FCSS_NST_SE-7.6 Exam Dumps - Fortinet Certified Solution Specialist Questions and Answers

The correct answer is D .

The study guide shows the ipsmonitor test usage exactly:

1: Display IPS engine information

2: Toggle IPS engine enable/disable status

5: Toggle bypass status

99: Restart all IPS engines and monitor

So diagnose test application ipsmonitor 5 is used to toggle bypass status , which corresponds to enabling IPS bypass mode .

Why the other options are wrong:

A is wrong because disabling the IPS engine is option 2 , not 5.

B is wrong because the study guide does not define option 5 as IPS session information.

C is wrong because restarting all IPS engines and monitors is option 99 , not 5.

So the verified answer is: D .

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The correct answer is C. 64.26.151.37 .

The study guide explains the FortiGuard flags shown by diagnose debug rating:

D = Default

I = Initial

T = Timing

F = Failed and specifically: “F = The server is down”

So even though 121.111.236.179 has the lowest RTT in the exhibit, it has the F flag, meaning FortiGate considers that server failed/down , so it will not be chosen.

To determine which active server is selected, the FortiOS administration guide states:

“The server list is sorted first by weight. The server with the smallest RTT appears at the top of the list regardless of weight. … Therefore the top position in the list is selected based on RTT while the other positions are based on weight.”

Among the valid, non-failed choices in the exhibit:

64.26.151.37 → RTT 45

209.22.147.36 → RTT 103

96.45.33.65 → RTT 144

208.91.112.194 → RTT 107

The active server with the lowest RTT is 64.26.151.37 , so that is the server FortiGate will choose.

So the verified answer is: C .

The key point is that the two VPNs are dynamic dialup IPsec tunnels on the same interface and both are using IKEv1 main mode . In this design, FortiGate cannot reliably distinguish which dialup phase1 to match before phase 1 completes.

The uploaded Network Security Support Engineer 7.6 Study Guide shows that XAuth happens only after phase 1 is already established:

“The IKE real-time debug shows, after phase 1, the exchange of extended authentication (XAuth) packets… You can also see the CFG_REPLY, showing the XAuth user and group name.”

That means the user group is learned too late to be used for selecting the correct phase1 definition. So the fix must be applied to the phase1 matching method itself , not to XAuth.

The FortiOS administration guide gives the exact rule for this scenario:

“When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address.”

For Option A:In Fortinet BGP (and standard BGP), when a prefix is displayed with an " i " (lowercase i) in the Path column, it represents an internal prefix that originated from the local router, typically configured via the BGP " network " command. In the exhibit, the prefix 10.20.30.0/24 is listed with a Path value of i, indicating it was injected into BGP by the local router using the network statement, not via redistribution from another routing protocol. The same logic applies to i as documented: " Origin code ' i ' means the route was injected via the network command. "

For Option D:The get router info bgp network output is a summary table displaying both local and received BGP routes. It lists all known routes to the BGP process, whether received from peers or originated locally. The exhibit shows all BGP prefixes known to the local router, matching the official admin guide’s description of this command’s output.

Explanation for B and C:

The phrase “legacy route advertisement” is not formalized in BGP documentation or Fortinet’s admin guide; the output uses standard BGP mechanics.

If a route was redistributed into BGP from another routing protocol, the Path field would display a " ? " (question mark) for incomplete (redistributed) origin. Here the /24 route has " i " so it is NOT a redistribution.

The correct answers are A and B .

The exhibit shows:

override: disable

both members are currently in-sync

only port7 appears under HBDEV stats , so it is the active heartbeat interface

the cluster is in HA A-P mode

Why A is correct:

With override disabled , after a failover the new primary keeps that role when the old primary comes back. The FortiOS administration guide states:

“When the primary FortiGate rejoins the cluster the secondary FortiGate continues to operate as the primary FortiGate.”

So if FGVM...649 reboots and FGVM...650 becomes primary, FGVM...650 will remain primary after FGVM...649 rejoins.

Why B is correct:

The study guide states:

“When FortiGate devices configured in an HA cluster lose communication with each other on the heartbeat interface, each FortiGate assumes the role of the primary device.”

The exhibit shows only port7 as the heartbeat device in HBDEV stats

So if port7 is disconnected and heartbeat communication is lost, the cluster can enter a split-brain condition, where both units believe they are primary. The FortiOS administration guide confirms the same behavior: loss of heartbeat communication causes each member to think it is the primary

Why the other options are wrong:

C is wrong because configuration synchronization status is specifically used to detect whether secondary members remain synchronized with the primary. If members are no longer synchronized, the status changes from in-sync to out-of-sync

D is wrong because the study guide explains that during a configuration change, checksums may differ briefly while changes are copied, but it does not describe this as the secondary initiating a “synchronization reset”

So the verified answers are: A, B .

The study guide states:

“The kernel memory slabs are collections of objects with a common purpose. The kernel uses them to store information in memory.”

It also gives the exact calculation rule:

“Total slab size = available objects x object size”

From the exhibit:

tcp_session 3 5 1500 ...

So:

available objects = 5

object size = 1500

Therefore:

Total slab size = 5 × 1500 = 7500 kB

That makes D correct, and it is associated with the kernel , not user space.

Why the other options are wrong:

A is wrong because sctp_session 0 0 1600 ... gives 0 × 1600 = 0 , but slabs are associated with the kernel , not user space.

B is wrong because ip_session 1 3 1200 ... gives 3 × 1200 = 3600 , but again slabs are kernel memory, not user space.

C is wrong because ip6_session 0 0 1300 ... gives 0 × 1300 = 0 , not 1300.