Pass the Fortinet Fortinet Certified Solution Specialist FCSS_LED_AR-7.6 Questions and answers with CertsForce

In a LAN Edge deployment:

FortiSwitch is managedthrough FortiGate via FortiLink.

FortiAIOps integrates withFortiGateas the single managed device; from there it gains visibility intoall Fabric and LAN-edge devices(FortiSwitch, FortiAP) that are registered to that FortiGate.

Once the FortiGate is successfully added to FortiAIOps (as shown in the exhibit, statusOnline / Successfully Discovered), all FortiSwitches managed by that FortiGate are:

Discovered automatically through the FortiGate–FortiAIOps connection

Shown under the appropriate inventory / switch views withno separate onboarding stepfor each switch.

This is why no extra IP, serial number, or credential entry is required for FortiSwitch.

So:

AandBsuggest manual per-switch onboarding, which is not how FortiAIOps works with LAN Edge.

Dsimilarly assumes direct FortiSwitch management, but FortiAIOps talks toFortiGate, not the switch.

Therefore the correct behavior is that theFortiSwitch is added automatically (C)once its managing FortiGate is connected to FortiAIOps.

From the exhibits:

The AP profile shows:

SSIDs: Tunnel | Bridge | Manual

The current setting isBridge, not Manual.

WhenBridgeorTunnelis selected, the AP profiledoes NOT automatically broadcast SSIDsunless the corresponding VAPs were explicitly mapped in the AP profile.

FortiManager SSID profiles are created, but unless these are explicitly applied underManual SSIDs selection, the AP will not broadcast any SSID.

Fortinet documentation states:

“To control which SSIDs an AP broadcasts, the AP Profile must have SSIDs set toManual, and the desired SSIDs must be selected.”

Therefore, to make the AP broadcast the intended SSIDs:

✔You must switch the SSIDs setting to Manual, and manually select the SSIDs (CompanyPrinters, Student01, Guest-CorpPort, PSK).

Why the other options are incorrect:

A. Adjust AP profile to avoid mixing bridge/tunnelMixed modes ARE supported. Not the issue.

B. Change platformThe platform (FAP231F) already supports all listed SSIDs.

D. Set transmit power mode to autoPower settings have nothing to do with SSID broadcasting.

From the exhibits:

Interface“APs”is a VLAN sub-interface onfortilinkwith IP10.10.100.254/24and a DHCP server scope 10.10.100.1–10.10.100.253.

This VLAN is assigned toport1on the managed FortiSwitch for FortiAPs.

The interface config showsonly allowaccess ping—Security Fabric Connection is not enabled.

In LAN Edge designs, FortiAPs connected through FortiSwitch are discovered and managed asLAN edge devices of the Security Fabric. FortiOS documentation states that FortiAPs and FortiSwitches appear in the Fabric topologyonly when connected on an interface with Security Fabric Connection enabled.

If the VLAN/AP management interface lacksSecurity Fabric Connection:

FortiGate does not treat that network as aFabric connection segment.

CAPWAP discovery from FortiAPs on that VLAN will not result in the AP being onboarded and shown for management.

Therefore the key misconfiguration is:

✔A – Security Fabric is disabled on the VLAN interface used for AP management.

Why the others are not the root cause:

B. Firmware incompatibility– would usually show as a “Managed (upgrade required)” or similar status after discovery, not complete non-detection. The scenario specifically points to a configuration issue, not firmware.

C. VLAN not tagged correctly on uplink– The FortiSwitch uplink to FortiGate is the FortiLink trunk, and the VLAN sub-interface APs is already bound to fortilink, so tagging on the uplink is correct by definition.

D. CAPWAP ports not open– CAPWAP (UDP 5246/5247) is terminated locally on FortiGate and does not depend on any firewall policy; these ports are open on the FortiGate itself by default.

In FortiGate captive portal workflows (local or external):

Client connects to SSID / interface that has captive portal enabled.

Client makes an HTTP/HTTPS request.

FortiGate intercepts and redirects to alogin page(local or external URL).

The portal form is submitted viaPOSTback to FortiGate.

To prevent tampering and to tie the POST back to thecorrect user session, FortiGate includes a special hidden parameter in the redirect and expects it in the POST:

The parameter is namedmagic.

The magic value:

Is aunique tokengenerated per captive-portal session.

Encodes/session-links the user’s IP, interface, and session info.

Allows FortiGate to ensure that:

The POST comes from the user who initiated the original request.

The request is not a random or replayed submission.

When troubleshooting:

If the external portal does notpreserve and resendthe magic parameter back to FortiGate exactly as received, authentication fails, and you’ll see errors like “session not found” or “invalid magic”.

Why the other fields are not used for this purpose

A. username– Just the login ID; multiple users can use the same username from different locations, so it can’t uniquely track the browser session.

B. redir– Contains the URL the user originally requested, so they can be sent back there after login. It is not a session integrity token.

D. email– Optional field used in some guest/registration flows; irrelevant to session validation.

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

This question combines two FortiAP behaviors shown in the study guide:

AP handoff for load balancing

Frequency handoff for band steering to 5 GHz

From the WTP profile in the exhibit:

set handoff-rssi 30

set handoff-sta-thresh 30

The LAN Edge 7.6 Architect study guide explains AP handoff like this:

“If the number of clients is already at the defined threshold, new clients will be redirected to join the least busy nearby AP.” It also states: “The handoff-sta-thresh parameter defines the threshold value that triggers the handoff protocol for new clients.”

So, because the first AP 5 GHz radio already has 32 clients, it is above the threshold of 30, meaning AP handoff can be considered.

However, the same extract adds an important condition:

“The handoff-rssi threshold defined in the AP profile applies when a handed-off client tries to connect to the second AP. The client ' s signal strength must be equal to or greater than the defined RSSI value on the new AP.”

The second AP measures the client at -43 dBm. Based on the configured handoff RSSI threshold of 30, the second AP does not satisfy the required signal condition for the handoff target, so FortiGate does not redirect the client there.

Now consider band selection. The study guide explains frequency handoff:

“Frequency handoff is a band steering technique that FortiGate uses to encourage clients to use the 5 GHz frequency instead of the 2.4 GHz.”

It also says:

“When a client tries to connect, FortiGate checks whether it can support 5 GHz and, if so, how good the signals are. If a client supports the 5 GHz frequency and the signal is strong enough to connect, FortiGate ignores the client’s requests to join the network on 2.4 GHz until the request times out. The client will then automatically try to join the same network using 5 GHz.”

Because the client is dual-band capable and the first AP sees it at a very strong -33 dBm, FortiGate will steer it to 5 GHz on the first AP.

Why the other options are incorrect:

A. Incorrect. The study guide says frequency handoff encourages dual-band clients to use 5 GHz instead of 2.4 GHz when the 5 GHz signal is strong enough

C. Incorrect. Even though the second AP 5 GHz radio has fewer clients, AP handoff only occurs if the target AP meets the configured handoff RSSI requirement. The study guide explicitly makes that a condition

D. Incorrect. 2.4 GHz is not preferred here. The study guide specifically says FortiGate uses frequency handoff to encourage 5 GHz for dual-band-capable clients

Final verified conclusion:

The client will associate with the first AP 5 GHz radio because:

the client is dual-band capable

FortiGate prefers 5 GHz through frequency handoff

the first AP has the stronger signal at -33 dBm

the second AP does not qualify as the handoff target under the configured handoff RSSI condition

From the exhibits:

SSID “Guest”

Security mode:Open

Captive Portal: Enabled, portal typeAuthentication → External

External portal URL: https://fac.trainingad.training.lab/guest (FortiAuthenticator)

Exempt destinations/services:FortiAuthenticator and WindowsAD

Firewall policy

From theGuest interface/zonetoport1 (Internet)

Source user group:guest.portal(authenticated users)

The flow for anexternal captive portalis:

Client associates to theopen Guest SSID.

Client makes an HTTP(S) request.

FortiGate intercepts and redirects the client to theexternal portal.

Client must be able toreach FortiAuthenticator’s IP(and AD if the portal needs it)before authentication.

In this setup:

Theexempt destinationsetting tells the captive portal logicnot to require authenticationfor traffic going to FortiAuthenticator and WindowsAD.

However, there still must be a firewall policy that allows traffic from the Guest SSID subnet to those exempt destinations.

The existing firewall policy uses theguest.portal user groupas a source condition, which only matchesaftersuccessful portal authentication. Before login, the client has no user identity, so:

Traffic from the unauthenticated Guest client → FortiAuthenticator isnot matchedby that policy.

It hits theimplicit deny, so the browser never reaches the login page.

To fix this, the administrator must:

Create or modify a firewall policy thatallows traffic from the Guest SSID subnet/interface to FortiAuthenticator and WindowsAD without requiring user authentication.

That is exactly what optionDdescribes.

Why the others are wrong:

A. Change SSID security mode to WPA2-Enterprise– External captive portals are normally used withopenSSIDs; WPA2-Enterprise uses 802.1X, not captive portal.

B. Disable HTTPS redirection– Redirection is required so users are sent to the portal; disabling it doesn’t solve reachability.

C. Exclude FortiAuthenticator and Windows AD from filtering– They’re already listed asexempt destinationsin the SSID configuration; the missing piece is thefirewall policy, not the exemption.

The LAN Edge 7.6 Architect Study Guide explicitly states in the " Device Detection + FortiGuard Services " section:

" With the FortiGuard Attack Surface Security Service and IoT Detection, FortiGate assesses the security posture of connected devices, especially IoT devices, which often have weak security settings. This feature helps you to monitor and control the growing attack surface created by numerous IoT endpoints, by detecting and identifying connected IoT devices and assessing their vulnerabilities. "

The guide further confirms that FortiLink device detection, combined with these two specific FortiGuard services, enables comprehensive device identification and vulnerability detection, allowing FortiGate to automatically detect any device connected to the network and analyze its potential security risks.

Why the other options are wrong:

A is incorrect — " FortiGuard Vulnerability Management " and " FortiGuard Endpoint Protection " are not the services referenced in the study guide for this feature.

B is incorrect — " FortiGuard Threat Intelligence " is not the named service for this functionality; the correct service is Attack Surface Security.

C is incorrect — Same reason as B; Threat Intelligence and Endpoint Protection are not the correct license pair for FortiLink device detection and IoT vulnerability assessment.

???? Typing Error Corrections Made: Option B and D in the original question had " loT " (lowercase L) corrected to " IoT " (capital I) — the correct abbreviation for Internet of Things.

The LAN Edge 7.6 Architect Study Guide identifies the following communication mechanisms between FortiGate and FortiSwitch:

C — FortiLink Protocol (Primary Management Protocol): The study guide states: " FortiLink, also known as the switch controller function, allows FortiGate firewalls to remotely manage FortiSwitch devices. FortiLink defines the management interface and remote management protocol between FortiGate and FortiSwitch, enabling seamless control and integration. " FortiLink is the foundational protocol for the entire management relationship.

B — HTTPS (REST API): The study guide confirms: " FortiGate applies the quarantine-related configuration for the quarantined device to FortiSwitch using the FortiSwitch REST API. " FortiGate communicates with FortiSwitch via HTTPS-based REST API calls for specific configuration pushes such as quarantine enforcement, port configuration, and security policy application.

A — SNMP: SNMP is referenced in the study guide as a management protocol used by FortiGate to monitor and gather status information from FortiSwitch devices. SNMP is a standard network management protocol used for monitoring switch status, which aligns with its role in FortiSwitch management.

Why the other options are wrong:

D is incorrect — CAPWAP (UDP 5246/5247) is the protocol used between FortiGate and FortiAP for wireless AP management, NOT between FortiGate and FortiSwitch. The study guide explicitly states: " FortiGate manages FortiAPs using the CAPWAP protocol. "

E is incorrect — IGMP is an IP multicast group management protocol. It plays no role in the management or control channel between FortiGate and FortiSwitch. It is not mentioned in the LAN Edge 7.6 study guide in the context of FortiSwitch management.

The correct answer is D.

The LAN Edge 7.6 Architect study guide directly explains this exact behavior for SSIDs configured on FortiManager.

The study guide states:

“In central management mode, profiles are created and stored on FortiManager. An AP profile is distributed to a controller when at least one of its supported APs is assigned the profile and the device settings are installed. SSID profiles are delivered only when you select Manual in the SSID field.”

It further says:

“If you create an SSID profile centrally and configure all the AP profiles to be tunnel or bridge, the SSID profile is not delivered to FortiGate. FortiManager does not know which of the SSID profiles to distribute to which FortiGate.”

And the guide gives the exact fix:

“A manual SSID explicitly tells FortiManager which SSID profile to broadcast on the AP and, as a result, the required SSID profile is delivered to the controller.”

Another extract from the same section confirms:

“When you want to broadcast an SSID, you must configure the AP profile that is being used by the APs that are to transmit it... Manual: You can select a mix of SSIDs to broadcast.”

So in this scenario, the AP profile must be changed from Bridge or Tunnel to Manual, and then the required SSIDs must be explicitly selected.

Why the other options are incorrect:

A. Incorrect. The issue is not the AP platform. The study guide identifies the problem as SSID delivery and mapping from FortiManager to FortiGate, not AP hardware support

B. Incorrect. The study guide explicitly says Manual can be used to “select a mix of SSIDs to broadcast,” so a mix is supported when Manual is chosen

C. Incorrect. Transmit Power Mode affects RF behavior, not whether FortiManager delivers SSID profiles to FortiGate. The problem here is SSID assignment and profile distribution, not radio power.

Extra confirmation from FortiGate Cloud administration guidance:

“To configure the SSID that you created select Manual for SSIDs then select the SSID from the dialog.”

Final verified conclusion:

Because the SSIDs were created on FortiManager and are not being broadcast, the AP profile must use Manual in the SSIDs field and the intended SSIDs must be explicitly selected.

So the correct answer is D.