the security parameters for the IKE Security Association (IKE SA), sends nonces, and performs the Diffie-Hellman key exchange. At the end of this exchange, the communication is encrypted, but the peers are not yet authenticated.

IKE_AUTH (Authentication Exchange):

This is the second exchange. It authenticates the previous messages, exchanges identities and certificates (if used), and establishes the first Child SA (the actual IPsec Security Association used for data traffic).

CREATE_CHILD_SA (Subsequent Exchanges):

This exchange occurs after the IKE SA and the initial Child SA are established. It is used to create additional Child SAs (for different traffic selectors) or to perform re-keying for the IKE SA or existing Child SAs.

Why other options are incorrect:

A & B: Incorrect because CREATE_CHILD_SA cannot happen before the SA is initialized (IKE_SA_INIT) and authenticated (IKE_AUTH).

D: Incorrect because IKE_AUTH cannot occur before IKE_SA_INIT.

Therefore, the protocol flow is IKE_SA_INIT $\rightarrow$ IKE_AUTH $\rightarrow$ CREATE_CHILD_SA.

To determine the cause of the failure, we must analyze the IKEv2 debug output provided in the exhibit (image_ad3dc6.jpg):

Identify the Negotiation Phase:

The debug log shows: responder received CREATE_CHILD exchange.

In IKEv2, the CREATE_CHILD_SA exchange is used to create new Child SAs (Phase 2) or to rekey existing ones.

The fact that the tunnel was previously "brought up successfully" implies the initial IKE SA (Phase 1) is stable, and this error is occurring specifically during a rekey event, which often involves Perfect Forward Secrecy (PFS).

Analyze the Proposals (The Mismatch):

Incoming Proposal (Remote Peer):

The remote peer sends a proposal containing two Diffie-Hellman groups: type=DH_GROUP, val=MODP2048 (Group 14) and type=DH_GROUP, val=MODP1536 (Group 5).

My Proposal (Local FortiGate):

The local FortiGate configuration expects: type=DH_GROUP, val=MODP3072 (Group 15).

Result of the Negotiation:

The debug output concludes with: no proposal chosen and Negotiate SA Error.

This error occurs because the local FortiGate cannot find a common Diffie-Hellman group between what it requires (Group 15) and what the peer is offering (Groups 14 or 5).

While this is technically a mismatch occurring during the Phase 2 (Child SA) creation, "A Diffie-Hellman mismatch" (Option A) is the precise root cause identified in the logs.

Why other options are incorrect:

B: The log shows received create-child request, confirming that UDP traffic is reaching the device and is not blocked.

C: The failure is in the CREATE_CHILD exchange (Phase 2/Rekey), not the IKE_SA_INIT or IKE_AUTH (Phase 1) exchanges.

D: While the mismatch is occurring within the Phase 2 definitions, Option A is the specific technical reason for the no proposal chosen error shown in the DH_GROUP lines.

To determine the correct conclusions, we analyze the specific lines in the IKE real-time debug output provided in the exhibit:

Analysis for Option A (The remote peer is the initiating peer):

Evidence: The very first line of the debug output reads: ike 0:624000:98: responder: main mode get 1st message...

The keyword responder indicates that this local FortiGate is receiving the connection request. Consequently, the remote peer must be the initiator sending the request. The phrase "get 1st message" confirms the local unit is receiving the initial packet of the negotiation sequence.

Conclusion: This statement is True.

Analysis for Option B (This is a phase 1 negotiation):

Evidence: The same line mentions main mode.

In IPsec VPNs, Main Mode and Aggressive Mode are exclusively used for Phase 1 (IKE SA) negotiations. Phase 2 (Child SA) negotiations use Quick Mode. The presence of "main mode" definitively identifies this as a Phase 1 exchange.

Conclusion: This statement is True.

Analysis for Option C (There is a Diffie-Hellman group mismatch):

Evidence:

Incoming proposal (Remote): Lists type=OAKLEY_GROUP, val=MODP2048 (Group 14) in the first proposal proposal.

My proposal (Local): Lists type=OAKLEY_GROUP, val=MODP2048 (Group 14).

Since both the remote peer and the local gateway support and are proposing MODP2048 (Group 14), there is no Diffie-Hellman group mismatch. The actual mismatch visible in the logs is between the Encryption/Hash algorithms (Remote proposes AES-256/SHA2-256, while Local proposes AES-128/SHA), but the DH groups match.

Conclusion: This statement is False.

Analysis for Option D (This is a phase 2 negotiation):

As established in the analysis for Option B, "Main Mode" is a Phase 1 protocol. If this were Phase 2, the debug would show "Quick Mode".

Conclusion: This statement is False.

According to Fortinet’s LDAP authentication workflow as described in the FortiOS Administration Guide and the official LDAP debug log interpretation, each authentication attempt is split into several key steps: Bind Request, Search Request, and then, if successful, a Bind as the found user DN. In the provided debug output, we see "start search_dn-base" with a filter "sAMAccountName=jsmith" and the log line "Going to SEARCH state," confirming that FortiOS is in the second step—the Search Request (Option D). Official documentation highlights this exact phrase "SEARCH state" as indicative of Step 2 within the LDAP process (“Bind → Search → Bind”).

Additionally, the last line “Found DN 1: CN=John Smith, CN=Users, DC=TAC, DC=ottawa, DC=fortinet, DC=com” verifies that the system has successfully mapped the username to the Distinguished Name (DN) and this user is “John Smith.” The authentication will now proceed using this mapped user (Option B). Fortinet’s logs record the found DN after a successful search, which is a strong confirmation that the user’s credentials can be validated against the found DN.

Options A and C are not supported directly by the debug output shown:

The server name "Lab" is referenced as part of the request, but not explicitly as the LDAP server’s configured name in this output.

Step 3 (Bind Request) would follow finding the DN, but the log here demonstrates the Search and DN found—per Fortinet, this precedes the actual Bind/validation step.

Based on the Fortinet FCSS - Network Security 7.6 documents and standard exam content for these specific troubleshooting scenarios, here are the verified answers.

Questions no: 74

Verified Answer: A, C

Comprehensive and Detailed Explanation with all FCSS - Network Security 7.6 documents:

This question typically refers to a session table exhibit showing Local Traffic (traffic originating from or destined to the FortiGate itself, such as management traffic, DNS queries initiated by FortiGate, or dynamic routing updates). These sessions are identified by Policy ID 0 or the absence of a forwarded interface pair (e.g., local flag).

C. FortiGate either initiated the session or the session terminates at FortiGate:

This is the definition of Local Traffic. Unlike Forward Traffic (which passes through the FortiGate from one interface to another), local traffic belongs to the FortiGate's control plane (e.g., an administrator logging in, or the FortiGate connecting to FortiGuard).

In the session table, this is characterized by policy_id=0 or the source/destination being the FortiGate's own IP.

A. FortiGate is performing a security profile inspection using the CPU:

Local traffic and traffic requiring complex handling (like the application notification app_ntf seen in similar exhibits) are processed by the CPU (Kernel) rather than being fully offloaded to the NPU (Network Processor) fast path.

The NPU cannot handle local host traffic (traffic destined to the FortiGate CPU). Therefore, the CPU must process these packets.

Why other options are incorrect:

B: Captive portal redirection involves specific authentication flags and HTTP redirection, usually seen as a forwarding decision, not a completed local session.

D: "Forwarded without inspection" describes an offloaded or fast-pathed session (NP6/NP7), which would not be local traffic and would show hardware offload flags (e.g., np6_0).

The output of the diagnose sys session list command provides the critical evidence needed to determine the behavior during a failover:

Session Synchronization (synced):

The most important indicator in the exhibit is the synced flag located in the state= line (state=may_dirty synced none app_ntf).

In FortiOS HA (High Availability), the synced flag confirms that this specific session has been successfully synchronized from the primary device to the secondary (backup) device.

Session synchronization (Session Pickup) ensures that if the primary unit fails, the secondary unit already has the session in its table and can resume traffic processing immediately.

TCP State (proto_state=01):

The output shows proto=6 (TCP) and proto_state=01.

In the FortiGate session table, proto_state=01 for TCP indicates that the session is in the ESTABLISHED state (post-three-way handshake).

This invalidates Option B, which claims the TCP session is not fully established.

Failover Outcome:

Because the session is ESTABLISHED and SYNCED, the secondary device will seamlessly take over the session upon primary failure.

The traffic continues to flow through the new primary without requiring the user/client to restart the connection. This is the primary function of HA Session Pickup.

Why other options are incorrect:

A: While the output shows app_ntf (Application Control notification) and may_dirty, the presence of the synced flag overrides this concern regarding failover. If the session type were not supported for failover (e.g., certain proxy sessions in older versions), it would not be marked as synced. Since it is synced, it persists.

B: As noted, proto_state=01 means established, not "not fully established".

D: While the kernel updates routing tables, the purpose of syncing the session is to preserve the state so it does not need to be re-evaluated as a new packet would, preventing traffic drops.