The correct answers are A and B.
For UDP, the study guide states this directly: “For UDP, the session state can have only two values: 00 when traffic is only one way, and 01 when traffic is two ways. For ICMP, the protocol state is always 00.”
That makes B correct and D incorrect.
For TCP, the study guide explains that the protocol state is a two-digit number, where the first digit is the server-side state and the second digit is the client-side state. It also states that the first digit is 0 when the session is not subject to any inspection, and the TCP state table shows that value 1 = ESTABLISHED.
So, for a normal non-proxied/non-inspected TCP session, proto_state=01 means the TCP session is in the ESTABLISHED state. An established TCP session means the three-way handshake has completed, which requires traffic in both directions. That is why A is correct.
The study guide also says: “proto_state=11 means that the TCP three-way handshake for both server-side and client-side is completed (ESTABLISHED).”
This confirms that TCP state value 1 represents an established state.
Why C is not selected: the study guide defines value 5 as TIME_WAIT and says: “When a session is closed by both the sender and receiver, FortiGate keeps that session in the session table for a few seconds… This is the state value 5.”
So proto_state=05 represents a closing/closed TCP session in TIME_WAIT, not the normal bidirectional state the question is testing.
Therefore, the verified answers are A and B.
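The decoding rules above, applied to session-table lines, as an added example that is not from the study guide or from Fortinet. The sample lines are constructed, the `proto=… proto_state=…` field layout is an assumption, and only the TCP state values quoted on this page (1 and 5) are named.

```python
import re

# TCP state digits named on this page; any other digit is reported as "not listed here".
TCP_STATES = {"1": "ESTABLISHED", "5": "TIME_WAIT"}
FIELDS = re.compile(r"\bproto=(\d+)\s+proto_state=(\d{2})\b")

def decode(proto, state):
    """Interpret a two-digit proto_state for TCP (6), UDP (17) or ICMP (1)."""
    if proto == 6:
        server, client = state          # first digit server side, second digit client side
        inspected = server != "0"       # first digit is 0 when nothing inspects the session
        return {
            "proto": "tcp",
            "inspected": inspected,
            "server": TCP_STATES.get(server, "not listed here") if inspected else None,
            "client": TCP_STATES.get(client, "not listed here"),
        }
    if proto == 17:
        if state not in ("00", "01"):   # UDP can have only these two values
            raise ValueError(f"unexpected UDP proto_state {state}")
        return {"proto": "udp", "two_way": state == "01"}
    if proto == 1:
        if state != "00":               # ICMP is always 00
            raise ValueError(f"unexpected ICMP proto_state {state}")
        return {"proto": "icmp", "two_way": None}
    raise ValueError(f"protocol {proto} is not covered by this example")

def parse_sessions(text):
    """Return one decoded dict per line that carries proto= and proto_state=."""
    return [decode(int(m.group(1)), m.group(2)) for m in FIELDS.finditer(text)]

# Constructed sample lines; the field layout is an assumption, not captured output.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=12 expire=3588
session info: proto=6 proto_state=11 duration=40 expire=3560
session info: proto=6 proto_state=05 duration=95 expire=3
session info: proto=17 proto_state=00 duration=2 expire=178
session info: proto=17 proto_state=01 duration=7 expire=173
session info: proto=1 proto_state=00 duration=1 expire=59
"""

if __name__ == "__main__":
    for entry in parse_sessions(SAMPLE):
        print(entry)
```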