FGT-1 is an area border router (ABR) that has interfaces in OSPF areas 0.0.0.0 and 0.0.0.5. FGT-3 acts as an autonomous system border router (ASBR), importing static routes into OSPF. FGT-2 is an internal router with all its interfaces belonging to area 0.0.0.5. FGT-1 is receiving all advertised routes from FGT-2; however, FGT-3 is not receiving any of the advertised routes from FGT-1. What is the most likely reason for this? (Choose one answer)
A. Area 0.0.0.5 is configured not to propagate type 5 LSAs.
B. FGT-2 is configured with a distribution list to block all advertised routes from FGT-3.
C. FGT-3 and FGT-2 have not formed an OSPF adjacency yet.
D. IP protocol 89 is blocked between FGT-1 and FGT-3.
A. Area 0.0.0.5 is configured not to propagate type 5 LSAs.
Explanation
The get router info ospf database brief output on FGT-2 clearly indicates that Area 0.0.0.5 is configured as a [Stub] area. In OSPF, a Stub Area is specifically designed to reduce the size of the Link State Database (LSDB) on internal routers. The primary behavior of a Stub area is that it does not accept Type 5 (AS External) LSAs. FGT-3 is the ASBR (Autonomous System Border Router) and is importing static routes, which are generated as Type 5 LSAs in the OSPF domain. FGT-1 acts as the ABR (Area Border Router). Because Area 0.0.0.5 is a Stub area, FGT-1 blocks these Type 5 LSAs from entering Area 0.0.0.5. Consequently, FGT-2 will not receive the specific external routes advertised by FGT-3. Instead, the ABR (FGT-1) injects a default route (0.0.0.0/0) into the Stub area to allow connectivity to the external world, which is visible in the database output.
While the question text mentions FGT-3 not receiving routes, the definitive configuration shown in the exhibit is the Stub area setting, which directly corresponds to the blocking of Type 5 LSA propagation (Option A).
Question 72:
Refer to the exhibit, which shows the output of diagnose sys session list.
If the HA ID for the primary device is 0, what happens if the primary fails and the secondary becomes the primary?
A. The secondary device has this session synchronized; however, because application control is applied, the session is marked dirty and has to be re-evaluated after failover.
B. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.
C. The session will be removed from the session table of the secondary device because of the presence of allowed error packets, which will force the client to restart the session with the server.
D. The session state is preserved but the kernel will need to re-evaluate the session because NAT was applied.
B. Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.
Question 73:
Refer to the exhibit, which shows partial outputs from two routing debug commands.
Which change must an administrator make on FortiGate to route web traffic from internal users to the internet, using ECMP?
A. Set snat-route-change to enable.
B. Set the priority of the static default route using port2 to 1.
C. Set preserve-session-route to enable.
D. Set the priority of the static default route using port1 to 10.
D. Set the priority of the static default route using port1 to 10.
Question 74:
Refer to the exhibit, which shows a partial output from the get router info routing-table database command.
The administrator wants to configure a default static route for port3 and assign a distance of 50 and a priority of 0.
What will happen to the port1 and port2 default static routes after the port3 default static route is created?
A. The port2 default static route will be injected into the forwarding information base (FIB).
B. The port1 default static route will be injected into the FIB.
C. Neither of the routes shown in the output will be injected into the FIB.
D. Both default static routes shown in the output will be injected into the FIB.
A. The port2 default static route will be injected into the forwarding information base (FIB).
Question 75:
Refer to the exhibits, which show the configuration on FortiGate and partial session information for internet traffic from a user on the internal network.
If the priority on route ID 2 were changed from 10 to 0, what would happen to traffic matching that user session? (Choose one answer)
A. The session would be deleted, and the client would need to start a new session.
B. The session would remain in the session table, but its traffic would now egress from both port1 and
C. The session would remain in the session table, and its traffic would egress from port2.
D. The session would remain in the session table, and its traffic would egress from port1.
D. The session would remain in the session table, and its traffic would egress from port1.
Question 76:
Which FortiGate feature allows administrators to capture live traffic for troubleshooting without using external packet capture tools?
A. diagnose sys top
B. diagnose sniffer packet
C. diagnose debug crashlog read
D. diagnose vpn ike log-filter
B. diagnose sniffer packet
Question 77:
Refer to the exhibits.
An OSPF peer is advertising route 172.16.52.0/24.
The local FortiGate is configured with an inbound distribution list that allows the 172.16.0.0/16 network to be injected into its routing table.
However, the 172.16.52.0/24 subnet cannot be seen in the FIB.
Which two steps can the administrator of the local FortiGate take to ensure that the advertised 172.16.52.0/24 subnet will be injected into the routing table? (Choose two.)
A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network.
B. Change the ge value to 17.
C. Change the R- value to 16.
D. Modify the default prefix-list behavior from implicit deny to implicit allow.
A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network.
B. Change the ge value to 17.
Explanation
The issue is caused by the strict matching logic of the configured prefix list.
Current state: the rule is edit 1 with set prefix 172.16.0.0 255.255.0.0, and both ge (greater than or equal) and le (less than or equal) are unset.
Behavior: when ge and le are unset, FortiOS requires an exact match of the subnet mask. The current rule only matches the exact network 172.16.0.0/16; it denies 172.16.52.0/24 because the mask (/24) does not match the rule's mask (/16). To inject 172.16.52.0/24, the list must be modified so that it matches the /24 mask:
A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network: creating a new rule (e.g., edit 2) with set prefix 172.16.52.0 255.255.255.0 provides an exact match for the incoming route, allowing it to pass the distribute-list.
B. Change the ge value to 17: configuring set ge 17 on the existing rule (conceptually 172.16.0.0/16 ge 17) changes the logic from "exact match" to "range match". The rule then matches any prefix within 172.16.0.0/16 whose mask length is 17 or greater. Since the incoming route is a /24, and 24 is greater than 17, the route matches the prefix list and is accepted.
Why the other options are incorrect:
C. The option text appears to read "Change the ... value to 16". If this refers to le 16, it restricts the mask length to at most /16, which still excludes /24.
D. Changing the default behavior to implicit allow defeats the purpose of the filter (a security control) and is not a standard configuration step for fixing a single missing route.
References:
FortiGate Security 7.6 Study Guide (Routing): "In prefix-lists, if ge and le are not used, the subnet mask must match exactly. To match subnets within a range, you must define the prefix length boundaries using ge or le."
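To make the exact-match versus ge/le range behavior concrete, the following Python model of prefix-list matching is an added example written for this page; it is not FortiOS code and not part of the original question or the study guide. The PrefixRule class, the rule_matches and evaluate functions, and the four sample lists (the exhibit's rule, fix A, fix B, and option C read as le 16) are constructed for the example. The handling of a rule with only ge set (ge through the address-family maximum) or only le set (the rule's own prefix length through le) follows the usual prefix-list convention and is an assumption beyond what the quoted study guide states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixRule:
    """One 'edit <seq>' entry of a prefix-list. Constructed model of the
    matching logic, not FortiOS code. ge/le of None model an unset value."""
    seq: int
    prefix: str                 # CIDR; FortiOS writes 'set prefix 172.16.0.0 255.255.0.0'
    ge: Optional[int] = None    # minimum prefix length ('set ge N')
    le: Optional[int] = None    # maximum prefix length ('set le N')
    action: str = "permit"      # 'permit' or 'deny'


def rule_matches(rule: PrefixRule, route: str) -> bool:
    """True if the advertised route matches this rule's prefix and length window."""
    net = ipaddress.ip_network(rule.prefix, strict=False)
    adv = ipaddress.ip_network(route, strict=False)
    # First test: the route's address bits must fall inside the rule's prefix.
    if adv.version != net.version or not adv.subnet_of(net):
        return False
    length = adv.prefixlen
    # Second test: the route's mask length must satisfy the ge/le window.
    if rule.ge is None and rule.le is None:
        # Neither set: the mask has to match the rule's mask exactly (/16 only).
        return length == net.prefixlen
    # Assumed convention: ge alone runs up to the family maximum (32 for IPv4),
    # le alone starts at the rule's own prefix length.
    low = rule.ge if rule.ge is not None else net.prefixlen
    high = rule.le if rule.le is not None else net.max_prefixlen
    return low <= length <= high


def evaluate(prefix_list: List[PrefixRule], route: str) -> Tuple[str, Optional[int]]:
    """Walk the list in sequence order; the first matching rule wins.
    No match falls through to the implicit deny, reported as ('deny', None)."""
    for rule in sorted(prefix_list, key=lambda r: r.seq):
        if rule_matches(rule, route):
            return rule.action, rule.seq
    return "deny", None


# Constructed lists mirroring the exhibit's rule and the candidate fixes.
ORIGINAL = [PrefixRule(1, "172.16.0.0/16")]                 # exact-match /16 only
FIX_A = ORIGINAL + [PrefixRule(2, "172.16.52.0/24")]        # option A: add edit 2
FIX_B = [PrefixRule(1, "172.16.0.0/16", ge=17)]             # option B: set ge 17
OPTION_C = [PrefixRule(1, "172.16.0.0/16", le=16)]          # option C read as 'le 16'

if __name__ == "__main__":
    lists = [("original", ORIGINAL), ("fix A", FIX_A), ("fix B", FIX_B), ("option C", OPTION_C)]
    for name, plist in lists:
        for route in ("172.16.52.0/24", "172.16.0.0/16"):
            print(f"{name:9} {route:16} -> {evaluate(plist, route)}")
```

Running the model shows the point of the explanation: the original list and the le 16 variant both leave 172.16.52.0/24 at the implicit deny, while fix A permits it on edit 2 and fix B permits it on edit 1. It also shows a side effect worth checking before choosing fix B: with ge 17 the aggregate 172.16.0.0/16 itself no longer matches the rule, so if the peer also advertises the /16, that route would now be dropped unless a separate entry covers it.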
Question 78:
Consider the scenario where the server name indication (SNI) does not match either the common name (CN) or any of the subject alternative names (SAN) in the server certificate.
Which action will FortiGate take when using the default settings for SSL certificate inspection?
A. FortiGate uses the SNI from the user's web browser.
B. FortiGate closes the connection because this represents an invalid SSL/TLS configuration.
C. FortiGate uses the first entry listed in the SAN field in the server certificate.
D. FortiGate uses the CN information from the Subject field in the server certificate.
D. FortiGate uses the CN information from the Subject field in the server certificate.
Explanation
When FortiGate performs SSL certificate inspection with default settings, it checks whether the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate's subject field to continue web filtering and categorization.
This behavior is described in the official Fortinet 7.6.4 Administration Guide: "Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate." This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.
By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end users while still supporting granular inspection.
Question 79:
Refer to the exhibit, which shows a partial output of the real-time LDAP debug.
Which two actions can the administrator take to resolve this issue? (Choose two.)
A. Ensure the user logs in using 'John Smith' not 'jsmith'.
B. Ensure the user is providing the correct user credentials.
C. Ensure the user is a member of at least one AD group to ensure step 4 of the LDAP authentication process is successful.
D. Ensure the account is active.
B. Ensure the user is providing the correct user credentials.
D. Ensure the account is active.
Question 80:
Refer to the exhibit, which shows the output of a diagnose command.
What can you conclude about the debug output in this scenario?
A. The first server provided to FortiGate when it performed a DNS query looking for a list of rating servers was 121.111.236.179.
B. There is a natural correlation between the value in the FortiGuard-requests field and the value in the Weight field.
C. FortiGate used 64.26.151.37 as the initial server to validate its contract.
D. Servers with a negative TZ value are less preferred for rating requests.
B. There is a natural correlation between the value in the FortiGuard-requests field and the value in the Weight field.