FCSS_NST_SE-7.6: FCSS - Network Security 7.6 Support Engineer
Free Practice Exam Questions (Page 11)
Updated On: 10-Jan-2026

In which two states is a given session categorized as ephemeral? (Choose two.)

  1. A UDP session with only one packet received
  2. A UDP session with packets sent and received
  3. A TCP session waiting for the SYN ACK
  4. A TCP session waiting for FIN ACK

Answer(s): A,C



Refer to the exhibit, which shows the output of get router info bgp summary.



Which two statements are true? (Choose two.)

  1. The local FortiGate has received one prefix from BGP neighbor 100.64.1.254.
  2. The TCP connection with BGP neighbor 100.64.2.254 was successful.
  3. The local FortiGate has received 18 packets from a BGP neighbor.
  4. The local FortiGate is still calculating the prefixes received from BGP neighbor 100.64.2.254.

Answer(s): A,C

Explanation:

The get router info bgp summary output lists BGP neighbor status:

Prefix Reception: The "State/PfxRcd" column shows the number of prefixes received from the neighbor; neighbor 100.64.1.254 has "1", confirming option A.

Received Message Count: Under "MsgRcvd", 18 packets have been received from neighbor 100.64.1.254. This matches option C.

The second neighbor 100.64.2.254 is in "Active" state and has received/sent 0 packets, indicating that its TCP connection is NOT established, disproving option B.

There is no indication anywhere that the router is "still calculating" prefixes; "Active" just means no session is established, so option D is incorrect.


Reference:

FortiOS BGP Command
BGP Neighbor States, PfxRcd, and Counters



Which exchange takes care of DoS protection in IKEv2?

  1. Create_CHILD_SA
  2. IKE_Auth
  3. IKE_Req_INIT
  4. IKE_SA_INIT

Answer(s): C

Explanation:

The IKE_SA_INIT exchange in IKEv2 is responsible for DoS protection measures. During IKE_SA_INIT, before authentication and further exchange, the responder can use cookie challenges (per RFC 7296 and Fortinet VPN documentation). If a DoS attack is suspected (many requests from the same source), the responder replies with a cookie. Only after the initiator returns the correct cookie does the exchange proceed, protecting the responder from state exhaustion and certain forms of DoS traffic at the handshake stage.


Reference:

FortiOS VPN Manual: IKEv2 Exchange Process and DoS Protections

IKEv2 RFC 7296: Description of IKE_SA_INIT and DoS Cookie Mechanism



Refer to the exhibit, which shows a partial output of the fssod daemon real-time debug command.



What two conclusions can you draw from the output? (Choose two.)

  1. The workstation with IP 10.124.2.90 will be polled frequently using TCP port 445 to see if the user is still logged on.
  2. The logon event can be seen on the collector agent installed on Windows.
  3. FSSO is using DC agent mode to detect logon events.
  4. FSSO is using agentless polling mode to detect logon events.

Answer(s): A,D

Explanation:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

From the snippet we can see that FortiGate (via the fssod daemon) is directly detecting the user logon rather than relying on a separate "collector" or "DC agent." This indicates agentless polling: FortiGate polls the DC's event logs over TCP 445 to discover logons. So:

- FSSO is using agentless polling mode to detect logon events
- In agentless mode, FortiGate will periodically poll the same IP (the DC) on port 445 to see if the user is still logged on



An administrator wants to capture encrypted phase 2 traffic between two FortiGate devices using the built-in sniffer.

If the administrator knows that there is no NAT device located between both FortiGate devices, which command should the administrator run?

  1. diagnose sniffer packet any 'udp port 500'
  2. diagnose sniffer packet any 'ip proto 50'
  3. diagnose sniffer packet any 'udp port 4500'
  4. diagnose sniffer packet any 'ah'

Answer(s): B

Explanation:

To capture encrypted IPsec phase 2 (ESP) traffic between two FortiGate devices, the correct protocol filter to use is ip proto 50. According to the Fortinet official sniffing and debugging documentation, ESP (Encapsulating Security Payload) is used for encrypted phase 2 payload transfer and always uses IP protocol number 50. Running the command diagnose sniffer packet any 'ip proto 50' captures only ESP packets, which represent the encrypted traffic, whether originating or transiting the device.

If there is no NAT device between FortiGates, ESP is not encapsulated in UDP (thus not on UDP port 4500; if NAT-T were required, packets would be UDP-encapsulated, but the scenario explicitly says NAT is not in use). UDP port 500 is for IKE control (negotiation) traffic, and AH (Authentication Header, ip proto 51) is not used for encryption in standard IPsec phase 2 with ESP.

This matches the official CLI reference from Fortinet for VPN and traffic analysis.



Reference:

FortiOS CLI
diagnose sniffer packet, ESP, IP Protocol Numbers

FortiGate VPN Administration Guide: Traffic Capture and Analysis of IPsec Traffic


