FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Free Practice Exam Questions (2026 Updated)

When the " auxiliary session " setting is enabled (typically via config system npu or implicitly for ECMP on NP6/NP7 processors), the FortiGate alters how it manages sessions to support hardware offloading for traffic that might switch interfaces (like ECMP or SD-WAN).

B. FortiGate accelerates all ECMP traffic to the NP6 processor:

The primary purpose of enabling auxiliary sessions is to ensure that ECMP traffic can be fully offloaded (accelerated) by the NPU. Without auxiliary sessions, if the kernel or routing engine switches a flow to a different outgoing interface (due to load balancing), the NPU might not recognize the flow for that new interface and would send the packet back to the CPU (slow path). Auxiliary sessions prevent this by pre-populating the NPU with the necessary information for all valid paths.

D. FortiGate creates two sessions in case of a routing change:

Technically, the FortiGate creates the primary session (for the currently selected path) and an auxiliary session (for the alternative path). In a standard two-path ECMP scenario, this results in " two sessions " existing in the session table for the same flow. This ensures that if a routing change occurs (e.g., the flow shifts to the second path), the traffic continues to be processed by the NPU without interruption or re-evaluation by the CPU.

The exhibit displays the output from the diagnose debug rating command on a FortiGate device. This command is used to display information about FortiGuard Web Filtering or other security-related queries performed by FortiGate to FortiGuard servers. Official Fortinet documentation outlines the meaning of each field in the server list. The FortiGate maintains a list of available FortiGuard servers, selecting the optimal server based on factors such as weight, round-trip time (RTT), and regional settings.

The very first entry in the server list after " Server List " is the server FortiGate initially uses, prioritized by factors such as proximity and RTT. Here, 64.26.151.37 is listed first, and the FortiGuard-requests value confirms that this server handled the highest number of requests.

The IPs, weights, and lost/failed counters are monitored for server performance and selection over time. FortiGate ' s default operational logic is to try the first entry for contract validation and use the next in the list if the first is unavailable or has high latency or packet loss.

There is no direct correlation between the Weight and the number of FortiGuard-requests. The servers with higher or lower weights may still handle different request volumes based on availability and performance.

The TZ (time zone) value ' s sign (positive or negative) does not affect server preference; it is informational, showing the server ' s location relative to UTC, not a rating metric.

DNS query results for FortiGuard servers are not shown here, and the provided servers are not returned in DNS query order.

This command and interpretation are detailed in the FortiOS Administration Guide’s section describing FortiGuard server selection and contract validation processes.

The partial output from diagnose hardware sysinfo memory provides details on system RAM allocation. According to Fortinet ' s technical documentation for memory troubleshooting and Linux memory management (which FortiOS is based on):

MemFree is the portion of physical memory not currently allocated to any running process or kernel function. Thus, 708880 kB is available and can be immediately used by user-space programs or system operations.

Inactive refers to pages in the memory cache that were previously in use for I/O or file system buffering but are now not actively referenced. These pages are retained in memory for quick access if needed again, but can be reclaimed for other memory operations if demand increases. The value 98908 kB here represents currently unused cache pages (inactive pages), ready for repurposing or deletion if the system requires more RAM.

Cached represents the total amount of system memory allocated to cache, which includes both active and inactive cache pages. It does not, by itself, represent I/O cache exclusively, nor does " inactive " mean memory “will never be used” as the kernel can re-purpose inactive pages on demand.

The study guide identifies this exact output as an expectation session created by the FTP session helper :

“run helper-ftp” indicates the FTP helper is in use.

“FortiGate created an expectation session and opened the pinhole port for the expected return traffic”

It also explains why this exists:

“Another important function of the session helper is to temporarily create an expected session (or pinhole) for the data channel connection that comes from the server.”

“The session helper automatically creates the session and opens the door for the incoming connection.”

“These incoming TCP sessions use random TCP port numbers.”

That directly proves C is correct.

For A , the exhibit shows expire=23. The study guide explains the expire field as the length of time until the session expires if no matching traffic arrives, and the FortiOS guide states for expectation sessions:

“Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.”

So with expire=23, FortiGate will allow that expected traffic only for the remaining 23 seconds; after that, it times out and the traffic is denied. That makes A correct.

Why the other options are wrong:

B is not supported . The study guide describes expectation sessions as being created by the session helper from the control-session negotiation, not as independent objects unaffected by the master session.

D is wrong as stated. Even though the output contains policy_id=25, the study guide explicitly says the incoming expected connection is allowed by the expected session itself, “even when no firewall policy allows it.”

To determine the cause of the failure, we must analyze the IKEv2 debug output provided in the exhibit (image_ad3dc6.jpg):

Identify the Negotiation Phase:

The debug log shows: responder received CREATE_CHILD exchange.

In IKEv2, the CREATE_CHILD_SA exchange is used to create new Child SAs (Phase 2) or to rekey existing ones.

The fact that the tunnel was previously " brought up successfully " implies the initial IKE SA (Phase 1) is stable, and this error is occurring specifically during a rekey event, which often involves Perfect Forward Secrecy (PFS).

Analyze the Proposals (The Mismatch):

Incoming Proposal (Remote Peer):

The remote peer sends a proposal containing two Diffie-Hellman groups: type=DH_GROUP, val=MODP2048 (Group 14) and type=DH_GROUP, val=MODP1536 (Group 5).

My Proposal (Local FortiGate):

The local FortiGate configuration expects: type=DH_GROUP, val=MODP3072 (Group 15).

Result of the Negotiation:

The debug output concludes with: no proposal chosen and Negotiate SA Error.

This error occurs because the local FortiGate cannot find a common Diffie-Hellman group between what it requires (Group 15) and what the peer is offering (Groups 14 or 5).

While this is technically a mismatch occurring during the Phase 2 (Child SA) creation, " A Diffie-Hellman mismatch " (Option A) is the precise root cause identified in the logs.

Why other options are incorrect:

B: The log shows received create-child request, confirming that UDP traffic is reaching the device and is not blocked.

C: The failure is in the CREATE_CHILD exchange (Phase 2/Rekey), not the IKE_SA_INIT or IKE_AUTH (Phase 1) exchanges.

D: While the mismatch is occurring within the Phase 2 definitions, Option A is the specific technical reason for the no proposal chosen error shown in the DH_GROUP lines.

The correct answer is C .

The exhibit shows the neighbor state as Connect in the State/PfxRcd column. The study guide explains the BGP states exactly as follows:

“Connect: Waiting for a successful three-way TCP connection”

“OpenSent: Waiting for an OPEN message from the peer”

“Established: Peers have successfully exchanged OPEN and keepalive messages”

Because the router is still in Connect state, the TCP three-way handshake has not completed yet . In practical terms, the local router has sent the TCP SYN but has not successfully received the SYN/ACK needed to complete the handshake . That is why C is correct.

Why the other options are wrong:

A is wrong because the message counters alone do not prove that the neighbor is unreachable. The study guide says the State/PfxRcd field shows the BGP state when the session is not established, and here that state is specifically Connect

B is wrong because waiting for an OPEN message happens in OpenSent , not Connect

D is not the best answer for this output. The study guide ties the displayed state directly to the protocol phase: Connect means the device is still waiting for a successful TCP handshake

So the verified answer is: C .

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

Intermittent behavior (working sometimes, failing others) points to resource or connectivity fluctuations rather than static misconfigurations.

B. Check that FortiGate is not entering conserve mode:

Reason: When FortiGate enters Conserve Mode (due to high memory usage), it changes its inspection behavior to save resources. Depending on the av-failopen setting, it may either bypass inspection (allowing blocked sites) or drop traffic (blocking valid sites) temporarily until memory recovers. This flapping between states causes intermittent filtering issues.

D. Check that the communication between FortiGate and FortiGuard is stable:

Reason: The Web Filter engine relies on real-time queries to the FortiGuard Distribution Network (FDN) to categorize URLs that are not in the local cache. If the internet connection or the specific path to FortiGuard is unstable (packet loss, latency), queries will time out. This results in " Rating Errors, " which can block or allow traffic unpredictably based on the " Allow websites when a rating error occurs " setting.

Why other options are incorrect:

A: A mismatch in inspection mode (e.g., Profile set to Proxy, Policy set to Flow) is a static configuration error. It would typically result in the profile not being selectable or consistently failing/not applying, rather than working intermittently.

C: If the wrong port is mapped (e.g., HTTP on 8080 is not mapped), the inspection engine will consistently ignore traffic on that port. It would not be intermittent.

The correct answers are A and D .

The debug output shows:

Sent RADIUS req to server ' RadiusServer ' : IP=172.25.188.164 ... user= " student " using CHAP

Result for radius svr ' RadiusServer ' 172.25.188.164(0) is 0

Sending result 0 for req 2

The study guide explains that in RADIUS real-time debug, FortiGate shows the IP address of the RADIUS server it is querying. In the example, it says FortiGate “creates an access request to the RADIUS server at IP address 10.0.13.130” and shows the line Sent radius req to server ... IP=10.0.13.130

So in your exhibit, the queried server is clearly 172.25.188.164 , which makes A correct.

The study guide also states:

“The message fnbamd_comm_send_result-Sending result 0 indicates that the authentication was successful and that FortiGate received the Access-Accept message.”

Since your exhibit also ends with Sending result 0 , that makes D correct.

Why the other options are wrong:

B is wrong because result 0 means authentication successful , not failed

C is wrong because the debug explicitly shows using CHAP , and the study guide lists supported RADIUS schemes as CHAP, PAP, MS-CHAP, and MS-CHAPv2

E is wrong because the study guide says two-factor authentication would involve an Access-Challenge response: “If two-factor authentication is enabled on the server, the response is an Access-Challenge message” Your exhibit shows successful result 0 / Access-Accept , not a challenge.

So the verified answers are: A, D .

Based on the Fortinet FCSS - Network Security 7.6 documents and the analysis of the VPN tunnel exhibit, here is the verified answer.

Questions no: 91

Verified Answer: A, C

Comprehensive and Detailed Explanation with all FCSS - Network Security 7.6 documents:

To determine the status of the VPN tunnel, we must examine the specific counters and fields in the diagnose vpn tunnel list output provided in the exhibit.

Analyze Phase 2 Status (Option A):

The output displays child_num=0.

In IKEv2 (and IKEv1 implementations in FortiOS), " Child SAs " refer to the Phase 2 (IPsec) Security Associations that carry the actual data traffic.

A value of 0 indicates that no Phase 2 tunnels are established. If Phase 2 were up, child_num would be at least 1.

Additionally, under the proxyid section, the field sa=0 confirms there is no active Security Association for that traffic selector.

Analyze Traffic Status (Option C):

The stat line shows: rxp=0 txp=0 rxb=0 txb=0.

rxp (Received Packets) and txp (Transmitted Packets) are both zero. This definitively confirms that no traffic is traversing the tunnel currently. This is expected since Phase 2 is down.

Analyze Phase 1 Status (Why B is incorrect):

The tunnel entry exists in the list with a valid tun_id, and NAT-Traversal is active (natt: mode=keepalive).

The presence of the tunnel in this command output, along with active Keepalive mechanisms, typically indicates that Phase 1 (IKE SA) is established and the peers are communicating on port 4500 (NAT-T), even though the data tunnels (Phase 2) failed to negotiate. If Phase 1 were down, the tunnel would often not appear in this " list " view or would show different status flags indicating a complete connection failure.

Conclusion: The exhibit shows a scenario where the Phase 1 control channel is likely up (evidenced by the entry existence and NATT keepalives), but the Phase 2 data channel is down (child_num=0), resulting in zero traffic flow (rxp=0/txp=0).

FortiOS Admin Guide: Static Routing, SNAT Route Change Feature

To determine the path the traffic will take, we must look at the FortiGate Route Lookup Precedence (Packet Processing Flow) and the specific configurations shown in the exhibit

Analyze the Routing Precedence:

In FortiOS, when a packet arrives (and is not part of an existing session), the FortiGate performs route lookups in a specific order:

Policy Routes: Configured under config router policy (or diagnose firewall proute list). These are checked first. If a packet matches the criteria (Source, Destination, Protocol, Incoming Interface), the Policy Route is used immediately, bypassing the standard routing table.

FIB (Forwarding Information Base): If no Policy Route matches, the device looks at the standard routing table (Static, Connected, Dynamic).

Analyze the Exhibit:

Policy Route Section: The output of diagnose firewall proute list shows an active policy route (id=1).

Destination: 100.65.0.0/255.255.255.0 (Matches the network in the question).

Action: It directs traffic to gateway 10.0.4.253 via oif=6(port4).

Routing Table Section: The output of get router info routing-table database shows multiple routes for 100.65.0.0/24 (Static, OSPF, BGP) all with distance 10. The Static route (S) is currently selected (* > ) in the FIB.

Conclusion:

Because Policy Routes take precedence over the standard routing table (FIB), the FortiGate will forward the traffic using the instructions in Policy Route ID 1. It will not use the Static, BGP, or OSPF routes visible in the routing table for any traffic that matches the policy route ' s criteria (ingress port 3).

The correct answer is C. 64.26.151.37 .

The study guide explains the FortiGuard flags shown by diagnose debug rating:

D = Default

I = Initial

T = Timing

F = Failed and specifically: “F = The server is down”

So even though 121.111.236.179 has the lowest RTT in the exhibit, it has the F flag, meaning FortiGate considers that server failed/down , so it will not be chosen.

To determine which active server is selected, the FortiOS administration guide states:

“The server list is sorted first by weight. The server with the smallest RTT appears at the top of the list regardless of weight. … Therefore the top position in the list is selected based on RTT while the other positions are based on weight.”

Among the valid, non-failed choices in the exhibit:

64.26.151.37 → RTT 45

209.22.147.36 → RTT 103

96.45.33.65 → RTT 144

208.91.112.194 → RTT 107

The active server with the lowest RTT is 64.26.151.37 , so that is the server FortiGate will choose.

So the verified answer is: C .

FortiTelemetry is a critical part of Security Fabric communications and requires explicit configuration for each participating FortiGate interface. The administrative access setting " fabric " (corresponding to FortiTelemetry) must be manually enabled per interface on both upstream and downstream devices. This is performed in the GUI under Administrative Access or via the CLI using the command set allowaccess fabric for the relevant network interface. Without this step, FortiTelemetry communications will not occur on that interface.

Additionally, the default communication between downstream and upstream FortiGate units in the Security Fabric is over TCP port 8013. This port is well-documented as the standard for Security Fabric and FortiTelemetry connections, and must be open and permitted across the network path for connectivity and status enforcement between units. The downstream FortiGate initiates the connection to the upstream via this port unless otherwise configured. This has also been documented as a PCI-relevant port, showing its default usage.

Other options:

Neighbor Discovery in FortiOS uses IPv6 ND protocol, not TCP.

FortiTelemetry port (8013) can be modified, but the interface Administrative Access for the Security Fabric must be manually enabled; Neighbor Discovery port modification is not documented as a supported change for FortiGate.