FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Questions and Answers

FortiOS Admin Guide: Static Routing, SNAT Route Change Feature

The correct answer is A .

The study guide explains the IKEv2 exchange order very clearly:

“The initial exchanges are: IKE_SA_INIT and IKE_AUTH.”

“Create_Child_SA exchange: Creates a new child SA or rekeys an existing child SA.”

It also states:

“After successful IKE_SA_INIT and IKE_AUTH exchanges, the CHILD_SA exchange takes place. In this exchange, the peers negotiate the CHILD_SA and the traffic selectors — traffic selector responder (TSr) and traffic selector initiator (TSi).”

That is why A is correct: if the tunnel was initially brought up successfully , then the initial exchanges already succeeded. A later problem during CREATE_CHILD_SA , especially with traffic selectors/phase 2 selectors , can cause the tunnel to fail during rekey or child-SA renegotiation.

Why the other options are wrong:

B is wrong because proposal mismatch for the IKE SA is handled during IKE_SA_INIT , not after the tunnel is already up. The study guide says IKE_SA_INIT negotiates the security settings to protect the IKE traffic

C is wrong because a pre-shared key mismatch is part of authentication and would prevent successful initial establishment during IKE_AUTH . The study guide shows that after IKE_AUTH, “authentication succeeded” and “established IKE SA” when it works

D is wrong because a Diffie-Hellman mismatch belongs to IKE_SA_INIT , which happens before the tunnel comes up. The study guide also states: “By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange.”

So the verified answer is: A .

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-diagnose-sys-top-CLI-command/ta-p/190238

The correct answer is B .

The study guide explicitly states that slabs are used by the kernel : “The kernel memory slabs are collections of objects with a common purpose. The kernel uses them to store information in memory.”

It also gives the exact calculation method: “Total slab size = available objects x object size” and explains that in the diagnose hardware sysinfo slab output, the columns are active objects , available objects , and object size

From the exhibit:

tcp_session 3 5 1500 ...

available objects = 5

object size = 1500

So:

Total slab size = 5 × 1500 = 7500

That matches option B .

Why the other options are wrong:

A : ip_session 10 10 1408 ... gives 10 × 1408 = 14080 , but slabs are associated with the kernel , not user space

C : ip6_session 5 0 1472 ... gives 0 × 1472 = 0 , not 1472

D : UDPv6 15 10 1408 ... gives 10 × 1408 = 14080 , but again slabs are associated with the kernel , not user space

So the verified answer is B .

Analyze the " Send to Application Layer " Message:

The most critical line in the debug output is: id=65308 ... func=av_receive ... msg= " send to application layer "

Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.

Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a " send to application layer " message for standard web filtering.

Evaluate Option B (Firewall Policy Mode):

Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path. Thus, Option B is correct.

Evaluate Option C (Web Filter Profile Mode):

In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.

Why Option A is Incorrect (NPU Offload):

The output shows npu_state=0x100. In the context of a flow trace where traffic is being " sent to application layer, " this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.

Why Option D is Incorrect (Port Mapping):

While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct " observations " derived from the log data.

The correct answer is B. Assertion dump .

The study guide states: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

The same study guide page for real-time SAML troubleshooting shows the section labeled **** Assertion Dump **** , and inside that assertion it displays the actual user attributes, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

It also explicitly marks this part as “Attributes sent by IdP”

Why the other options are wrong:

A. Bindings HTTP post is incorrect because bindings define how SAML messages are transported , not the section that contains the attributes. The study guide says: “Bindings: Define how SAML protocol messages are transmitted over different communication channels.”

C. Authentication request is incorrect because that is built by the SP and sent toward the IdP, not where the IdP’s user attributes are shown. The study guide’s flow says the SP “Builds auth request” and the IdP later “Builds auth response.”

D. Authentication response is broader than the exact section being asked. The exact section in the study guide where the IdP-provided attributes are shown is the Assertion dump .

So the verified answer is: B .

FortiGate HA Troubleshooting and Synchronization Guides

Fortinet Admin Guide: HA Primary Role Retention, Cluster Break-up Due to Out-of-Sync Status

The correct answer is D. The inbound IPsec SA was copied to the NPU.

The exhibit shows:

npu_flag=02

dec_npuid=1

enc_npuid=0

The study guide gives the exact meaning of the npu_flag field:

npu_flag=00 = Both IPsec SAs loaded to the kernel

npu_flag=01 = Outbound IPsec SA copied to NPU

npu_flag=02 = Inbound IPsec SA copied to NPU

npu_flag=03 = Both outbound and inbound IPsec SAs copied to NPU

It also explains: “If the first IPsec packet is inbound and can be offloaded, the inbound SA is copied to the NPU and the npu_flag changes to 02. After both SAs are copied to the NPU, the npu_flag changes to 03.”

So with npu_flag=02, only the inbound SA has been copied to the NPU. That makes D correct.

Why the other options are wrong:

A is wrong because outbound-only offload would be npu_flag=01, not 02

C is wrong because both directions offloaded would be npu_flag=03, not 02

B is wrong because dec_npuid=1 identifies the NPU ID used for decryption, but it does not state that the processor is specifically NP6 . The study guide only maps the offload state through the npu_flag values in this context, not the NPU model from this field alone

So the verified answer is: D .

The 8.8.8.8/32 route is visible in the OSPF database on FGT-B but not installed into the routing table—the most likely explanation is that FGT-B is filtering it from being installed.

Auxiliary sessions in Fortinet are designed to support ECMP (Equal Cost Multi-Path) and SD-WAN scenarios, allowing sessions to be handled efficiently when traffic needs to be dynamically distributed across multiple links. With the auxiliary session setting enabled, FortiGate creates additional session table entries for each possible path in ECMP or SD-WAN—meaning that if the routing path changes (such as a link failover), a new session can be immediately activated and offloaded to the NP6 network processor for acceleration, ensuring minimal disruption. This greatly benefits high-throughput deployments.

Official documentation specifies that when auxiliary sessions are enabled, FortiGate doesn’t just rely on dynamically creating new sessions after a routing event, it proactively creates sessions for all potential paths. This means that in the event of a route change, two sessions exist and the traffic is quickly re-routed and offloaded, maximizing performance and reliability. Without this feature, multiple paths cannot be efficiently offloaded, and routing changes trigger a single session update, reducing failover performance.

The BGP debug output shows session information for peers, including state details. According to official Fortinet BGP documentation, if the session state with a peer does not show " Idle, " " Active, " or " Connect, " but instead shows " Established, " " Up, " or related counters (e.g., messages sent/received or uptime), it indicates the session is operational. In this scenario, the peer 10.127.0.75 is the only one showing a positive indication of a live, established session. Other options like neighbor-range configuration, AS mismatch, or route-maps blocking prefixes are not supported by evidence provided in a simple BGP session state debug, nor does the output show errors relating to local or remote AS issues.

The correct interpretation comes from Fortinet ' s BGP troubleshooting guide, which outlines how to read session status and neighbor states in debug and summary outputs.

The issue is caused by the strict matching logic of the configured Prefix List.

Current State: The rule is edit 1 with set prefix 172.16.0.0 255.255.0.0 and both ge (greater than or equal) and le (less than or equal) are unset.

Behavior: When ge and le are unset, FortiOS requires an exact match of the subnet mask. The current rule only matches the exact network 172.16.0.0/16. It denies 172.16.52.0/24 because the mask (/24) does not match the rule ' s mask (/16).

To fix this and inject 172.16.52.0/24, you must modify the list to match the /24 mask:

A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network:

Creating a new rule (e.g., edit 2) with set prefix 172.16.52.0 255.255.255.0 will provide an exact match for the incoming route, allowing it to pass the distribute-list.

B. Change the ge value to 17:

By configuring set ge 17 on the existing rule (conceptually 172.16.0.0/16 ge 17), you change the logic from " exact match " to " range match " .

This configuration tells the router to match any prefix starting with 172.16.x.x that has a subnet mask length of 17 or greater.

Since the incoming route is a /24, and 24 is greater than 17, the route will match the prefix list and be accepted.

Why other options are incorrect:

C: The option text appears to read " Change the ... value to 16 " . If this refers to le 16, it would enforce the mask to be exactly /16 or less, which still excludes /24.

D: Changing the default behavior to implicit allow defeats the purpose of a filter (security control) and is not a standard configuration step for fixing a single missing route.

To determine the correct reasons for the adjacency failure, we must analyze the standard OSPF real-time debug output (diagnose ip router ospf all enable or diagnose sniffer packet) typically provided in this exam exhibit.

Analyze the Debug Output:

The debug output in this specific question scenario typically displays an incoming Hello packet line: OSPF: RECV[Hello]: ... auth-type 0 ...

" RECV " : Indicates the packet is coming from the Remote peer.

" auth-type 0 " : Indicates the Remote peer is sending " Null " (No) authentication.

Analyze the Failure:

The adjacency fails because the Local FortiGate is rejecting this packet.

If the Local FortiGate accepts " No Authentication " , it would match auth-type 0 and form the adjacency.

Since it is failing (and producing a debug log), the Local FortiGate must be expecting a different authentication type (Type 1 Cleartext or Type 2 MD5).

Evaluate the Options:

A. The remote peer has either OSPF cleartext or MD5 authentication configured.

Incorrect. The debug shows auth-type 0 (No Auth) coming from the remote peer.

B. There is an OSPF authentication configuration mismatch.

Correct. One side is sending " No Auth " (Remote), and the other expects " Auth " (Local). This is a definition of a mismatch.

C. The local FortiGate does not have OSPF authentication configured.

Incorrect. If the Local unit had " No Auth " configured, it would match the Remote ' s auth-type 0, and the adjacency would come up. The failure implies the Local unit does have auth configured.

D. The local FortiGate has either OSPF cleartext or MD5 authentication configured.

Correct. Because the Local unit is rejecting the " No Auth " packet from the remote peer, it confirms that the Local unit has authentication enabled (expecting Type 1 or 2).

Conclusion: The breakdown of the OSPF negotiation shows that the Remote peer is sending no authentication (Type 0), while the Local FortiGate expects authentication, resulting in a mismatch.

The correct answers are A and B .

The exhibit shows:

override: disable

both members are currently in-sync

only port7 appears under HBDEV stats , so it is the active heartbeat interface

the cluster is in HA A-P mode

Why A is correct:

With override disabled , after a failover the new primary keeps that role when the old primary comes back. The FortiOS administration guide states:

“When the primary FortiGate rejoins the cluster the secondary FortiGate continues to operate as the primary FortiGate.”

So if FGVM...649 reboots and FGVM...650 becomes primary, FGVM...650 will remain primary after FGVM...649 rejoins.

Why B is correct:

The study guide states:

“When FortiGate devices configured in an HA cluster lose communication with each other on the heartbeat interface, each FortiGate assumes the role of the primary device.”

The exhibit shows only port7 as the heartbeat device in HBDEV stats

So if port7 is disconnected and heartbeat communication is lost, the cluster can enter a split-brain condition, where both units believe they are primary. The FortiOS administration guide confirms the same behavior: loss of heartbeat communication causes each member to think it is the primary

Why the other options are wrong:

C is wrong because configuration synchronization status is specifically used to detect whether secondary members remain synchronized with the primary. If members are no longer synchronized, the status changes from in-sync to out-of-sync

D is wrong because the study guide explains that during a configuration change, checksums may differ briefly while changes are copied, but it does not describe this as the secondary initiating a “synchronization reset”

So the verified answers are: A, B .

The output on FGT-01 confirms that the device is actively encapsulating traffic and sending it as ESP packets (Protocol 50) out of port1 towards the IP address 97.86.16.52. The logs show outgoing packets, which confirms FGT-01 is attempting to initiate or maintain the tunnel and that NAT-Traversal is not being used (as it uses raw ESP).

The output on FGT-02 , however, displays (no packets captured). This is significant because the sniffer command diagnose sniffer packet any ' esp ' captures traffic at the network interface level (ingress), regardless of whether a matching VPN configuration exists on the receiving unit. The absence of packets proves that the ESP traffic generated by FGT-01 is physically not arriving at FGT-02 ' s interface.

This behavior is explained by two primary factors:

Option A (Blocking): An intermediate device, such as an ISP router or firewall, is dropping Protocol 50 traffic. Unlike UDP 500/4500, raw ESP is often blocked by default on many networks or legacy devices.

Option C (Routing/Misconfiguration): If the administrator configured the wrong remote peer IP on FGT-01 , the packets are being routed to a different destination entirely. Consequently, they never arrive at FGT-02 to be captured.

Option B is incorrect because even without a configured VPN tunnel, the sniffer would still display the incoming ESP packets if they were reaching the interface. Option D is incorrect because FGT-01 is sending ESP, making ' esp ' the correct filter.

The best verified answer is C .

The study guide says that when FortiGate is in conserve mode, it activates protection measures to recover memory space:

“System configuration cannot be changed”

“FortiGate skips quarantine actions (including FortiSandbox analysis)”

It also explains that inspection behavior can be reduced while in conserve mode:

“pass (default): All new sessions pass without inspection until FortiGate switches back to non-conserve mode.”

“The av-failopen setting also applies to flow-based antivirus inspection.”

The FortiOS administration guide summarizes this behavior as:

“This causes functions such as antivirus scanning to change how they operate to reduce the functionality and conserve memory without compromising security.”

That is why C is the closest correct choice: FortiGate can reduce functionality of some processes, especially antivirus-related inspection, to preserve memory.

Why the other options are wrong:

A is wrong because FortiGate does not automatically reboot as a default conserve-mode action. A reboot can be configured through an automation stitch , but that is an optional administrator-defined response, not the built-in conserve-mode behavior

B is wrong because the documentation does not say FortiGate switches from proxy-based inspection to flow-based inspection. Instead, it may pass traffic without inspection depending on av-failopen settings

D is not generally correct for conserve mode . The study guide says FortiGate starts dropping new sessions only when memory usage exceeds the extreme threshold : “If memory usage exceeds the extreme threshold, all new sessions that require inspection (flow-based or proxy-based) are blocked.”

So the verified answer is: C .

The study guide states:

“The kernel memory slabs are collections of objects with a common purpose. The kernel uses them to store information in memory.”

It also gives the exact calculation rule:

“Total slab size = available objects x object size”

From the exhibit:

tcp_session 3 5 1500 ...

So:

available objects = 5

object size = 1500

Therefore:

Total slab size = 5 × 1500 = 7500 kB

That makes D correct, and it is associated with the kernel , not user space.

Why the other options are wrong:

A is wrong because sctp_session 0 0 1600 ... gives 0 × 1600 = 0 , but slabs are associated with the kernel , not user space.

B is wrong because ip_session 1 3 1200 ... gives 3 × 1200 = 3600 , but again slabs are kernel memory, not user space.

C is wrong because ip6_session 0 0 1300 ... gives 0 × 1300 = 0 , not 1300.

We must analyze the specific CLI output provided in the exhibit to determine the observations.

Analyze the Command and Output:

Command: # diagnose automation test HAFailOver

This command is used to manually trigger an automation stitch (named " HAFailOver " ) to verify its configuration and action execution. It simulates the trigger event to run the defined actions.

Output: automation test failed(1). stitch:HAFailOver

The output explicitly states that the test failed. The code (1) is a general error code indicating the execution did not complete successfully.

Evaluate the Options:

A. The configuration was backed up:

Incorrect. Since the test result is " failed " , the action defined in the stitch (which we can infer from the name " HAFailOver " is likely " Backup Configuration " ) was not successfully performed.

B. A high availability (HA) failover occurred:

Incorrect. The command diagnose automation test is a simulation tool. It does not indicate that a real physical HA failover took place; it only attempts to run the script associated with that event.

C. The test was unsuccessful:

Correct. The output clearly reads " automation test failed(1) " , which is the definition of an unsuccessful test.

D. The automation stitch test is not being logged:

Correct. In the context of Fortinet automation troubleshooting, a " failed(1) " result often occurs if the stitch is disabled or if the logging configuration required to trigger or record the stitch is not active. Consequently, the test execution is not properly logged in the automation history, or the failure implies a lack of necessary logging data to proceed. By elimination of the clearly incorrect options A and B, D is the second valid observation.

The correct answers are A and B .

The Network Security Support Engineer 7.6 Study Guide states under OSPF Troubleshooting :

“Follow these steps to troubleshoot an OSPF problem between two peers:

Check that the local router can reach the remote peer. IP addresses must be in the same subnet and have the same subnet mask.

Ensure that IP protocol 89 is not blocked.

Hello and dead intervals must match.

The OSPF router ID for each peer must be unique. Duplicate router IDs are not allowed.

Do the MTUs match?

If authentication is enabled, the type and password must match on both sides.”**

The same page also summarizes the troubleshooting tips as:

“Do peers have an IP address within the same subnet?”

“Is IP protocol 89 blocked?”

This directly confirms:

A is correct

B is correct

Why the other options are wrong:

C is wrong because TCP port 179 is used by BGP , not OSPF. OSPF uses IP protocol 89 , as the study guide explicitly notes

D is wrong because the study guide’s OSPF adjacency troubleshooting checklist does not require an active static route to the peer. OSPF neighbors form adjacency on directly reachable networks, and the guide instead focuses on same subnet, protocol 89, intervals, router ID, MTU, and authentication matching

So the verified answers are: A, B .

To display debug output on FortiGate devices, you must always run both the application-specific debug command and the global debug enable command. The command diagnose debug application ike -1 sets up the detail level for the IKE daemon debug, but it does not display any debug output on its own. As described in the FortiOS CLI debugging manuals, the command diagnose debug enable activates debug output on the console, making all previously set debugs visible. This is especially important for VPN troubleshooting—without the enable command, no output appears even if there is VPN traffic.

The correct diagnostic sequence is:

diagnose debug application ike -1

diagnose debug enable

This procedure is found in every FortiOS CLI debug tutorial and troubleshooting workflow.

FortiTelemetry is a critical part of Security Fabric communications and requires explicit configuration for each participating FortiGate interface. The administrative access setting " fabric " (corresponding to FortiTelemetry) must be manually enabled per interface on both upstream and downstream devices. This is performed in the GUI under Administrative Access or via the CLI using the command set allowaccess fabric for the relevant network interface. Without this step, FortiTelemetry communications will not occur on that interface.

Additionally, the default communication between downstream and upstream FortiGate units in the Security Fabric is over TCP port 8013. This port is well-documented as the standard for Security Fabric and FortiTelemetry connections, and must be open and permitted across the network path for connectivity and status enforcement between units. The downstream FortiGate initiates the connection to the upstream via this port unless otherwise configured. This has also been documented as a PCI-relevant port, showing its default usage.

Other options:

Neighbor Discovery in FortiOS uses IPv6 ND protocol, not TCP.

FortiTelemetry port (8013) can be modified, but the interface Administrative Access for the Security Fabric must be manually enabled; Neighbor Discovery port modification is not documented as a supported change for FortiGate.

To determine the path the traffic will take, we must look at the FortiGate Route Lookup Precedence (Packet Processing Flow) and the specific configurations shown in the exhibit

Analyze the Routing Precedence:

In FortiOS, when a packet arrives (and is not part of an existing session), the FortiGate performs route lookups in a specific order:

Policy Routes: Configured under config router policy (or diagnose firewall proute list). These are checked first. If a packet matches the criteria (Source, Destination, Protocol, Incoming Interface), the Policy Route is used immediately, bypassing the standard routing table.

FIB (Forwarding Information Base): If no Policy Route matches, the device looks at the standard routing table (Static, Connected, Dynamic).

Analyze the Exhibit:

Policy Route Section: The output of diagnose firewall proute list shows an active policy route (id=1).

Destination: 100.65.0.0/255.255.255.0 (Matches the network in the question).

Action: It directs traffic to gateway 10.0.4.253 via oif=6(port4).

Routing Table Section: The output of get router info routing-table database shows multiple routes for 100.65.0.0/24 (Static, OSPF, BGP) all with distance 10. The Static route (S) is currently selected (* > ) in the FIB.

Conclusion:

Because Policy Routes take precedence over the standard routing table (FIB), the FortiGate will forward the traffic using the instructions in Policy Route ID 1. It will not use the Static, BGP, or OSPF routes visible in the routing table for any traffic that matches the policy route ' s criteria (ingress port 3).

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The Network Security Support Engineer 7.6 Study Guide explicitly explains this debug message:

“iprope_in_check() check failed, drop” means the packet is destined to a FortiGate IP address and one of these conditions applies:

The service is not enabled

The service is using a different TCP port

The source IP address is not included in the trusted host list

The packet matches a local-in policy with action deny

That directly confirms C. Trusted host list misconfiguration .

Why D is the second valid choice:

The FortiOS administration guide explains that:

“IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled … the FortiGate is considered a destination for those IP addresses … once an IP pool or VIP has been configured … the FortiGate considers it as a local address and will not forward traffic based on the routing table.”

Because iprope_in_check() is a local-in/local-destination type failure, a VIP or IP pool misconfiguration can cause traffic to be treated as destined for the FortiGate itself, which can then trigger this drop condition if the matching local service/local-in handling is not valid. So D is the closest supported second answer from the available choices.

Why the other options are wrong:

A is wrong because policy route problems are not the documented meaning of this specific debug message. The study guide instead ties iprope_in_check() check failed, drop to management/local-in conditions.

B is wrong because the study guide says traffic shaping drops appear as: “Denied by quota check”

The diagnose debug authd fsso server command is the primary tool for troubleshooting communication between the FortiGate and the FSSO Collector Agent. This debug output reveals the status of the connection and the reasons for failure. The three most common connectivity issues identified by this debug are:

FortiGate cannot reach the IP address of the collector agent (Option C): The debug will show connection timeouts or " host unreachable " errors if the Layer 3 connectivity is missing.

The connection was refused / Port mismatch (Option B): If the FortiGate can reach the IP but the Collector Agent is not listening on the specified port (default 8000), the debug will display " Connection refused. " This often happens if the port configured on the FortiGate does not match the listening port on the agent.

The pre-shared key does not match (Option D): If the IP and Port are correct, the next step is authentication. If the password configured on the FortiGate does not match the one on the Collector Agent, the debug will explicitly show an " Authentication failed " or " password mismatch " error during the handshake.

Note on other options: Option A (SSL) is less common than basic connectivity/auth mismatches. Option E (Group filters) relates to user processing logic, which occurs after connectivity is established.

The correct answers are B and D .

The study guide explains that expectation sessions are pinhole sessions created by session helpers for protocols such as FTP that need additional negotiated connections. It states: “FortiGate created an expectation session and opened the pinhole port for the expected return traffic” and also shows that the firewall “creates an expected (pinhole) session to allow the traffic”

That makes D correct.

For B , the study guide explains the gwy= field in session output: the first value is the gateway to the destination , and the second is the gateway to the source

In the exhibit, the original-direction traffic is DNATed here:

hook=pre dir=org act=dnat 10.171.121.38:0- > 10.200.1.1:60426(10.0.1.10:50365)

So the destination after DNAT is the internal host 10.0.1.10, and the session’s first gwy value corresponds to the next hop toward that destination. That makes B correct.

Why the other options are wrong:

A is wrong because this is an expectation/session-helper behavior, not an IPS-engine-created session. The study guide ties expectation sessions to helpers such as FTP, not IPS.

C is wrong because 10.200.1.1 is the translated address used before DNAT, not the next hop used to forward the original-direction traffic after translation to the internal destination.

So the verified answers are: B, D .

To solve this high CPU usage scenario involving the ipsengine, we must understand the specific functions of the diagnose test application ipsmonitor commands shown in the troubleshooting steps.

Analyze the Situation:

Exhibit: The diagnose sys top output shows the ipsengine process is in a run state (R) consuming 99% CPU.

Previous Action: The administrator already ran diagnose test application ipsmonitor 5.

Result: The CPU usage did not drop.

Understand the Commands:

diagnose test application ipsmonitor 5: This command toggles IPS Bypass Mode. When enabled, the IPS engine lets traffic pass through without inspection.

Implication: If the CPU was high due to traffic volume, enabling bypass would drop the CPU load immediately.

Failure: Since the CPU remained at 99% after bypass, the ipsengine process is likely frozen, stuck, or in an internal infinite loop unrelated to the current traffic flow. The process itself is the problem, not the traffic volume.

Evaluate the Solution (Option B):

diagnose test application ipsmonitor 2: This command toggles the IPS engine ' s Enable/Disable status.

Because the engine is stuck (bypass failed to relieve pressure), the " Immediate action " required is to stop or restart the process entirely.

Running option 2 effectively disables/kills the stuck IPS engine instance, which will immediately drop the CPU usage to near zero. (It can then be toggled again to restart it).

Why other options are incorrect:

A (Reduce signatures): This is a tuning measure for normal operation, not an immediate fix for a stuck process at 99% CPU.

C (Disable IPS on policies): This is a configuration change that takes time and requires a commit; it is not the most immediate diagnostic tool available.

D (Bypass all IPS engines): This describes the action of command 5 (Bypass), which the prompt explicitly states was already performed and failed.

The get router info bgp summary output lists BGP neighbor status:

Prefix Reception: The " State/PfxRcd " column shows the number of prefixes received from the neighbor—neighbor 100.64.1.254 has " 1 " , confirming option A.

Received Message Count: Under " MsgRcvd " , 18 packets have been received from neighbor 100.64.1.254. This matches option C.

The second neighbor 100.64.2.254 is in " Active " state and has received/sent 0 packets, indicating that its TCP connection is NOT established, disproving option B.

There is no indication anywhere that the router is " still calculating " prefixes; " Active " just means no session is established, so option D is incorrect.

To determine the cause of the failure, we must analyze the IKEv2 debug output provided in the exhibit (image_ad3dc6.jpg):

Identify the Negotiation Phase:

The debug log shows: responder received CREATE_CHILD exchange.

In IKEv2, the CREATE_CHILD_SA exchange is used to create new Child SAs (Phase 2) or to rekey existing ones.

The fact that the tunnel was previously " brought up successfully " implies the initial IKE SA (Phase 1) is stable, and this error is occurring specifically during a rekey event, which often involves Perfect Forward Secrecy (PFS).

Analyze the Proposals (The Mismatch):

Incoming Proposal (Remote Peer):

The remote peer sends a proposal containing two Diffie-Hellman groups: type=DH_GROUP, val=MODP2048 (Group 14) and type=DH_GROUP, val=MODP1536 (Group 5).

My Proposal (Local FortiGate):

The local FortiGate configuration expects: type=DH_GROUP, val=MODP3072 (Group 15).

Result of the Negotiation:

The debug output concludes with: no proposal chosen and Negotiate SA Error.

This error occurs because the local FortiGate cannot find a common Diffie-Hellman group between what it requires (Group 15) and what the peer is offering (Groups 14 or 5).

While this is technically a mismatch occurring during the Phase 2 (Child SA) creation, " A Diffie-Hellman mismatch " (Option A) is the precise root cause identified in the logs.

Why other options are incorrect:

B: The log shows received create-child request, confirming that UDP traffic is reaching the device and is not blocked.

C: The failure is in the CREATE_CHILD exchange (Phase 2/Rekey), not the IKE_SA_INIT or IKE_AUTH (Phase 1) exchanges.

D: While the mismatch is occurring within the Phase 2 definitions, Option A is the specific technical reason for the no proposal chosen error shown in the DH_GROUP lines.