Free Fortinet FCSS_NST_SE-7.6 Practice Exam with Questions & Answers

The exhibit shows:

memory conserve mode: on

memory used: 2706 MB 89% of total RAM

memory used threshold red: 2675 MB 88% of total RAM

memory used + freeable threshold extreme: 2887 MB 95% of total RAM

The study guide states that the default thresholds are:

Extreme = 95%

Red = 88%

Green = 82%

So this FortiGate is in conserve mode because memory usage is 89% , which is above the red threshold (88%) , but it has not yet reached the extreme threshold (95%) .

The study guide then explains exactly what happens during conserve mode:

“For traffic that requires proxy-based inspection (and if memory usage has not exceeded the extreme threshold):

config system global

set av-failopen [off | pass | one-shot]

pass (default): All new sessions pass without inspection”

It also says:

“The av-failopen setting also applies to flow-based antivirus inspection.”

And the same page adds:

“If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

Therefore, with default settings and with memory usage below the extreme threshold , FortiGate is allowing new sessions that require inspection, but bypassing inspection . That matches C .

Why the other options are wrong:

A is wrong because the default behavior is not to block proxy-based inspected sessions; the default is pass , meaning they pass without inspection

B is wrong because if memory rises another 6% , it reaches 95% , which is the extreme threshold . At that point, the study guide says all new sessions that require inspection are blocked

D is wrong because FortiGate blocks all new inspected sessions only when memory usage exceeds the extreme threshold , and the exhibit shows it is currently at 89% , not 95%

To determine the path the traffic will take, we must look at the FortiGate Route Lookup Precedence (Packet Processing Flow) and the specific configurations shown in the exhibit

Analyze the Routing Precedence:

In FortiOS, when a packet arrives (and is not part of an existing session), the FortiGate performs route lookups in a specific order:

Policy Routes: Configured under config router policy (or diagnose firewall proute list). These are checked first. If a packet matches the criteria (Source, Destination, Protocol, Incoming Interface), the Policy Route is used immediately, bypassing the standard routing table.

FIB (Forwarding Information Base): If no Policy Route matches, the device looks at the standard routing table (Static, Connected, Dynamic).

Analyze the Exhibit:

Policy Route Section: The output of diagnose firewall proute list shows an active policy route (id=1).

Destination: 100.65.0.0/255.255.255.0 (Matches the network in the question).

Action: It directs traffic to gateway 10.0.4.253 via oif=6(port4).

Routing Table Section: The output of get router info routing-table database shows multiple routes for 100.65.0.0/24 (Static, OSPF, BGP) all with distance 10. The Static route (S) is currently selected (* > ) in the FIB.

Conclusion:

Because Policy Routes take precedence over the standard routing table (FIB), the FortiGate will forward the traffic using the instructions in Policy Route ID 1. It will not use the Static, BGP, or OSPF routes visible in the routing table for any traffic that matches the policy route ' s criteria (ingress port 3).

Based on the Fortinet FCSS - Network Security 7.6 documents and the analysis of the VPN tunnel exhibit, here is the verified answer.

Questions no: 91

Verified Answer: A, C

Comprehensive and Detailed Explanation with all FCSS - Network Security 7.6 documents:

To determine the status of the VPN tunnel, we must examine the specific counters and fields in the diagnose vpn tunnel list output provided in the exhibit.

Analyze Phase 2 Status (Option A):

The output displays child_num=0.

In IKEv2 (and IKEv1 implementations in FortiOS), " Child SAs " refer to the Phase 2 (IPsec) Security Associations that carry the actual data traffic.

A value of 0 indicates that no Phase 2 tunnels are established. If Phase 2 were up, child_num would be at least 1.

Additionally, under the proxyid section, the field sa=0 confirms there is no active Security Association for that traffic selector.

Analyze Traffic Status (Option C):

The stat line shows: rxp=0 txp=0 rxb=0 txb=0.

rxp (Received Packets) and txp (Transmitted Packets) are both zero. This definitively confirms that no traffic is traversing the tunnel currently. This is expected since Phase 2 is down.

Analyze Phase 1 Status (Why B is incorrect):

The tunnel entry exists in the list with a valid tun_id, and NAT-Traversal is active (natt: mode=keepalive).

The presence of the tunnel in this command output, along with active Keepalive mechanisms, typically indicates that Phase 1 (IKE SA) is established and the peers are communicating on port 4500 (NAT-T), even though the data tunnels (Phase 2) failed to negotiate. If Phase 1 were down, the tunnel would often not appear in this " list " view or would show different status flags indicating a complete connection failure.

Conclusion: The exhibit shows a scenario where the Phase 1 control channel is likely up (evidenced by the entry existence and NATT keepalives), but the Phase 2 data channel is down (child_num=0), resulting in zero traffic flow (rxp=0/txp=0).

The correct answers are A and D .

The Network Security Support Engineer 7.6 Study Guide explains that automation stitches consist of a trigger and one or more actions , and that they can detect events such as high CPU and conserve mode across the Security Fabric

The FortiOS administration guide then gives the exact practical example for A :

“Automation stitches can be created to run a CLI script and send an email message when memory or CPU usage exceeds specified thresholds.”

It also shows examples where the email body contains the script output using:

%%results%%

That directly confirms A .

For D , the FortiOS administration guide states:

“The URI and HTTP body can use parameters from logs or previous action results.”

It also explains the execution model:

“The stitch Action execution can be set to either Sequential or Parallel. In sequential execution actions will execute one after another with a delay (if specified). … In parallel execution all actions will execute immediately when the stitch is triggered.”

A concrete example shows a second action using the output of the first action:

“This string for the body text includes the results from the preceding CLI script action.” with

Body=%%results%%...

That confirms D .

Why the other options are wrong:

B is wrong because automation stitches can be triggered by IPS events, but the documentation does not describe them as modifying packet headers or payloads. Instead, they perform actions such as email, CLI script, webhook, quarantine, and similar automated responses

C is wrong because delay is associated with sequential execution, not parallel execution. The guide explicitly says: “A delay can be added before an action if Sequential action execution is used.”

So the verified answers are: A, D .

The command on this slide shows a summary of the statuses of all the OSPF neighbors. For each neighbor, it displays the adjacency state and if it is a DR, a BDR, or neither (DROther) Pagina 362 Enterprise_Firewall_7.2_Study. - Point-to-point networks contain only two peers, one at each end of a point-to-point link - Broadcast networks (multi-access) support more than two attached routers. They also support sending messages to multiple recipients (broadcasting). Pagina 365 Enterprise_Firewall_7.2_Study. In any multi-access network there is one DR and one BDR. Pagina 439 Network_Security_Support_Engineer_7.4_Study FULL/- This represents a point-to-point network

To establish a functional Security Fabric, specific network and configuration prerequisites must be met to ensure nodes can communicate, authorize, and share telemetry data:

A. You must ensure that TCP port 8013 is not blocked along the way:

TCP port 8013 is the dedicated port for FortiTelemetry (Fabric) communication. If firewalls (intermediate or local) block this port, the Fabric connection between the root and downstream FortiGates will fail.

D. You must authorize the downstream FortiGate on the root FortiGate:

Security Fabric relies on a trust relationship. When a downstream device attempts to join, it appears in the Root FortiGate ' s dashboard. The administrator must manually authorize this device (unless pre-authorized via serial number) to allow it to join the Fabric topology.

E. You must enable FortiTelemetry on the receiving interface of the upstream FortiGate:

The interface on the Root (upstream) FortiGate that faces the downstream devices must have the " Security Fabric Connection " (formerly CAPWAP/FortiTelemetry) administrative access setting enabled. Without this, the interface will not listen for or accept Fabric connection requests.

Why other options are incorrect:

B: Neighbor Discovery uses standard multicast/broadcast or static settings; changing the port is not a standard requirement.

C: FortiGates can participate in the Security Fabric in either NAT or Transparent mode; Transparent mode is not a mandatory requirement for the Fabric itself.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-diagnose-sys-top-CLI-command/ta-p/190238