Spring Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: best70

FCSS_NST_SE-7.6 Fortinet NSE 6 - Network Security 7.6 Support Engineer Questions and Answers

Questions 4

Refer to the exhibit, which shows the output of diagnose sys session list.

FCSS_NST_SE-7.6 Question 4

If the HA ID for the primary device is 0, what happens if the primary fails and the secondary becomes the primary?

Options:

A.

The secondary device has this session synchronized; however, because application control is applied, the session is marked dirty and has to be re-evaluated after failover.

B.

Traffic for this session continues to be permitted on the new primary device after failover, without requiring the client to restart the session with the server.

C.

The session will be removed from the session table of the secondary device because of the presence of allowed error packets, which will force the client to restart the session with the server.

D.

The session state is preserved but the kernel will need to re-evaluate the session because NAT was applied.

Buy Now
Questions 5

Which Iwo actions does FortiGate take after an administrator enables the auxiliary session selling? (Choose two.)

Options:

A.

FortiGate only offloads auxiliary sessions.

B.

FortiGate accelerates all ECMP traffic to the NP6 processor

C.

FortiGates creates a now auxiliary session for each packet it receives.

D.

FortiGate creates two sessions in case of a routing change.

Buy Now
Questions 6

FCSS_NST_SE-7.6 Question 6

The output of a policy route table entry is shown.

Which type of policy route does the output show?

Options:

A.

A regular policy route, which is not associated with an active static route in the FIB

B.

An ISDB route

C.

An SD-WAN rule

D.

A regular policy route, which is associated with an active static route in the FIB

Buy Now
Questions 7

Refer to the exhibit, which contains partial output from an IKE real-time debug.

FCSS_NST_SE-7.6 Question 7

The administrator does not have access to the remote gateway.

Based on the debug output, which configuration change the administrator make to the local gateway to resolve the phase 1 negotiation error?

Options:

A.

In the phase 1 proposal configuration, add AES256-SHA256 to the list of encryption algorithms.

B.

In the phase 1 proposal configuration, add AESCBC-SHA2 to the list of encryption algorithms.

C.

In the phase 1 network configuration, set the IKE version to 2.

D.

In the phase 1 proposal configuration, add AES128-SHA128 to the list of encryption algorithms.

Buy Now
Questions 8

Which authentication option can you not configure under config user radius on FortiOS?

Options:

A.

mschap

B.

pap

C.

mschap2

D.

eap

Buy Now
Questions 9

Refer to the exhibit, which shows the output o! the BGP database.

FCSS_NST_SE-7.6 Question 9

Which two statements are correct? (Choose two.)

Options:

A.

The advertised prefix of 10.20.30.0/24 was configured using the network command.

B.

The first four prefixes are being advertised using a legacy route advertisement.

C.

The advertised prefix of 10.20.30.0/24 is being advertised through the redistribution of another routing protocol.

D.

The output shows all prefixes advertised by all neighbors as well as the local router.

Buy Now
Questions 10

Refer to the exhibit.

FCSS_NST_SE-7.6 Question 10

A partial output from an IKE real-time debug is shown

The administrator does not have access to (he remote gateway

Based on the debug output, which two conclusions can you draw? (Choose two.)

Options:

A.

The remote peer is the initiating peer.

B.

This is a phase1 negotiation.

C.

There is a Diffie-Hellman group mismatch.

D.

This is a phase2 negotiation

Buy Now
Questions 11

Which three common FortiGate-to-collector-agent connectivity issues can you identify using the FSSO real-time debug? (Choose three.)

Options:

A.

The SSL certificate used for FSSO over SSL has expired.

B.

The connection was refused. There may be a mismatch of the TCP port.

C.

FortiGate cannot reach the IP address of the collector agent.

D.

The pro-shared key does not match

E.

The group filters do not match.

Buy Now
Questions 12

What are two reasons that an OSPF router does not have any type 5 tank-state advertisements (LSAs) In its link-stale database (LSD6)? (Choose two.)

Options:

A.

There is no autonomous system border router (ASBR) in the network,

B.

The peer of the local router is using a prefix-list-out. configuration to prevent all type 5 LSAs to be advertised.

C.

The local router is located in a stub area

D.

IP protocol 89 is blocked between the local router and its peer.

Buy Now
Questions 13

Exhibit.

FCSS_NST_SE-7.6 Question 13

Refer to the exhibit, which shows a FortiGate configuration.

An administrator is troubleshooting a web filter issue on FortiGate. The administrator has configured a web filter profile and applied it to a policy; however the web filter is not inspecting any traffic that is passing through the policy.

What must the administrator do to fix the issue?

Options:

A.

Disable webfilter-force-off.

B.

Increase webfilter-timeout.

C.

Enable fortiguard-anycast.

D.

Change protocol to TCP.

Buy Now
Questions 14

Refer to the exhibit, which shows the output of a BGP debug command.

FCSS_NST_SE-7.6 Question 14

What can you conclude about the router in this scenario?

Options:

A.

The router 100.64.3.1 needs to update the local AS number in its BGP configuration in order to bring up the 8GP session with the local router.

B.

An inbound route-map on local router is blocking the prefixes from neighbor 100.64.3.1.

C.

All of the neighbors displayed are part of a single BGP configuration on the local router with the neighbor-range set to a value of 4.

D.

The BGP session with peer 10.127.0.75 is up.

Buy Now
Questions 15

During which phase of IKEv2 does the Diffie-Helman key exchange take place?

Options:

A.

IKE_Req_INIT

B.

Create_CHILD_SA

C.

IKE_Auth

D.

IKE_SA_INIT

Buy Now
Questions 16

Refer to the exhibit.

FCSS_NST_SE-7.6 Question 16

The modified output of live routing kemel is shown

Which two statements about the output are (rue? (Choose two.)

Options:

A.

The BGP route to 10.0.4.0/24 is not in the forwarding information base.

B.

The default static route through 10.200.1 254 is in the forwarding information* base.

C.

FortiGate is performing ECMP using both default static routes.

D.

The local FortiGate is receiving only one LSA from one OSPF neighbor.

Buy Now
Questions 17

Refer to the exhibit.

FCSS_NST_SE-7.6 Question 17

The output of diagnose sys session list command is shown.

If the HA ID for the primary device is 9, what happens if the primary fails and the secondary becomes the primary?

Options:

A.

The session is synchronized with the secondary device, however, because application control is applied. the session is marked dirty and has to be reevaluated after failover.

B.

The session will be removed from the session table of the secondary device because the TCP session is not yet fully established.

C.

The session continues to permit traffic on the new primary device after failover. without requiring the client to restart the session with the server.

D.

The session state is preserved but the kernel will re-evaluate the session because the routing information will be flushed

Buy Now
Questions 18

Refer to the exhibit, which shows a partial web filter profile configuration.

FCSS_NST_SE-7.6 Question 18

The URL www.dropbox.com is categorized as File Sharing and Storage.

Which action does FortiGate take if a user attempts to access www.dropbox.com?

Options:

A.

FortiGate blocks the connection as an invalid URL.

B.

Based on the URL Filter configuration, FortiGate allows the connection.

C.

FortiGate blocks the connection, based on the FortiGuard category-based filter configuration.

D.

Based on the Web Content filter configuration, access to www.dropbox.com would be exempted.

Buy Now
Questions 19

In IKEv2, which exchange establishes the first CHILD_SA?

Options:

A.

IKE_SA_INIT

B.

INFORMATIONAL

C.

CREATE_CHILD_SA

D.

IKE_Auth

Buy Now
Questions 20

Which exchange lakes care of DoS protection in IKEv2?

Options:

A.

Create_CHILD_SA

B.

IKE_Auth

C.

IKE_Req_INIT

D.

IKE_SA_NIT

Buy Now
Questions 21

Refer to the exhibit, which shows a truncated output of a real-time LDAP debug.

FCSS_NST_SE-7.6 Question 21

What two conclusions can you draw from the output? (Choose two.)

Options:

A.

The name of the configured LDAP server is Lab.

B.

The user is authenticating using CN=John Smith.

C.

FortiOS is able to locate the user in step 3 (Bind Request) of the LDAP authentication process.

D.

FortiOS is performing the second step (Search Request) in the LDAP authentication process.

Buy Now
Questions 22

Exhibit.

FCSS_NST_SE-7.6 Question 22

Refer to the exhibit, which contains a screenshot of some phase 1 settings.

The VPN is not up. To diagnose the issue, the administrator enters the following CLI commands on an SSH session on FortiGate:

FCSS_NST_SE-7.6 Question 22

However, the IKE real-time debug does not show any output. Why?

Options:

A.

The administrator must also run the command diagnose debug enable.

B.

The debug shows only error messages. If there is no output, then the phase 1 and phase 2 configurations match.

C.

The log-filter setting is incorrect. The VPN traffic does not match this filter.

D.

Replace diagnose debug application ike -1 with diagnose debug application ipsec -1.

Buy Now
Questions 23

Refer to the exhibit showing a debug output.

FCSS_NST_SE-7.6 Question 23

An administrator deployed FSSO in DC Agent Mode but FSSO is failing on FortiGate. Pinging FortiGate from where the collector agent is deployed is successful.

The administrator then produces the debug output shown in the exhibit.

What could be causing this error message?

Options:

A.

The TCP port 445 is blocked between FortiGate and collector agent.

B.

The collector agent preshared password is mismatched.

C.

The FortiGate cannot resolve the active directory server name.

D.

The FortiGate and the collector agent are using different TCP ports.

Buy Now
Questions 24

Refer to the exhibit.

FCSS_NST_SE-7.6 Question 24

An IPsec VPN tunnel using IKEv2 was brought up successfully, but when the tunnel rekey takes place the tunnel goes down.

The debug command for IKE was enabled and, in the exhibit, you can review the partial output of the debug IKE while attempting to bring the tunnel up.

What is causing. The tunnel to be down?

Options:

A.

A Diffie-Hellman mismatch

B.

Blocked traffic on UDP port 500

C.

A mismatch m the Phase 1 negotiations

D.

A mismatch in the Phase 2 negotiations

Buy Now
Questions 25

Refer to the exhibit.

FCSS_NST_SE-7.6 Question 25

Which Iwo statements about FortiGate behavior relating to this session are correct? (Choose two.)

Options:

A.

FortiGate is performing a security profile inspection using the CPU.

B.

FortiGate redirected the client to trio captive portal to authenticate so that a correct policy match could be

C.

FortiGate either initiated the session or the session terminates at FortiGate.

D.

FortiGate forwarded this session without any inspection.

Buy Now
Questions 26

Exhibit 1.

FCSS_NST_SE-7.6 Question 26

Exhibit 2.

FCSS_NST_SE-7.6 Question 26

Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.

An administrator would like to lest session failover between the two service provider connections.

Which two changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

Options:

A.

Change the priority of the port1 static route to 11.

B.

Change the priority of the port2 static route to 5.

C.

Configure unset snat-route-change to return it to the default setting.

D.

Configure set snat-route-change enable.

Buy Now
Questions 27

Refer to the exhibit, which shows the modified output of the routing kernel.

FCSS_NST_SE-7.6 Question 27

Which statement is true?

Options:

A.

The egress interface associated with static route 8.8.8.8/32 is administratively up.

B.

The default static route through 10.200.1.254 is not in the forwarding information base.

C.

The default static route through port2 is in the forwarding information base.

D.

The BGP route to 10.0.4.0/24 is not in the forwarding information base.

Buy Now
Questions 28

Refer to the exhibit, which shows the output of a policy route table entry.

FCSS_NST_SE-7.6 Question 28

Which type of policy route does the output show?

Options:

A.

An ISDB route

B.

A regular policy route

C.

A regular policy route, which is associated with an active static route in the FIB

D.

An SD-WAN rule

Buy Now
Questions 29

Which two statements about conserve mode are true? (Choose two.)

Options:

A.

FortiGate enters conserve mode when the system memory reaches the configured extreme threshold.

B.

FortiGate starts taking the configured action for new sessions requiring content inspection when the system memory reaches the configured red threshold.

C.

FortiGate exits conserve mode when the system memory goes below the configured green threshold.

D.

FortiGate starts dropping all new sessions when the system memory reaches the configured red threshold.

Buy Now
Questions 30

Refer to the exhibit.

FCSS_NST_SE-7.6 Question 30

Partial output of the fssod daemon real-time debug command is shown. Which two conclusions can you draw from the output? (Choose two answers)

Options:

A.

FSSO cannot verify if the user is still logged in.

B.

Fortinet Single Sign-On (FSSO) is using DC Agent mode to detect logon events.

C.

FortiGate is frequently polling the workstation in case the user has logged out.

D.

FSSO is using agentless polling mode to detect logon events.

E.

FortiGate polled this event through TCP port 8000.

Buy Now
Exam Code: FCSS_NST_SE-7.6
Exam Name: Fortinet NSE 6 - Network Security 7.6 Support Engineer
Last Update: Feb 25, 2026
Questions: 95

PDF + Testing Engine

$134.99

Testing Engine

$99.99

PDF (Q&A)

$84.99