Pass the Fortinet Fortinet Certified Solution Specialist FCSS_NST_SE-7.6 Questions and answers with CertsForce

When FortiGate performs SSL certificate inspection with default settings, it checks if the Server Name Indication (SNI) matches either the Common Name (CN) or any Subject Alternative Name (SAN) in the server certificate. If there is no match, FortiGate does not block the connection; instead, it uses the CN value from the certificate ' s subject field to continue web filtering and categorization.

This behavior is described in the official Fortinet 7.6.4 Administration Guide:

“Check the SNI in the hello message with the CN or SAN field in the returned server certificate: Enable: If it is mismatched, use the CN in the server certificate.” This is the default (Enable) mode, which differs from the Strict mode that would block the mismatched connection.

By default, this policy ensures service continuity and prevents disruptions due to certificate mismatches, allowing FortiGate to log and inspect based on the CN even when the requested SNI does not match. It provides a balance between connection reliability and the accuracy of filtering by certificate identity, allowing security policies to remain functional without unnecessary blocks. This approach is recommended by Fortinet to maintain usability for end-users while still supporting granular inspection.

The correct answer is D .

The study guide shows the ipsmonitor test usage exactly:

1: Display IPS engine information

2: Toggle IPS engine enable/disable status

5: Toggle bypass status

99: Restart all IPS engines and monitor

So diagnose test application ipsmonitor 5 is used to toggle bypass status , which corresponds to enabling IPS bypass mode .

Why the other options are wrong:

A is wrong because disabling the IPS engine is option 2 , not 5.

B is wrong because the study guide does not define option 5 as IPS session information.

C is wrong because restarting all IPS engines and monitors is option 99 , not 5.

So the verified answer is: D .

The correct answers are C and D .

The key clue is the command itself:

diagnose debug application fssod -1

The study guide explicitly states: “There is a specific FortiGate daemon that handles the polling mode. It is the fssod daemon. To enable agentless polling mode real-time debug use the command: diagnose debug application fssod -1.”

That directly proves D. FSSO is using agentless polling mode to detect logon events .

The study guide also states: “In agentless polling mode, FortiGate frequently polls all workstations (as a standalone collector agent does) to check which users are still logged in. You can sniffer this traffic on port 445.”

That directly proves C. FortiGate is frequently polling the workstation in case the user has logged out .

Why the other options are wrong:

A is wrong because the “cannot verify if the user is still logged in” / Not Verified condition is described for the collector agent workstation status, not as a conclusion from this FortiGate fssod debug line. The study guide says: “A user goes to not verified status when they log out, or when there is a problem in the polling done by the collector agent to the workstation.”

B is wrong because DC Agent mode is part of agent-based FSSO , where DC agents send events to a collector agent. This output is from the fssod daemon, which the study guide ties to agentless polling mode , not DC Agent mode.

E is wrong because TCP port 8000 is used for communication between the collector agent and FortiGate , while in agentless polling mode FortiGate polls workstations and that traffic can be sniffed on TCP port 445 .

So the verified answers are: C, D .

To determine the path the traffic will take, we must look at the FortiGate Route Lookup Precedence (Packet Processing Flow) and the specific configurations shown in the exhibit

Analyze the Routing Precedence:

In FortiOS, when a packet arrives (and is not part of an existing session), the FortiGate performs route lookups in a specific order:

Policy Routes: Configured under config router policy (or diagnose firewall proute list). These are checked first. If a packet matches the criteria (Source, Destination, Protocol, Incoming Interface), the Policy Route is used immediately, bypassing the standard routing table.

FIB (Forwarding Information Base): If no Policy Route matches, the device looks at the standard routing table (Static, Connected, Dynamic).

Analyze the Exhibit:

Policy Route Section: The output of diagnose firewall proute list shows an active policy route (id=1).

Destination: 100.65.0.0/255.255.255.0 (Matches the network in the question).

Action: It directs traffic to gateway 10.0.4.253 via oif=6(port4).

Routing Table Section: The output of get router info routing-table database shows multiple routes for 100.65.0.0/24 (Static, OSPF, BGP) all with distance 10. The Static route (S) is currently selected (* > ) in the FIB.

Conclusion:

Because Policy Routes take precedence over the standard routing table (FIB), the FortiGate will forward the traffic using the instructions in Policy Route ID 1. It will not use the Static, BGP, or OSPF routes visible in the routing table for any traffic that matches the policy route ' s criteria (ingress port 3).

The exhibit displays the output from the diagnose debug rating command on a FortiGate device. This command is used to display information about FortiGuard Web Filtering or other security-related queries performed by FortiGate to FortiGuard servers. Official Fortinet documentation outlines the meaning of each field in the server list. The FortiGate maintains a list of available FortiGuard servers, selecting the optimal server based on factors such as weight, round-trip time (RTT), and regional settings.

The very first entry in the server list after " Server List " is the server FortiGate initially uses, prioritized by factors such as proximity and RTT. Here, 64.26.151.37 is listed first, and the FortiGuard-requests value confirms that this server handled the highest number of requests.

The IPs, weights, and lost/failed counters are monitored for server performance and selection over time. FortiGate ' s default operational logic is to try the first entry for contract validation and use the next in the list if the first is unavailable or has high latency or packet loss.

There is no direct correlation between the Weight and the number of FortiGuard-requests. The servers with higher or lower weights may still handle different request volumes based on availability and performance.

The TZ (time zone) value ' s sign (positive or negative) does not affect server preference; it is informational, showing the server ' s location relative to UTC, not a rating metric.

DNS query results for FortiGuard servers are not shown here, and the provided servers are not returned in DNS query order.

This command and interpretation are detailed in the FortiOS Administration Guide’s section describing FortiGuard server selection and contract validation processes.

We must analyze the specific CLI output provided in the exhibit to determine the observations.

Analyze the Command and Output:

Command: # diagnose automation test HAFailOver

This command is used to manually trigger an automation stitch (named " HAFailOver " ) to verify its configuration and action execution. It simulates the trigger event to run the defined actions.

Output: automation test failed(1). stitch:HAFailOver

The output explicitly states that the test failed. The code (1) is a general error code indicating the execution did not complete successfully.

Evaluate the Options:

A. The configuration was backed up:

Incorrect. Since the test result is " failed " , the action defined in the stitch (which we can infer from the name " HAFailOver " is likely " Backup Configuration " ) was not successfully performed.

B. A high availability (HA) failover occurred:

Incorrect. The command diagnose automation test is a simulation tool. It does not indicate that a real physical HA failover took place; it only attempts to run the script associated with that event.

C. The test was unsuccessful:

Correct. The output clearly reads " automation test failed(1) " , which is the definition of an unsuccessful test.

D. The automation stitch test is not being logged:

Correct. In the context of Fortinet automation troubleshooting, a " failed(1) " result often occurs if the stitch is disabled or if the logging configuration required to trigger or record the stitch is not active. Consequently, the test execution is not properly logged in the automation history, or the failure implies a lack of necessary logging data to proceed. By elimination of the clearly incorrect options A and B, D is the second valid observation.

The correct answer is C. 64.26.151.37 .

The study guide explains the FortiGuard flags shown by diagnose debug rating:

D = Default

I = Initial

T = Timing

F = Failed and specifically: “F = The server is down”

So even though 121.111.236.179 has the lowest RTT in the exhibit, it has the F flag, meaning FortiGate considers that server failed/down , so it will not be chosen.

To determine which active server is selected, the FortiOS administration guide states:

“The server list is sorted first by weight. The server with the smallest RTT appears at the top of the list regardless of weight. … Therefore the top position in the list is selected based on RTT while the other positions are based on weight.”

Among the valid, non-failed choices in the exhibit:

64.26.151.37 → RTT 45

209.22.147.36 → RTT 103

96.45.33.65 → RTT 144

208.91.112.194 → RTT 107

The active server with the lowest RTT is 64.26.151.37 , so that is the server FortiGate will choose.

So the verified answer is: C .