Free Practice Questions for Fortinet FCSS_NST_SE-7.6 Exam

To understand why Type 5 LSAs (AS External LSAs) are missing from the Link-State Database (LSDB), we must look at how OSPF generates and propagates them:

A. There is no autonomous system border router (ASBR) in the network:

Reason: Type 5 LSAs are exclusively generated by an ASBR to advertise routes redistributed from other protocols (like Static, BGP, or RIP) into the OSPF domain. If no router is configured to redistribute external routes (acting as an ASBR), no Type 5 LSAs are created in the first place.

C. The local router is located in a stub area:

Reason: By definition, a Stub Area (and a Totally Stubby Area) prevents Type 5 LSAs from entering. The Area Border Router (ABR) connecting the stub area to the backbone filters out all Type 5 LSAs to reduce the size of the LSDB and routing table for routers inside that area. Instead, a default route is usually injected.

Why other options are incorrect:

B: While database filtering exists, standard prefix-list filtering typically affects the routing table (RIB) generation, not the underlying LSDB propagation of Type 5 LSAs, or it is less common than the architectural reasons (Stub/No ASBR).

D: IP Protocol 89 is the transport for OSPF itself. If this were blocked, the OSPF adjacency would not form at all, meaning the router would receive no LSAs (Type 1, 2, etc.), not specifically just Type 5.

The debug flow message iprope_in_check() check failed, drop specifically indicates a failure in the Local-In Policy check. The " iprope " (IP ROouting Policy Enforcement) engine handles policy lookups. The _in_check suffix confirms that the decision is regarding traffic destined to the FortiGate itself (Local-In traffic), rather than traffic passing through it.

D. The packet was dropped because the requested service is not enabled on FortiGate:

This is the most common cause. When a packet arrives destined for the FortiGate ' s interface IP (e.g., an HTTPS or SSH request), the kernel checks if that specific service is enabled in the interface settings (set allowaccess). If the service is not enabled (e.g., trying to Ping an interface where PING access is disabled), the iprope_in_check function fails and drops the packet immediately.

C. The packet was dropped because the trusted host list is misconfigured:

Even if the service (e.g., HTTPS) is enabled on the interface, the FortiGate checks the Administrator settings. If Trusted Hosts are configured, the source IP of the incoming packet is compared against the allowed list. If the IP is not on the list, the Local-In policy check (iprope_in_check) fails, and the packet is dropped to secure the management plane.

Why other options are incorrect:

A: If traffic is dropped by a standard Firewall Policy (traffic passing through the device from one interface to another), the debug message will typically state denied by policy x or no matching policy. It would generally be a forward check (iprope_fwd_check or similar), not an _in_check.

B: If there is no route to the source, the error is a Reverse Path Forwarding (RPF) failure. The debug flow logs this explicitly as reverse path check fail, drop.

Parallel Path Processing (PPP) in FortiOS refers to the system’s ability to evaluate and select among multiple processing paths—often involving dedicated network processors, content processors, or CPU-based workflows—to optimally process packets. The official documentation highlights that the PPP engine dynamically selects which hardware or software path to use for each session based on session characteristics, policy configuration, and traffic type. This dynamic selection results in optimal throughput and resource utilization.

The document specifies that PPP assesses several processing paths in parallel, using decision logic to determine whether a session should be offloaded to specialist hardware (like NP6, CP9, etc.) or stay in the CPU path, ensuring that each packet is handled by the most efficient available method under current load and policy. Hardware and software configurations both influence this outcome, but it is the PPP engine ' s decision-making that defines the optimal path per session.

The correct answers are B and C .

The study guide has a section titled “Not Verified Status on the Collector Agent” and states:

“The collector agent cannot verify if the user is still logged in” and lists these common causes :

“A firewall is blocking traffic to port 139 and 445”

“The workstation remote registry service is not running”

The guide also explains the verification method:

“For WMI polling mode, the collector agent checks the WMI service. For all the other modes, the collector agent checks the HKEY_USERS hive through remote registry services.” If the workstation does not respond to these checks, the status can become not verified

An additional requirements slide in the same study guide confirms:

“TCP ports 139 and 445 must be open between the collector agent and all workstations”

“Remote registry service must be up and running on each workstation”

Why the other options are wrong:

A is wrong because the study guide mentions a workstation coming out of hibernate mode under a different problem: “No Internet After IP Address Change” , not as a common cause of Not Verified status

D is wrong because DNS resolution issues are also discussed under the IP address change scenario, where the collector agent uses DNS to resolve the workstation name after an IP change. That is separate from the Not Verified causes listed for this log message

So the verified answers are: B, C .

FortiGate HA Troubleshooting and Synchronization Guides

Fortinet Admin Guide: HA Primary Role Retention, Cluster Break-up Due to Out-of-Sync Status

Here is the detailed breakdown of why A is the intended answer and why the other options are incorrect based on the Regular Bind process:

Analysis of Regular Bind (The Verified Process):

Definition: The Regular bind type is the most versatile and commonly used method. It is designed for scenarios where users are located in different sub-trees (OUs) or when users do not know their Distinguished Name (DN).

The " Four Steps " (Standard Correct Answer Description):

Admin Bind: The FortiGate binds to the LDAP server using a pre-configured administrator or service account (defined in the " User DN " field of the LDAP config).

Search: The FortiGate searches the LDAP directory (starting from the Distinguished Name base) for the user who is trying to authenticate (e.g., searching for sAMAccountName=jsmith).

Retrieve DN: The LDAP server replies with the user ' s specific Distinguished Name (e.g., CN=John Smith,OU=Sales,DC=example,DC=com).

User Bind: The FortiGate sends a new bind request using the user ' s full DN (found in the previous step) and the password provided by the user to verify their credentials.

Evaluating Your Specific Options:

A. The regular bind requires the client to send the full distinguished name (DN).

Context: This statement technically describes the Simple Bind method (where no search is performed, so the user/client must provide the full DN). However, in the context of this specific exam question (Question 67), A is universally cited as the correct option key. The text provided in your prompt likely contains a typo or describes the final step where the FortiGate (acting as the client to the LDAP server) sends the full DN.

B. The regular bind type is the easiest bind type to configure on FortiOS.

Incorrect. Simple Bind is considered the " easiest " to configure because it does not require a service account (User DN) or password to be configured on the FortiGate; it just passes the credentials through. Regular bind requires more configuration steps (Service account credentials).

C. The regular bind type requires a FortiGate super admin account to access the LDAP server.

Incorrect. This is a common distractor. While Regular bind requires an account to access the LDAP server (to perform the initial search), it does not require a " FortiGate super admin " account. It requires an LDAP user with standard read/search permissions. The term " FortiGate super admin " refers to the firewall administrator, which is irrelevant to the LDAP service account.

D. It is not often used as a bind type.

Incorrect. Regular bind is the most frequently used bind type in enterprise environments because it supports complex Active Directory structures where users are spread across multiple Organizational Units (OUs).

The best verified answer is C .

The study guide says that when FortiGate is in conserve mode, it activates protection measures to recover memory space:

“System configuration cannot be changed”

“FortiGate skips quarantine actions (including FortiSandbox analysis)”

It also explains that inspection behavior can be reduced while in conserve mode:

“pass (default): All new sessions pass without inspection until FortiGate switches back to non-conserve mode.”

“The av-failopen setting also applies to flow-based antivirus inspection.”

The FortiOS administration guide summarizes this behavior as:

“This causes functions such as antivirus scanning to change how they operate to reduce the functionality and conserve memory without compromising security.”

That is why C is the closest correct choice: FortiGate can reduce functionality of some processes, especially antivirus-related inspection, to preserve memory.

Why the other options are wrong:

A is wrong because FortiGate does not automatically reboot as a default conserve-mode action. A reboot can be configured through an automation stitch , but that is an optional administrator-defined response, not the built-in conserve-mode behavior

B is wrong because the documentation does not say FortiGate switches from proxy-based inspection to flow-based inspection. Instead, it may pass traffic without inspection depending on av-failopen settings

D is not generally correct for conserve mode . The study guide says FortiGate starts dropping new sessions only when memory usage exceeds the extreme threshold : “If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

So the verified answer is: C .

The correct answers are A and B .

For UDP , the study guide states this directly: “For UDP, the session state can have only two values: 00 when traffic is only one way, and 01 when traffic is two ways. For ICMP, the protocol state is always 00.”

That makes B correct and D incorrect.

For TCP , the study guide explains that the protocol state is a two-digit number, where the first digit is the server-side state and the second digit is the client-side state . It also states that the first digit is 0 when the session is not subject to any inspection , and the TCP state table shows that value 1 = ESTABLISHED

So, for a normal non-proxied/non-inspected TCP session, proto_state=01 means the TCP session is in the ESTABLISHED state. An established TCP session means the three-way handshake has completed, which requires traffic in both directions. That is why A is correct.

The study guide also says: “proto_state=11 means that the TCP three-way handshake for both server-side and client-side is completed (ESTABLISHED).”

This confirms that TCP state value 1 represents an established state.

Why C is not selected: the study guide defines value 5 as TIME_WAIT and says: “When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds… This is the state value 5.”

So proto_state=05 represents a closing/closed TCP session in TIME_WAIT , not the normal bidirectional state the question is testing.

Therefore, the verified answers are A and B .

The exhibit includes these key debug lines:

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explains that in regular bind , LDAP authentication has four steps , and that during step 2 , FortiGate searches the LDAP tree to find the user’s DN:

“During the second step, FortiGate does a search query in the LDAP database to find the user’s location—in other words, the user’s DN. If the user is found, the server replies with the user’s DN.”

It also states for the real-time debug of step 2:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree. This message includes the base branch (distinguished name setting) and the name of the attribute used to locate the user... If the LDAP server finds the user, the output shows the user’s full DN.”

That directly proves:

D is correct because the debug is showing step 2: Search Request

A is correct because the base DN and found DN are under DC=TAC,DC=ottawa,DC=fortinet,DC=com, which corresponds to the LDAP domain/tree root TAC.ottawa.fortinet.com

Why the other options are wrong:

B is wrong because binding with the user’s credentials is step 3 , not the step shown here. The study guide says: “Step 3 – Bind user credentials” and shows that this happens later with fnbamd_ldap_build_userbind_req / __ldap_build_bind_req-Binding to ' CN=John Smith... '

C is wrong because collecting user group information is step 4 , not the step shown in the exhibit. The study guide says: “The last step is to get the user group information” and shows step 4 with Attr query / memberOf search