Pass the Fortinet Fortinet Certified Solution Specialist FCSS_NST_SE-7.6 Questions and answers with CertsForce

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-Static-URL-filter-actions-explained/ta-p/206632

To establish a functional Security Fabric, specific network and configuration prerequisites must be met to ensure nodes can communicate, authorize, and share telemetry data:

A. You must ensure that TCP port 8013 is not blocked along the way:

TCP port 8013 is the dedicated port for FortiTelemetry (Fabric) communication. If firewalls (intermediate or local) block this port, the Fabric connection between the root and downstream FortiGates will fail.

D. You must authorize the downstream FortiGate on the root FortiGate:

Security Fabric relies on a trust relationship. When a downstream device attempts to join, it appears in the Root FortiGate's dashboard. The administrator must manually authorize this device (unless pre-authorized via serial number) to allow it to join the Fabric topology.

E. You must enable FortiTelemetry on the receiving interface of the upstream FortiGate:

The interface on the Root (upstream) FortiGate that faces the downstream devices must have the "Security Fabric Connection" (formerly CAPWAP/FortiTelemetry) administrative access setting enabled. Without this, the interface will not listen for or accept Fabric connection requests.

Why other options are incorrect:

B: Neighbor Discovery uses standard multicast/broadcast or static settings; changing the port is not a standard requirement.

C: FortiGates can participate in the Security Fabric in either NAT or Transparent mode; Transparent mode is not a mandatory requirement for the Fabric itself.

According to RFC 7296 (IKEv2) and Fortinet's official documentation, the IKE_SA_INIT exchange is responsible for negotiating cryptographic parameters, performing the initial Diffie-Hellman exchange, and implementing the cookie challenge mechanism for DoS protection. When the responder suspects a DoS attack (such as mass requests by the same source), it includes a cookie in the IKE_SA_INIT response. The initiator must return the cookie in its next request to prove that it truly exists at the IP address it claims, thereby mitigating resource exhaustion attacks.

This two-step exchange ensures the responder only allocates resources after successful proof of address, aligning with best security practices. Fortinet documentation confirms that this process occurs strictly in the IKE_SA_INIT phase, not in subsequent IKE_Auth or CHILD_SA exchanges.

The get router info ospf database brief output on FGT-2 clearly indicates that Area 0.0.0.5 is configured as a [Stub] area.

In OSPF, a Stub Area is specifically designed to reduce the size of the Link State Database (LSDB) on internal routers. The primary behavior of a Stub area is that it does not accept Type 5 (AS External) LSAs.

FGT-3 is the ASBR (Autonomous System Border Router) and is importing static routes, which are generated as Type 5 LSAs in the OSPF domain.

FGT-1 acts as the ABR (Area Border Router). Because Area 0.0.0.5 is a Stub area, FGT-1 blocks these Type 5 LSAs from entering Area 0.0.0.5.

Consequently, FGT-2 will not receive the specific external routes advertised by FGT-3. Instead, the ABR (FGT-1) injects a default route (0.0.0.0/0) into the Stub area to allow connectivity to the external world, which is visible in the database output.

While the question text mentions FGT-3 not receiving routes, the definitive configuration shown in the exhibit is the Stub area setting, which directly corresponds to the blocking of Type 5 LSA propagation (Option A).

To determine the behavior, we must analyze the memory thresholds and the current status shown in the exhibit:

Analyze the Thresholds (The Three States):

Green (Exit): 82% (Memory usage is safe).

Red (Enter Conserve Mode): 88% (Memory usage is high; action is required).

Extreme (Kernel Conserve Mode): 95% (Memory is critical; drastic action is required).

Determine the Current State:

Current Memory Used: 89%.

Since 89% is greater than the Red threshold (88%) but lower than the Extreme threshold (95%), the FortiGate is in Red Conserve Mode (User-space conserve mode), not Extreme mode.

Evaluate the Behavior in "Red" Mode:

In Red Conserve Mode, the FortiGate's primary goal is to prevent memory exhaustion while still processing traffic if possible.

Proxy-based inspection (handled by the WAD process) is memory-intensive because it buffers content. To save memory, the system stops accepting new sessions that require proxy-based inspection.

Flow-based inspection (handled by the IPS engine) streams data and consumes significantly less memory. Therefore, in Red mode, the system typically continues to allow and inspect flow-based sessions.

Option A correctly describes this split behavior: allowing flow-based (lighter) but blocking proxy-based (heavier).

Why other options are incorrect:

B: If memory increases another 6% (89% + 6% = 95%), the device hits the Extreme threshold. At 95%, the kernel begins dropping all new sessions to prevent a system crash. Thus, it will not continue to allow sessions.

C: This describes "Fail-Open" behavior (passing traffic without inspection). While configurable (set av-failopen pass), the default is usually "Fail-Close" (blocking). More importantly, the distinction between flow and proxy availability is the key architectural feature of Red mode.

D: Blocking all new sessions regardless of type is the behavior of Extreme Conserve Mode (95%). Since the device is only at 89%, this drastic measure is not yet active.

Analyze the "Send to Application Layer" Message:

The most critical line in the debug output is: id=65308 ... func=av_receive ... msg="send to application layer"

Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.

Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a "send to application layer" message for standard web filtering.

Evaluate Option B (Firewall Policy Mode):

Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path. Thus, Option B is correct.

Evaluate Option C (Web Filter Profile Mode):

In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.

Why Option A is Incorrect (NPU Offload):

The output shows npu_state=0x100. In the context of a flow trace where traffic is being "sent to application layer," this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.

Why Option D is Incorrect (Port Mapping):

While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct "observations" derived from the log data.

To understand why Type 5 LSAs (AS External LSAs) are missing from the Link-State Database (LSDB), we must look at how OSPF generates and propagates them:

A. There is no autonomous system border router (ASBR) in the network:

Reason: Type 5 LSAs are exclusively generated by an ASBR to advertise routes redistributed from other protocols (like Static, BGP, or RIP) into the OSPF domain. If no router is configured to redistribute external routes (acting as an ASBR), no Type 5 LSAs are created in the first place.

C. The local router is located in a stub area:

Reason: By definition, a Stub Area (and a Totally Stubby Area) prevents Type 5 LSAs from entering. The Area Border Router (ABR) connecting the stub area to the backbone filters out all Type 5 LSAs to reduce the size of the LSDB and routing table for routers inside that area. Instead, a default route is usually injected.

Why other options are incorrect:

B: While database filtering exists, standard prefix-list filtering typically affects the routing table (RIB) generation, not the underlying LSDB propagation of Type 5 LSAs, or it is less common than the architectural reasons (Stub/No ASBR).

D: IP Protocol 89 is the transport for OSPF itself. If this were blocked, the OSPF adjacency would not form at all, meaning the router would receive no LSAs (Type 1, 2, etc.), not specifically just Type 5.