Pass the Fortinet Fortinet Certified Solution Specialist FCSS_NST_SE-7.6 Questions and answers with CertsForce

Parallel Path Processing (PPP) in FortiOS refers to the system’s ability to evaluate and select among multiple processing paths—often involving dedicated network processors, content processors, or CPU-based workflows—to optimally process packets. The official documentation highlights that the PPP engine dynamically selects which hardware or software path to use for each session based on session characteristics, policy configuration, and traffic type. This dynamic selection results in optimal throughput and resource utilization.

The document specifies that PPP assesses several processing paths in parallel, using decision logic to determine whether a session should be offloaded to specialist hardware (like NP6, CP9, etc.) or stay in the CPU path, ensuring that each packet is handled by the most efficient available method under current load and policy. Hardware and software configurations both influence this outcome, but it is the PPP engine ' s decision-making that defines the optimal path per session.

Analyze the " Send to Application Layer " Message:

The most critical line in the debug output is: id=65308 ... func=av_receive ... msg= " send to application layer "

Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.

Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a " send to application layer " message for standard web filtering.

Evaluate Option B (Firewall Policy Mode):

Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path. Thus, Option B is correct.

Evaluate Option C (Web Filter Profile Mode):

In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.

Why Option A is Incorrect (NPU Offload):

The output shows npu_state=0x100. In the context of a flow trace where traffic is being " sent to application layer, " this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.

Why Option D is Incorrect (Port Mapping):

While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct " observations " derived from the log data.

The output of the diagnose sys session list command provides the critical evidence needed to determine the behavior during a failover:

Session Synchronization (synced):

The most important indicator in the exhibit is the synced flag located in the state= line (state=may_dirty synced none app_ntf).

In FortiOS HA (High Availability), the synced flag confirms that this specific session has been successfully synchronized from the primary device to the secondary (backup) device.

Session synchronization (Session Pickup) ensures that if the primary unit fails, the secondary unit already has the session in its table and can resume traffic processing immediately.

TCP State (proto_state=01):

The output shows proto=6 (TCP) and proto_state=01.

In the FortiGate session table, proto_state=01 for TCP indicates that the session is in the ESTABLISHED state (post-three-way handshake).

This invalidates Option B, which claims the TCP session is not fully established.

Failover Outcome:

Because the session is ESTABLISHED and SYNCED, the secondary device will seamlessly take over the session upon primary failure.

The traffic continues to flow through the new primary without requiring the user/client to restart the connection. This is the primary function of HA Session Pickup.

Why other options are incorrect:

A: While the output shows app_ntf (Application Control notification) and may_dirty, the presence of the synced flag overrides this concern regarding failover. If the session type were not supported for failover (e.g., certain proxy sessions in older versions), it would not be marked as synced. Since it is synced, it persists.

B: As noted, proto_state=01 means established, not " not fully established " .

D: While the kernel updates routing tables, the purpose of syncing the session is to preserve the state so it does not need to be re-evaluated as a new packet would, preventing traffic drops.

The diagnose debug authd fsso server command is the primary tool for troubleshooting communication between the FortiGate and the FSSO Collector Agent. This debug output reveals the status of the connection and the reasons for failure. The three most common connectivity issues identified by this debug are:

FortiGate cannot reach the IP address of the collector agent (Option C): The debug will show connection timeouts or " host unreachable " errors if the Layer 3 connectivity is missing.

The connection was refused / Port mismatch (Option B): If the FortiGate can reach the IP but the Collector Agent is not listening on the specified port (default 8000), the debug will display " Connection refused. " This often happens if the port configured on the FortiGate does not match the listening port on the agent.

The pre-shared key does not match (Option D): If the IP and Port are correct, the next step is authentication. If the password configured on the FortiGate does not match the one on the Collector Agent, the debug will explicitly show an " Authentication failed " or " password mismatch " error during the handshake.

Note on other options: Option A (SSL) is less common than basic connectivity/auth mismatches. Option E (Group filters) relates to user processing logic, which occurs after connectivity is established.

The correct answer is D .

The study guide explains that IKEv2 has two initial exchanges:

IKE_SA_INIT

IKE_AUTH

and then later exchanges such as:

CREATE_CHILD_SA

It also states the roles of those exchanges:

IKE_SA_INIT negotiates the security settings for IKE traffic

IKE_AUTH performs mutual authentication and sets up the piggyback child SA

CREATE_CHILD_SA creates a new child SA or rekeys an existing child SA

Most importantly, the study guide explicitly says:

“By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange. Consequently, any phase 2 Diffie-Hellman group configuration mismatch between FortiGate and the peer is experienced only during the first rekey (CREATE_CHILD_SA exchange) of the child SA created during IKE_AUTH.”

This proves the key idea behind the question: an IKEv2 tunnel can come up successfully first, then fail later during a CREATE_CHILD_SA rekey/renegotiation event because of a phase 2 mismatch. Among the provided options, the matching later-stage cause is mismatched quick-mode selectors during CREATE_CHILD_SA .

Why the other options are wrong:

A is wrong because if the proposal mismatch were in the initial negotiation path, the tunnel would fail during establishment, not after it was already up. The study guide places initial tunnel establishment in IKE_SA_INIT and IKE_AUTH

B is wrong because a mismatch in IKE_SA_INIT affects the initial establishment stage, not a tunnel that was already brought up successfully

C is wrong because a pre-shared key mismatch is part of authentication during IKE_AUTH , so the tunnel would not come up successfully in the first place

The correct answer is A .

The study guide explains the IKEv2 exchange order very clearly:

“The initial exchanges are: IKE_SA_INIT and IKE_AUTH.”

“Create_Child_SA exchange: Creates a new child SA or rekeys an existing child SA.”

It also states:

“After successful IKE_SA_INIT and IKE_AUTH exchanges, the CHILD_SA exchange takes place. In this exchange, the peers negotiate the CHILD_SA and the traffic selectors — traffic selector responder (TSr) and traffic selector initiator (TSi).”

That is why A is correct: if the tunnel was initially brought up successfully , then the initial exchanges already succeeded. A later problem during CREATE_CHILD_SA , especially with traffic selectors/phase 2 selectors , can cause the tunnel to fail during rekey or child-SA renegotiation.

Why the other options are wrong:

B is wrong because proposal mismatch for the IKE SA is handled during IKE_SA_INIT , not after the tunnel is already up. The study guide says IKE_SA_INIT negotiates the security settings to protect the IKE traffic

C is wrong because a pre-shared key mismatch is part of authentication and would prevent successful initial establishment during IKE_AUTH . The study guide shows that after IKE_AUTH, “authentication succeeded” and “established IKE SA” when it works

D is wrong because a Diffie-Hellman mismatch belongs to IKE_SA_INIT , which happens before the tunnel comes up. The study guide also states: “By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange.”

So the verified answer is: A .

The study guide identifies this exact output as an expectation session created by the FTP session helper :

“run helper-ftp” indicates the FTP helper is in use.

“FortiGate created an expectation session and opened the pinhole port for the expected return traffic”

It also explains why this exists:

“Another important function of the session helper is to temporarily create an expected session (or pinhole) for the data channel connection that comes from the server.”

“The session helper automatically creates the session and opens the door for the incoming connection.”

“These incoming TCP sessions use random TCP port numbers.”

That directly proves C is correct.

For A , the exhibit shows expire=23. The study guide explains the expire field as the length of time until the session expires if no matching traffic arrives, and the FortiOS guide states for expectation sessions:

“Expectation sessions usually have a timeout value of 30 seconds. If the communication from the server is not initiated within 30 seconds the expectation session times out and traffic will be denied.”

So with expire=23, FortiGate will allow that expected traffic only for the remaining 23 seconds; after that, it times out and the traffic is denied. That makes A correct.

Why the other options are wrong:

B is not supported . The study guide describes expectation sessions as being created by the session helper from the control-session negotiation, not as independent objects unaffected by the master session.

D is wrong as stated. Even though the output contains policy_id=25, the study guide explicitly says the incoming expected connection is allowed by the expected session itself, “even when no firewall policy allows it.”