FCSS_LED_AR-7.6 Fortinet NSE 6 - LAN Edge 7.6 Architect Free Practice Exam Questions (2026 Updated)

From the exhibits:

SSID “Guest”

Security mode:Open

Captive Portal: Enabled, portal typeAuthentication → External

External portal URL: https://fac.trainingad.training.lab/guest (FortiAuthenticator)

Exempt destinations/services:FortiAuthenticator and WindowsAD

Firewall policy

From theGuest interface/zonetoport1 (Internet)

Source user group:guest.portal(authenticated users)

The flow for anexternal captive portalis:

Client associates to theopen Guest SSID.

Client makes an HTTP(S) request.

FortiGate intercepts and redirects the client to theexternal portal.

Client must be able toreach FortiAuthenticator’s IP(and AD if the portal needs it)before authentication.

In this setup:

Theexempt destinationsetting tells the captive portal logicnot to require authenticationfor traffic going to FortiAuthenticator and WindowsAD.

However, there still must be a firewall policy that allows traffic from the Guest SSID subnet to those exempt destinations.

The existing firewall policy uses theguest.portal user groupas a source condition, which only matchesaftersuccessful portal authentication. Before login, the client has no user identity, so:

Traffic from the unauthenticated Guest client → FortiAuthenticator isnot matchedby that policy.

It hits theimplicit deny, so the browser never reaches the login page.

To fix this, the administrator must:

Create or modify a firewall policy thatallows traffic from the Guest SSID subnet/interface to FortiAuthenticator and WindowsAD without requiring user authentication.

That is exactly what optionDdescribes.

Why the others are wrong:

A. Change SSID security mode to WPA2-Enterprise– External captive portals are normally used withopenSSIDs; WPA2-Enterprise uses 802.1X, not captive portal.

B. Disable HTTPS redirection– Redirection is required so users are sent to the portal; disabling it doesn’t solve reachability.

C. Exclude FortiAuthenticator and Windows AD from filtering– They’re already listed asexempt destinationsin the SSID configuration; the missing piece is thefirewall policy, not the exemption.

When a FortiGate is deployed usingZero Touch Provisioning (ZTP)or auto-discovery:

FortiGate retrieves theFortiManager IP address(from DHCP Option 240, FortiCloud/ZTNA provisioning, or manual set).

The next step isnot UI authorizationor DHCP changes—it immediately attempts to form aFGFM (FortiGate–FortiManager) tunnel.

The FGFM protocol usesTCP port 541to establish a secure management channel.

FortiManager will still require manual authorization of the deviceinside FortiManager, but this occursafterthe tunnel is established.

Therefore, the first automatic action after retrieving the FMG address iscreating the secure FGFM tunnel on TCP/541.

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

Auto TX power control on FortiAP is an RF-optimization feature:

FortiGate (as wireless controller) continuously evaluatesRSSI of associated clientson each FortiAP radio.

The algorithm focuses on theweakest client(the one with the worst signal) and adjusts the AP’s transmit power so that this client’s signal level stays within a configured / target range.

This helps balance coverage and limit co-channel interference: APs don’t transmit at maximum power when clients are close, but will increase power when the weakest client signal drops too low.

Therefore the correct behavior description is:

✔C– AP power is adjusted based on the weakest associated client’s signal.

Why the others are wrong:

AandBtalk about matching nearby APs’ power or forcing everything to –70 dBm, which is not how FortiAP auto TX works.

Dincorrectly states the AP “evaluates its own transmission from the client perspective”; the AP can only infer client-side conditions from theclient’s RSSI at the AP, not the inverse.

In this scenario:

FortiGate + FortiAnalyzer are part of theSecurity Fabric

AnAutomation Stitchis configured:

Trigger:Compromised Host – High(IOC from FortiAnalyzer)

Action:Quarantine on FortiSwitch + FortiAP

A test device10.0.2.1visits a malicious website.

FortiAnalyzer logs show the event, butFortiGate does NOT quarantine the device.

This means theautomation did not receive an IOC trigger, OR theFabric did not classify it as a compromise.

Let's evaluate each answer option.

✅C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.

✔Correct.

For FortiGate to quarantine a device:

FortiAnalyzer must classify the event as aCompromised Host → High / Medium / Critical

FortiAnalyzer must generate anIOC event

FortiGate must receive that IOC through the Fabric

Even though the FAZ log shows:

Action = blocked

Category = Malicious Websites

→ That doesNOTautomatically mean an IOC was generated.

A blocked website event isnot always an IOCunless:

It is included in theIOC database

FAZ’sAnalytics / UTM / IOCengine marks it as a compromise

Thus, if FAZ only logs a “Malicious Website” event butdoes not classify it as an IOC,

Context: You’re troubleshootingSyslog-based SSOonFortiAuthenticator:

Devices (typically firewalls, WLAN controllers, VPN gateways) sendsyslog messagescontaining usernames, IPs, login/logout events.

FortiAuthenticator parses those logs usingSyslog SSO rulesand injects logon sessions intoFSSOfor FortiGate.

When users are not mapping correctly, you need to see:

Did the syslog message arrive?

Which matching rule (if any) caught it?

What username and IP were extracted?

Why was a message ignored or rejected?

FortiAuthenticator has a dedicated debug area for this:

Debug logs → Single Sign-On → Syslog SSO

This view shows:

Raw syslog lines received

Thematching ruleapplied (or “no match”)

Parsed fields (username, IP, group)

Any parsing errors

This is exactly the tool designed totroubleshoot and diagnose Syslog SSO issues.

Why the other options are not the best for this issue

A. Debug logs > Remote Servers > Syslog Viewer

Lets you see syslog traffic in general, but doesnotshow how SSO rules are applied or why they fail. Good for connectivity checks, not SSO logic.

B. Parsing Test Tool

Useful totestpatterns and rules manually by pasting sample log lines, but it doesn’t show live traffic or running SSO sessions.

C. Debug logs > SSO Sessions page

Shows existing SSO sessions (who is logged in), but notwhya particular syslog message did not create a session.

From the exhibits:

The AP profile shows:

SSIDs: Tunnel | Bridge | Manual

The current setting isBridge, not Manual.

WhenBridgeorTunnelis selected, the AP profiledoes NOT automatically broadcast SSIDsunless the corresponding VAPs were explicitly mapped in the AP profile.

FortiManager SSID profiles are created, but unless these are explicitly applied underManual SSIDs selection, the AP will not broadcast any SSID.

Fortinet documentation states:

“To control which SSIDs an AP broadcasts, the AP Profile must have SSIDs set toManual, and the desired SSIDs must be selected.”

Therefore, to make the AP broadcast the intended SSIDs:

✔You must switch the SSIDs setting to Manual, and manually select the SSIDs (CompanyPrinters, Student01, Guest-CorpPort, PSK).

Why the other options are incorrect:

A. Adjust AP profile to avoid mixing bridge/tunnelMixed modes ARE supported. Not the issue.

B. Change platformThe platform (FAP231F) already supports all listed SSIDs.

D. Set transmit power mode to autoPower settings have nothing to do with SSID broadcasting.

The problem states:

FortiGate receivesRADIUS accounting messagesonport3.

User-Nameattribute contains the username.

Classattribute contains the group membership.

Goal: authenticate users through RSSO and map them to the correct user groups.

To achieve this, three critical components must be configured:

✔A. RADIUS Attribute Value in the RSSO group must match the Class attribute

This is mandatory because:

RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).

For group assignment to work, FortiGate must compare:

RSSO User Group → RADIUS Class Attribute Value

This isexactly how FortiGate maps RSSO users to groups.

✔D. RSSO agent’s sso-attribute must be set to Class

Thesso-attributedefineswhich RADIUS attribute contains the group information.

Because group membership is carried in:

➡Class attribute

You must configure:

config user radius

set sso-attribute Class

end

This tells FortiGate:

"Use the Class attribute to derive user group membership."

✔E. rsso-endpoint-attribute must be set to User-Name

This identifieswhich RADIUS attributecarries the actualusername.

In this scenario:

RADIUS accounting messages contain the username inUser-Name.

So the correct setting is:

config user radius

set rsso-endpoint-attribute User-Name

end

This ensures the RSSO user object uses the correct username.

❌Incorrect Options Explained

B. Assign RSSO user groups to all firewall policies

Not required.

You only assign them to policies where RSSO authentication is used.

C. Device detection and Security Fabric Connection should be enabled on port3

Totally irrelevant to RSSO.

RSSO only needs RADIUS accounting, not device detection or Fabric services.

Let’s verify each protocol:

C. FortiGate uses the FortiLink protocol to establish communication with FortiSwitch.✔

FortiLink is themanagement and control protocol, encapsulated over:

LLDPfor discovery

CAPWAP (UDP/5246–5247)for control channel

DHB (Device Handshake Bus)inside CAPWAP frames

Thus,FortiLink is required.

D. CAPWAP is used to establish the control channel between FortiSwitch and FortiGate.✔

Although CAPWAP is commonly associated with FortiAP, FortiSwitchalso uses CAPWAPinternally when managed by FortiGate.

This is documented in:

FortiSwitch Administration Guide

LAN Edge deployment guide

SoD is correct.

B. UHTTPS is used by FortiGate to securely manage and configure FortiSwitch devices.✔

FortiLink session actually uses:

Encrypted CAPWAP (over DTLS)

UHTTPS (port 4433)for secure configuration exchanges

This protocol is mandatory for:

Switch configuration synchronization

Firmware upgrade

NAC data exchange

VLAN provisioning

ThereforeUHTTPS is indeed one of the key protocols.

Why the incorrect options are wrong:

A. SNMP can be used by FortiGate to manage FortiSwitch.✖

FortiGate doesnotuse SNMP to manage FortiSwitch.

SNMP is for monitoring by external systems, not for FortiLink control.

E. IGMP is required for management.✖

IGMP is a multicast protocol, irrelevant for FortiGate–FortiSwitch management.

WithAD machine authenticationvia FortiAuthenticator:

When a machine successfully authenticates, FortiAuthenticator records:

Machine account / identity

MAC addressof the device

Associated IP and session info

To handle sleep/hibernation:

FortiAuthenticator keeps acache of authenticated MAC addressesfor a configured timeout.

When the device wakes up and sends traffic again, FortiAuthenticator/FSSO can still treat it as authenticated as long as its MAC is in cache, so access is maintained without forcing a full machine re-auth immediately.

This matches optionD.

A(guest VLAN) is not the standard behavior here.

B(WoL) is unrelated.

C(IP-based) would break as IPs can change; MAC-based caching is what’s used.

From the FortiManager NAC policy:

Category =Device

Match criteria includeMAC addressandOperating System = Linux

Action =Assign VLAN “Students”

From the FortiGate CLI:

diagnose switch-controller switch-info mac-table ...

MAC: 70:88:6b:8c:4a:ce VLAN: 4089 Port: port2

diagnose switch-controller mac-device mac onboard­ing

VLAN 4089 MAC 70:88:6b:8c:4a:ce

So the device is stuck inVLAN 4089, which is theonboarding VLAN. No NAC policy is matched.

For a NAC policy to match, FortiGate needsdevice-identity information, which comes fromdevice detection on the VLAN / FortiLink interfaceplus theattributes that the policy expects(OS, MAC, etc.).

A. Device detection is not enabled on VLAN 4089.

If device detection is disabled on the interface/VLAN where the endpoint lives, FortiGate cannot learn OS / device info.

Without this, the NAC engine cannot compare against the NAC policy (which relies on OS and other attributes), so the device remains in the onboarding VLAN.✅This is a valid root cause.

B. The device operating system detected by FortiGate is not Linux.

The NAC policy explicitly requiresOperating System = Linux.

If the endpoint is actually Windows/macOS, or the OS fingerprint is still “Unknown”, the policy will never match, and the device stays in onboarding.✅Also a valid reason.

C. Management communication between FortiGate and FortiSwitch is down.

CLI output (switch-info mac-table and mac-device) proves FortiGate is talking to the switch and sees MAC/VLAN/port information.❌Not a valid reason.

D. The MAC address configured on the NAC policy is incorrect.

The exhibits show the MAC in the NAC policy matches the MAC appearing in the MAC table.❌Not the cause here.