Fortinet NSE5_FSW_AD-7.6 Exam Questions
Fortinet NSE 5 - FortiSwitch 7.6 Administrator (Page 11)

Updated On: 20-Mar-2026

Which drop policy mode, if assigned to a congested port, will drop incoming packets until there is no congestion on the egress port?

  A. Tail-drop mode
  B. Weighted round robin mode
  C. Random early detection mode
  D. Strict mode

Answer(s): A

Explanation:

Tail-drop mode is a congestion management technique used in network devices, including FortiSwitches, to handle congestion on network ports:

Tail-Drop Mode (A):

Behavior: When a queue reaches its maximum capacity on a congested port, tail-drop mode simply drops any incoming packets that arrive after the buffer is full. This continues until the congestion is alleviated and there is space in the queue to accommodate new packets.

Application: This is a straightforward approach used when the device's buffer allocated to the port becomes full due to sustained high traffic, preventing buffer overflow and maintaining system stability.


Reference:

For more details on congestion management techniques and settings on FortiSwitch, you can refer to the configuration manuals available on: Fortinet Product Documentation



On supported FortiSwitch models, which access control list (ACL) stage is recommended for applying actions before the switch performs any layer 2 or layer 3 processing? (Choose one answer)

  A. Ingress
  B. Forwarding
  C. Egress
  D. Prelookup

Answer(s): D

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the NSE 5 FortiSwitch 7.6 Administrator Study Guide, FortiSwitch supports a multi-stage ACL pipeline that allows for granular traffic control at different points in a packet's journey through the switch. The documentation identifies three primary stages for ACL application: Prelookup, Ingress, and Egress.

Prelookup (Option D): This is the earliest stage in the switching pipeline. The documentation explicitly states that Prelookup ACLs are processed before any Layer 2 or Layer 3 lookups are performed by the switch hardware. This stage is highly recommended for high-performance security actions, such as dropping unwanted traffic immediately upon arrival, because it prevents the switch from wasting internal resources (CPU and ASIC lookup cycles) on frames that are destined to be discarded anyway.

Ingress (Option A): This stage occurs after the switch has completed its Layer 2 (MAC table) and Layer 3 (routing table) lookups but before the packet is queued for the egress port. While powerful, actions here occur after initial processing has already taken place.

Egress (Option C): This stage is processed just before the frame leaves the switch through the destination port. It is typically used for final modifications or filtering based on the outgoing interface context.

Therefore, to achieve the goal of applying actions before any Layer 2 or Layer 3 processing occurs, the Prelookup stage is the technically correct and recommended choice in FortiSwitchOS 7.6. Forwarding (Option B) is a general functional stage of a switch but is not a specific ACL stage type in the FortiSwitch configuration hierarchy.




How does FortiSwitch determine the route for traffic traversing its interfaces? (Choose one answer)

  A. Hardware-based routing on FortiSwitch is handled by the CPU.
  B. ASIC hardware routing can handle only dynamic routing, if supported.
  C. FortiSwitch looks up the hardware routing table and then the forwarding information base (FIB).
  D. FortiSwitch forwards all traffic to FortiGate for routing decisions.

Answer(s): C

Explanation:

FortiSwitch determines how traffic is routed by leveraging a two-tier routing lookup mechanism that prioritizes hardware-based forwarding before software-based processing. According to the FortiSwitchOS 7.6 Administrator Guide, FortiSwitch first checks the hardware routing table, which is populated with a subset of routes installed from the Forwarding Information Base (FIB) and programmed directly into the switch ASIC.

The hardware routing table contains routes that are eligible for ASIC acceleration. When a packet arrives on a FortiSwitch interface, the switch performs a lookup in this hardware routing table. If a matching route is found, the packet is forwarded at wire speed using ASIC-based forwarding, which provides optimal performance and minimal latency. This process is referred to as hardware-based routing.

If no matching route exists in the hardware routing table, FortiSwitch then performs a lookup in the Forwarding Information Base (FIB), which resides in the kernel. Routes in the FIB are handled by the CPU and processed through software-based routing. This fallback mechanism ensures correct forwarding behavior even when routes cannot be offloaded to hardware.

The FortiSwitchOS documentation explicitly states that the hardware routing table indicates which routes in the FIB are installed in hardware. This confirms that routing decisions are not exclusively offloaded to FortiGate, nor are they limited to CPU-based processing alone. Instead, FortiSwitch uses a hierarchical lookup order: hardware routing table first, followed by the FIB.

Therefore, the correct and fully documented answer is C: FortiSwitch looks up the hardware routing table and then the forwarding information base (FIB).
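The two-tier order described above can be modelled in a few lines. The following is an added illustration, not FortiSwitch code or anything from the Fortinet guides: a longest-prefix lookup is run against a hardware table (a subset of the FIB, standing in for the ASIC) first and against the full FIB only on a miss, and each result reports which path answered. The prefixes, next hops and the helper names (TwoTierRouter, shadowed_by_hardware) are constructed for the demo.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def longest_match(table: Dict[str, str], dst: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    """Longest-prefix match of dst against a {prefix: next_hop} table; None on no match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


class TwoTierRouter:
    """Toy model (assumption: not the real FortiSwitch data path) of the
    'hardware routing table first, then FIB' lookup order the page describes."""

    def __init__(self, fib: Dict[str, str], hardware_prefixes: List[str]):
        # The hardware table may only hold routes that also exist in the FIB.
        missing = set(hardware_prefixes) - set(fib)
        if missing:
            raise ValueError(f"hardware table references routes not in FIB: {sorted(missing)}")
        self.fib = dict(fib)
        self.hardware = {p: fib[p] for p in hardware_prefixes}

    def lookup(self, dst: str) -> Optional[dict]:
        """Hardware (ASIC) table first; fall back to the kernel FIB on a miss."""
        hit = longest_match(self.hardware, dst)
        if hit:
            return {"prefix": str(hit[0]), "next_hop": hit[1], "path": "hardware"}
        hit = longest_match(self.fib, dst)
        if hit:
            return {"prefix": str(hit[0]), "next_hop": hit[1], "path": "software"}
        return None

    def shadowed_by_hardware(self) -> List[str]:
        """FIB-only routes that are more specific than an installed hardware route.
        With a strict hardware-first order such routes would never be consulted,
        so this is the operational check worth running on a real route dump."""
        hw_nets = [ipaddress.ip_network(p, strict=False) for p in self.hardware]
        shadowed = []
        for prefix in self.fib:
            if prefix in self.hardware:
                continue
            net = ipaddress.ip_network(prefix, strict=False)
            if any(net.prefixlen > hw.prefixlen and net.subnet_of(hw) for hw in hw_nets):
                shadowed.append(prefix)
        return sorted(shadowed)


def build_demo_router() -> TwoTierRouter:
    """Constructed sample tables: two routes offloaded to 'hardware', two FIB-only."""
    fib = {
        "0.0.0.0/0": "10.0.0.1",        # default route, software only in this demo
        "10.1.0.0/16": "10.0.0.2",      # offloaded
        "10.1.2.0/24": "10.0.0.3",      # more specific, but FIB only
        "192.168.50.0/24": "10.0.0.4",  # offloaded
    }
    return TwoTierRouter(fib, ["10.1.0.0/16", "192.168.50.0/24"])


if __name__ == "__main__":
    r = build_demo_router()
    for dst in ("10.1.9.9", "192.168.50.7", "172.16.3.3", "10.1.2.3"):
        print(dst, "->", r.lookup(dst))
    print("shadowed FIB-only routes:", r.shadowed_by_hardware())
```

Run as written, 10.1.9.9 and 192.168.50.7 are answered by the hardware table, 172.16.3.3 misses hardware and falls back to the FIB default route, and 10.1.2.3 is answered by the hardware 10.1.0.0/16 entry even though the FIB holds a more specific 10.1.2.0/24; shadowed_by_hardware() flags exactly that route. Whether a real switch installs overlapping more-specific routes in hardware is something to confirm against the device's own route display, not something this toy decides.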



Which statement about the use of the switch port analyzer (SPAN) packet capture method is true?

  A. Mirrored traffic can be sent across multiple switches.
  B. SPAN can be configured only on a standalone FortiSwitch.
  C. Traffic on the management interface can be mirrored and captured by the monitoring device.
  D. The monitoring device must be connected to the same switch where the traffic is being mirrored.

Answer(s): A

Explanation:

The correct statement about using the Switch Port Analyzer (SPAN) packet capture method on FortiSwitch is that "Mirrored traffic can be sent across multiple switches (A)." This feature allows for extensive traffic analysis as it enables network administrators to configure SPAN sessions that span across different switches, thereby providing the capability to monitor traffic across a broad segment of the network infrastructure.



When Dynamic Host Configuration Protocol (DHCP) snooping is enabled on a FortiSwitch VLAN, which two statements are true? (Choose two answers)

  A. DHCP replies are accepted only on trusted ports.
  B. DHCP snooping blocks all unicast traffic.
  C. Option 82 can be inserted into DHCP requests.
  D. DHCP requests are dropped if sent from trusted ports.

Answer(s): A,C

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the FortiLink 7.6 Study Guide, DHCP snooping is a security feature that prevents rogue DHCP servers from distributing incorrect IP addresses on a network. Once enabled for a specific VLAN, the switch differentiates between trusted and untrusted ports to regulate DHCP traffic.

Trusted Ports and DHCP Replies (Option A): In a managed FortiSwitch environment, all ports are untrusted by default. To allow a DHCP server (such as a FortiGate or an external server) to provide IP addresses, the administrator must explicitly set the connecting port as trusted. DHCP snooping validates incoming packets; it allows DHCP server messages (such as DHCPOFFER and DHCPACK) only on these trusted ports. Any DHCP server reply arriving on an untrusted port is identified as coming from a potentially rogue source and is discarded by the switch.

Option 82 Data Insertion (Option C): FortiSwitch supports DHCP Option 82 (also known as the Relay Information Option), which provides additional security by appending location-specific information (such as the Circuit ID and Remote ID) to DHCP request packets. When DHCP snooping is active, the switch can be configured to insert this data into client requests as they enter untrusted ports. This allows the upstream DHCP server to identify the specific physical port or VLAN from which the request originated, even if the server is located in a different subnet.

Regarding the incorrect options: Option B is false as DHCP snooping only inspects and filters DHCP-specific traffic, not general unicast data. Option D is incorrect because DHCP requests (client-to-server) are generally permitted on all ports to ensure clients can find a server, though some configurations allow dropping requests from untrusted sources if they do not meet specific security criteria.


