Free Practice Questions for Fortinet FCSS_NST_SE-7.6 Exam

To display debug output on FortiGate devices, you must always run both the application-specific debug command and the global debug enable command. The command diagnose debug application ike -1 sets up the detail level for the IKE daemon debug, but it does not display any debug output on its own. As described in the FortiOS CLI debugging manuals, the command diagnose debug enable activates debug output on the console, making all previously set debugs visible. This is especially important for VPN troubleshooting—without the enable command, no output appears even if there is VPN traffic.

The correct diagnostic sequence is:

diagnose debug application ike -1

diagnose debug enable

This procedure is found in every FortiOS CLI debug tutorial and troubleshooting workflow.

The session output reveals a session with proto=1 (ICMP) and the origin and reply directions show address and NAT translations. Specifically, the hook=post dir=org act=snat shows that source NAT is performed for outgoing packets, where the source 10.1.10.10:40602 is translated to 10.200.5.1:8 (likely ICMP id 8, not a TCP/UDP port). The reply direction, hook=pre dir=reply act=dnat, indicates destination NAT for incoming packets: packets incoming for 10.200.5.1:60430 are destination-NATed to 10.1.10.10:40602. The gateway (gwy) is listed as 10.200.1.254/10.1.0.1, which for outgoing traffic means that return traffic is directed to the gateway (10.200.1.254), per the NAT policy. This is confirmed by the FortiOS Session Table Guide, which explains that the returned ICMP reply will be routed out to this NAT gateway. The session statistics and logical flow (SNAT out, matching DNAT in) reinforce that reply traffic to the initiator traverses via 10.200.1.254.

FortiOS Admin Guide: Static Routing, SNAT Route Change Feature

When the FortiGate enters Conserve Mode due to high memory pressure (specifically reaching the Extreme Threshold at 95% memory usage, or the Red Threshold for proxy traffic), the system prioritizes stability and preventing a system crash (kernel panic).

D. FortiGate begins dropping all new sessions to protect resources:

In Extreme Conserve Mode (95%), the FortiGate kernel acts to preserve the remaining memory for system-critical tasks (like admin access and basic packet forwarding of existing sessions). To achieve this, it drops all new session initiation requests regardless of the inspection type.

In Red Conserve Mode (88%), it specifically drops new sessions that require proxy-based inspection (as these consume the most memory), while often still allowing flow-based traffic.

Among the provided choices, "dropping new sessions" is the only standard protective mechanism FortiOS employs to stop memory usage from climbing further.

Why other options are incorrect:

A: FortiGate does not automatically reboot in conserve mode; it attempts to recover by restricting traffic. (Reboot is a last-resort crash, not a configured action).

B: Inspection modes (Proxy vs. Flow) are defined in firewall policies and cannot be dynamically switched by the system during runtime.

C: The system does not arbitrarily stop "non-essential processes" like logging or AV. Logging is critical for audit trails. While av-failopen can be configured to bypass scanning, the system typically defaults to "Fail-Close" (dropping traffic) rather than stopping the engines themselves.

The issue is caused by the strict matching logic of the configured Prefix List.

Current State: The rule is edit 1 with set prefix 172.16.0.0 255.255.0.0 and both ge (greater than or equal) and le (less than or equal) are unset.

Behavior: When ge and le are unset, FortiOS requires an exact match of the subnet mask. The current rule only matches the exact network 172.16.0.0/16. It denies 172.16.52.0/24 because the mask (/24) does not match the rule's mask (/16).

To fix this and inject 172.16.52.0/24, you must modify the list to match the /24 mask:

A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network:

Creating a new rule (e.g., edit 2) with set prefix 172.16.52.0 255.255.255.0 will provide an exact match for the incoming route, allowing it to pass the distribute-list.

B. Change the ge value to 17:

By configuring set ge 17 on the existing rule (conceptually 172.16.0.0/16 ge 17), you change the logic from "exact match" to "range match".

This configuration tells the router to match any prefix starting with 172.16.x.x that has a subnet mask length of 17 or greater.

Since the incoming route is a /24, and 24 is greater than 17, the route will match the prefix list and be accepted.

Why other options are incorrect:

C: The option text appears to read "Change the ... value to 16". If this refers to le 16, it would enforce the mask to be exactly /16 or less, which still excludes /24.

D: Changing the default behavior to implicit allow defeats the purpose of a filter (security control) and is not a standard configuration step for fixing a single missing route.

The debug command diagnose debug application fssod -1 reveals the internal processing of the FortiGate Single Sign-On daemon.

Option D (Agentless Polling): The output shows event_id=4768. Event ID 4768 (Kerberos TGT Request) is a Windows Event Log entry. The presence of specific Event IDs in the fssod debug, rather than a generic logon notification, indicates that the system is reading (polling) the Security Event Logs from the Domain Controller. This is characteristic of Agentless Polling Mode (or Collector Agent Polling Mode), where the FortiGate or Collector scrapes logs. In contrast, DC Agent mode intercepts logon calls directly and would typically provide more complete information, including the workstation name.

Option A (Verification): Crucially, the output shows workstation=,, indicating the workstation name field is empty. In Polling Mode, certain Event IDs (like 4768) often do not contain the source workstation's hostname. Without the workstation name, the FortiGate (or Collector) cannot perform a workstation check (WMI/Registry poll) to verify if the user is still logged in. It essentially has to rely on the "dead entry timeout" because active verification is impossible without the target machine's name.

Option B is incorrect because DC Agents reliably capture workstation names. Option C is incorrect because the system cannot poll a workstation it cannot identify.

Based on the Fortinet FCSS - Network Security 7.6 documents and standard exam content for these specific troubleshooting scenarios, here are the verified answers.

Questions no: 74

Verified Answer: A, C

Comprehensive and Detailed Explanation with all FCSS - Network Security 7.6 documents:

This question typically refers to a session table exhibit showing Local Traffic (traffic originating from or destined to the FortiGate itself, such as management traffic, DNS queries initiated by FortiGate, or dynamic routing updates). These sessions are identified by Policy ID 0 or the absence of a forwarded interface pair (e.g., local flag).

C. FortiGate either initiated the session or the session terminates at FortiGate:

This is the definition of Local Traffic. Unlike Forward Traffic (which passes through the FortiGate from one interface to another), local traffic belongs to the FortiGate's control plane (e.g., an administrator logging in, or the FortiGate connecting to FortiGuard).

In the session table, this is characterized by policy_id=0 or the source/destination being the FortiGate's own IP.

A. FortiGate is performing a security profile inspection using the CPU:

Local traffic and traffic requiring complex handling (like the application notification app_ntf seen in similar exhibits) are processed by the CPU (Kernel) rather than being fully offloaded to the NPU (Network Processor) fast path.

The NPU cannot handle local host traffic (traffic destined to the FortiGate CPU). Therefore, the CPU must process these packets.

Why other options are incorrect:

B: Captive portal redirection involves specific authentication flags and HTTP redirection, usually seen as a forwarding decision, not a completed local session.

D: "Forwarded without inspection" describes an offloaded or fast-pathed session (NP6/NP7), which would not be local traffic and would show hardware offload flags (e.g., np6_0).