Free Fortinet FCSS_NST_SE-7.6 Exam Questions (page: 6)

Which statement about IKEv2 is true?

  1. Both IKEv1 and IKEv2 share the feature of asymmetric authentication.
  2. IKEv1 and IKEv2 have enough of the header format in common that both versions can run over the same UDP port.
  3. IKEv1 and IKEv2 use same TCP port but run on different UDP ports.
  4. IKEv1 and IKEv2 share the concept of phase1 and phase2.

Answer(s): D

Explanation:

IKEv1 (Internet Key Exchange version 1) and IKEv2 are protocols used for establishing IPsec VPN tunnels, and both protocols share the conceptual division into two phases, as clearly described in Fortinet VPN documentation:

Phase 1 handles negotiation and establishment of a secure IKE Security Association (SA) between peers.

Phase 2 negotiates parameters for the IPsec Security Association, which secures actual data traffic between peers.

While IKEv2 streamlines and improves upon IKEv1 by merging some message exchanges and simplifying configuration, it maintains the same core two-phase concept: Phase 1 (IKE SA) and Phase 2 (IPsec SA). This is a foundational VPN concept referenced widely in both IKEv1 and IKEv2 literature.

Other statements are incorrect:

Asymmetric authentication is possible, but not mandatory for both.

Both protocols commonly use UDP port 500, sometimes 4500 for NAT traversal, but they are not designed to run on TCP.

The protocol feature compatibility over TCP/UDP is not correctly described in the other options.


Reference:

FortiOS Administration Guide: IPsec VPN, "IKEv1 vs. IKEv2 Concepts and Phase Negotiations"

RFCs and Fortinet VPN solution guides on phase structure



Exhibit 1.



Exhibit 2.



Refer to the exhibits, which show the configuration on FortiGate and partial internet session information from a user on the internal network.

An administrator would like to test session failover between the two service provider connections.

Which two changes must the administrator make to force this existing session to immediately start using the other interface? (Choose two.)

  1. Change the priority of the port1 static route to 11.
  2. Change the priority of the port2 static route to 5.
  3. Configure unset snat-route-change to return it to the default setting.
  4. Configure set snat-route-change enable.

Answer(s): A,D

Explanation:

FortiOS Admin Guide: Static Routing, SNAT Route Change Feature



Refer to the exhibit, which shows the output of a debug command.



Which two statements about the output are true? (Choose two.)

  1. The interface is part of the OSPF backbone area.
  2. There are a total of five OSPF routers attached to the port4 network segment.
  3. One of the neighbors has a router ID of 0.0.0.4.
  4. In the network connected to port4, two OSPF routers are down.

Answer(s): A,B


Reference:

FortiOS Admin Guide: OSPF, Debug Outputs



Refer to the exhibit.



Which three pieces of information does the diagnose sys top command provide? (Choose three.)

  1. The miglogd daemon is running on CPU core ID 0.
  2. The diagnose sys top command has been running for 18 minutes.
  3. The miglogd daemon would be on top of the list, if the administrator pressed m on the keyboard.
  4. The cmdbsvr process is occupying 2.4% of the total user memory space.
  5. If the newcli daemon continues to be in the R state, it will need to be manually restarted.

Answer(s): A,C,D

Explanation:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-diagnose-sys-top-CLI-command/ta-p/190238



Refer to the exhibit, which shows the output of the BGP database.



Which two statements are correct? (Choose two.)

  1. The advertised prefix of 10.20.30.0/24 was configured using the network command.
  2. The first four prefixes are being advertised using a legacy route advertisement.
  3. The advertised prefix of 10.20.30.0/24 is being advertised through the redistribution of another routing protocol.
  4. The output shows all prefixes advertised by all neighbors as well as the local router.

Answer(s): A,D

Explanation:

For Option A:
In Fortinet BGP (and standard BGP), when a prefix is displayed with an "i" (lowercase i) in the Path column, it represents an internal prefix that originated from the local router, typically configured via the BGP "network" command. In the exhibit, the prefix 10.20.30.0/24 is listed with a Path value of i, indicating it was injected into BGP by the local router using the network statement, not via redistribution from another routing protocol. This matches the documented behavior: "Origin code 'i' means the route was injected via the network command."

For Option D:
The get router info bgp network output is a summary table displaying both local and received BGP routes. It lists all known routes to the BGP process, whether received from peers or originated locally. The exhibit shows all BGP prefixes known to the local router, matching the official admin guide's description of this command's output.

Explanation for B and C:

The phrase "legacy route advertisement" is not formalized in BGP documentation or Fortinet's admin guide; the output uses standard BGP mechanics.

If a route was redistributed into BGP from another routing protocol, the Path field would display a "?" (question mark) for incomplete (redistributed) origin. Here the /24 route has "i" so it is NOT a redistribution.


Reference:

FortiOS Administration Guide: BGP Configuration and Route Table Interpretation

Official BGP Command

Show BGP Network, Path Codes, Route Origination Indicators


