FCSS_LED_AR-7.6 Fortinet NSE 6 - LAN Edge 7.6 Architect Questions and Answers

This question combines two FortiAP behaviors shown in the study guide:

AP handoff for load balancing

Frequency handoff for band steering to 5 GHz

From the WTP profile in the exhibit:

set handoff-rssi 30

set handoff-sta-thresh 30

The LAN Edge 7.6 Architect study guide explains AP handoff like this:

“If the number of clients is already at the defined threshold, new clients will be redirected to join the least busy nearby AP.” It also states: “The handoff-sta-thresh parameter defines the threshold value that triggers the handoff protocol for new clients.”

So, because the first AP 5 GHz radio already has 32 clients, it is above the threshold of 30, meaning AP handoff can be considered.

However, the same extract adds an important condition:

“The handoff-rssi threshold defined in the AP profile applies when a handed-off client tries to connect to the second AP. The client ' s signal strength must be equal to or greater than the defined RSSI value on the new AP.”

The second AP measures the client at -43 dBm. Based on the configured handoff RSSI threshold of 30, the second AP does not satisfy the required signal condition for the handoff target, so FortiGate does not redirect the client there.

Now consider band selection. The study guide explains frequency handoff:

“Frequency handoff is a band steering technique that FortiGate uses to encourage clients to use the 5 GHz frequency instead of the 2.4 GHz.”

It also says:

“When a client tries to connect, FortiGate checks whether it can support 5 GHz and, if so, how good the signals are. If a client supports the 5 GHz frequency and the signal is strong enough to connect, FortiGate ignores the client’s requests to join the network on 2.4 GHz until the request times out. The client will then automatically try to join the same network using 5 GHz.”

Because the client is dual-band capable and the first AP sees it at a very strong -33 dBm, FortiGate will steer it to 5 GHz on the first AP.

Why the other options are incorrect:

A. Incorrect. The study guide says frequency handoff encourages dual-band clients to use 5 GHz instead of 2.4 GHz when the 5 GHz signal is strong enough

C. Incorrect. Even though the second AP 5 GHz radio has fewer clients, AP handoff only occurs if the target AP meets the configured handoff RSSI requirement. The study guide explicitly makes that a condition

D. Incorrect. 2.4 GHz is not preferred here. The study guide specifically says FortiGate uses frequency handoff to encourage 5 GHz for dual-band-capable clients

Final verified conclusion:

The client will associate with the first AP 5 GHz radio because:

the client is dual-band capable

FortiGate prefers 5 GHz through frequency handoff

the first AP has the stronger signal at -33 dBm

the second AP does not qualify as the handoff target under the configured handoff RSSI condition

According to the Fortinet LAN Edge architecture regarding device discovery and management:

FortiLink Discovery Mechanism: Managed FortiSwitches are designed to be discovered automatically by the FortiGate switch controller. For this discovery to occur, a management IP address must be assigned to the switch so it can communicate with the FortiGate via the FortiLink protocol.

DHCP Requirement: All FortiGate devices include a factory-default FortiLink interface. Once this interface is configured with an IP address and netmask, the FortiGate automatically establishes a DHCP scope dedicated to assigning IP addresses and other network parameters to the connected managed switches.

Troubleshooting Discovery: If a FortiSwitch does not appear in the interface, it indicates a failure in the initial discovery phase. The most common cause is the switch failing to receive an IP address. Therefore, the first logical troubleshooting step is to verify that the FortiGate ' s DHCP server on the FortiLink interface is active and successfully leasing an IP address to the FortiSwitch.

Authorization: Once the switch receives an IP and is discovered, it will typically show as " Unauthorized " until the administrator manually authorizes it (unless " Automatically authorize devices " is enabled). If it doesn ' t appear at all, the issue precedes authorization and likely relates to basic IP connectivity provided by DHCP.

Analysis of Incorrect Options:

A: Security policies on the FortiGate control traffic passing through the firewall (transit traffic), not the management traffic between the FortiGate itself and its managed switches.

B: While static IPs are technically possible, the standard architectural design for LAN Edge relies on DHCP for plug-and-play functionality; manually assigning a static IP is a more advanced step, not the first troubleshooting action.

D: Internet access is not required for the FortiSwitch to be managed locally by a FortiGate via FortiLink.

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

When a FortiGate is deployed usingZero Touch Provisioning (ZTP)or auto-discovery:

FortiGate retrieves theFortiManager IP address(from DHCP Option 240, FortiCloud/ZTNA provisioning, or manual set).

The next step isnot UI authorizationor DHCP changes—it immediately attempts to form aFGFM (FortiGate–FortiManager) tunnel.

The FGFM protocol usesTCP port 541to establish a secure management channel.

FortiManager will still require manual authorization of the deviceinside FortiManager, but this occursafterthe tunnel is established.

Therefore, the first automatic action after retrieving the FMG address iscreating the secure FGFM tunnel on TCP/541.

The problem states:

FortiGate receivesRADIUS accounting messagesonport3.

User-Nameattribute contains the username.

Classattribute contains the group membership.

Goal: authenticate users through RSSO and map them to the correct user groups.

To achieve this, three critical components must be configured:

✔A. RADIUS Attribute Value in the RSSO group must match the Class attribute

This is mandatory because:

RSSO user groups on FortiGate match users based onthe value inside the RADIUS attribute(usually Class).

For group assignment to work, FortiGate must compare:

RSSO User Group → RADIUS Class Attribute Value

This isexactly how FortiGate maps RSSO users to groups.

✔D. RSSO agent’s sso-attribute must be set to Class

Thesso-attributedefineswhich RADIUS attribute contains the group information.

Because group membership is carried in:

➡Class attribute

You must configure:

config user radius

set sso-attribute Class

end

This tells FortiGate:

" Use the Class attribute to derive user group membership. "

✔E. rsso-endpoint-attribute must be set to User-Name

This identifieswhich RADIUS attributecarries the actualusername.

In this scenario:

RADIUS accounting messages contain the username inUser-Name.

So the correct setting is:

config user radius

set rsso-endpoint-attribute User-Name

end

This ensures the RSSO user object uses the correct username.

❌Incorrect Options Explained

B. Assign RSSO user groups to all firewall policies

Not required.

You only assign them to policies where RSSO authentication is used.

C. Device detection and Security Fabric Connection should be enabled on port3

Totally irrelevant to RSSO.

RSSO only needs RADIUS accounting, not device detection or Fabric services.

In a LAN Edge deployment:

FortiSwitch is managedthrough FortiGate via FortiLink.

FortiAIOps integrates withFortiGateas the single managed device; from there it gains visibility intoall Fabric and LAN-edge devices(FortiSwitch, FortiAP) that are registered to that FortiGate.

Once the FortiGate is successfully added to FortiAIOps (as shown in the exhibit, statusOnline / Successfully Discovered), all FortiSwitches managed by that FortiGate are:

Discovered automatically through the FortiGate–FortiAIOps connection

Shown under the appropriate inventory / switch views withno separate onboarding stepfor each switch.

This is why no extra IP, serial number, or credential entry is required for FortiSwitch.

So:

AandBsuggest manual per-switch onboarding, which is not how FortiAIOps works with LAN Edge.

Dsimilarly assumes direct FortiSwitch management, but FortiAIOps talks toFortiGate, not the switch.

Therefore the correct behavior is that theFortiSwitch is added automatically (C)once its managing FortiGate is connected to FortiAIOps.

When FortiAPs connect to FortiGate overIPsec tunnels, this is treated similarly to WAN/MPLS deployments.

In these scenarios, FortiGate must know that CAPWAP must traverse anon-L2transport.

FortiAP profiles include:

set mpls-connection enable

This setting is required so that:

FortiGate can encapsulate CAPWAP inside the transport tunnel

Remote FortiAPs can establish CAPWAP even when behind routed/IPsec networks

Without this option, the FortiGate detects the AP butcannot bring CAPWAP UP, leaving the AP in “discovered/unauthorized” or “offline” state.

Why others are wrong

A. Static route→ Discovery already succeeds, so routing is not the issue.

C. Reduce MTU→ Sometimes useful for IPsec, but not required for CAPWAP establishment.

D. Firmware upgrade→ Firmware mismatch would show “Managed (upgrade required),” not CAPWAP tunnel failure.

Therefore,set mpls-connection enableis the required fix.

In this scenario:

FortiGate + FortiAnalyzer are part of theSecurity Fabric

AnAutomation Stitchis configured:

Trigger:Compromised Host – High(IOC from FortiAnalyzer)

Action:Quarantine on FortiSwitch + FortiAP

A test device10.0.2.1visits a malicious website.

FortiAnalyzer logs show the event, butFortiGate does NOT quarantine the device.

This means theautomation did not receive an IOC trigger, OR theFabric did not classify it as a compromise.

Let ' s evaluate each answer option.

✅C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.

✔Correct.

For FortiGate to quarantine a device:

FortiAnalyzer must classify the event as aCompromised Host → High / Medium / Critical

FortiAnalyzer must generate anIOC event

FortiGate must receive that IOC through the Fabric

Even though the FAZ log shows:

Action = blocked

Category = Malicious Websites

→ That doesNOTautomatically mean an IOC was generated.

A blocked website event isnot always an IOCunless:

It is included in theIOC database

FAZ’sAnalytics / UTM / IOCengine marks it as a compromise

Thus, if FAZ only logs a “Malicious Website” event butdoes not classify it as an IOC,

From the exhibits:

The AP profile shows:

SSIDs: Tunnel | Bridge | Manual

The current setting isBridge, not Manual.

WhenBridgeorTunnelis selected, the AP profiledoes NOT automatically broadcast SSIDsunless the corresponding VAPs were explicitly mapped in the AP profile.

FortiManager SSID profiles are created, but unless these are explicitly applied underManual SSIDs selection, the AP will not broadcast any SSID.

Fortinet documentation states:

“To control which SSIDs an AP broadcasts, the AP Profile must have SSIDs set toManual, and the desired SSIDs must be selected.”

Therefore, to make the AP broadcast the intended SSIDs:

✔You must switch the SSIDs setting to Manual, and manually select the SSIDs (CompanyPrinters, Student01, Guest-CorpPort, PSK).

Why the other options are incorrect:

A. Adjust AP profile to avoid mixing bridge/tunnelMixed modes ARE supported. Not the issue.

B. Change platformThe platform (FAP231F) already supports all listed SSIDs.

D. Set transmit power mode to autoPower settings have nothing to do with SSID broadcasting.

The FortiOS documentation explicitly states that a CSR used for certificate signing must contain accurate and valid fields, especially:

Common Name (CN)

Organization (O)

Country (C)

Public key parameters

According to the FortiGate certificate section:

Incorrect CSR field information can cause the CA to reject the request.

Reasons include:

The CA validates identity and organizational information.

Missing or malformed data invalidates PKI requirements.

The CSR is not corrected automatically by the CA.

Therefore:

✔A is correct.

Options B–D contradict PKI principles:

B is false: CAs do not issue certificates with mismatched identity fields for public trust.

C is false: CSR fields are not only for internal use; they define certificate identity.

D is false: CAs do not auto-correct CSR fields.

The correct answers are A and B.

The LAN Edge 7.6 Architect study guide explains that when LDAP is the back-end server, CHAP, MS-CHAP, and MS-CHAPv2 do not work because the client sends a one-way password hash, while LDAP expects the actual password:

“If FortiGate is configured to authenticate clients using a remote LDAP server, VPN and wireless clients using CHAP schemes are not able to authenticate... The reason is that during CHAP, MS-CHAP, and MS-CHAPv2 authentication, a client sends a one-way hash of the password. However, the LDAP server, which is on the back end, is expecting the password itself.”

The same study guide then gives the two valid solutions:

“Two possible methods that you can use to solve the CHAP and LDAP problem are:”

“Use RADIUS: Change your back-end server from LDAP to RADIUS.”

and

“If you are using Windows AD as your LDAP server, an alternative is to use FortiAuthenticator as an authentication proxy... You must also configure FortiAuthenticator to log in to the Windows domain using the credentials of a Windows administrator. This adds FortiAuthenticator as a trusted device on the Windows AD domain, allowing FortiAuthenticator to proxy the password hash from the client to the Windows server, using NTLM.”

That directly matches:

A. Enable Windows Active Directory domain authentication on FortiAuthenticator.

B. Configure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server.

The study guide also states this explicitly in the FortiAuthenticator LDAP configuration section:

“If you want FortiAuthenticator to relay CHAP, MS-CHAP, and MS-CHAPv2 authentication to a Windows AD server, you must enable Windows Active Directory Domain Authentication and enter the credentials for a Windows administrator.”

And it separately confirms RADIUS as another supported back-end proxy model:

“You can configure FortiAuthenticator to connect to existing RADIUS servers... If the local user database is not used, FortiAuthenticator proxies RADIUS authentication requests.”

Why the other options are incorrect:

C. Incorrect. RADIUS attribute filtering does not solve the CHAP/MS-CHAPv2 versus LDAP hash problem. The issue is the back-end authentication method, not attribute filtering.

D. Incorrect. Changing from MS-CHAPv2 to CHAP does not fix it, because the study guide says the same limitation applies to CHAP, MS-CHAP, and MS-CHAPv2 when LDAP is the back end

Final verified conclusion:

To enable MS-CHAPv2 authentication in this scenario, the two valid solutions are:

A. Enable Windows Active Directory domain authentication on FortiAuthenticator.

B. Configure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server.