Fortinet NSE5_FSW_AD-7.6 Exam Questions
Fortinet NSE 5 - FortiSwitch 7.6 Administrator (Page 3)

Updated On: 20-Mar-2026

Refer to the exhibits. An IP phone is connected to port1 of FortiSwitch Access-1. The IP phone tags its traffic with VLAN ID 20. On FortiGate, VLAN IP_Phone (VLAN ID 20) has been configured, and port1 of Access-1 is set with VLAN 20 as the native VLAN. However, the IP phone cannot reach the network. The exhibit shows the partial VLAN configuration and the port1 configuration on Access-1.

Which configuration change must you make on FortiSwitch to allow ingress and egress traffic for the IP phone? (Choose one answer)

  1. On VLAN IP_Phone, enable vlanforward
  2. On VLAN IP_Phone, enable l2forward
  3. On port1, add VLAN 20 to the allowed_vlans list
  4. On port1, disable the edge_port

Answer(s): C

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and FortiOS 7.6 FortiLink Guide, the processing of Ethernet frames on a managed FortiSwitch port depends on whether the frame is tagged or untagged upon arrival (ingress) and how the port's VLAN membership is defined.

In the provided exhibit, port1 is configured with set vlan "IP_Phone" (VLAN 20) as its native VLAN. By definition, the native VLAN handles untagged traffic; any untagged frame arriving at the port is assigned to VLAN 20, and any egress traffic from VLAN 20 is sent out of the port without a tag. However, the scenario specifically states that the IP phone tags its traffic with VLAN ID 20.

When a FortiSwitch receives a tagged frame, it checks the VLAN ID against the allowed-vlans list configured on that port. Although VLAN 20 is the native VLAN, the exhibit shows that the port has been explicitly configured with set allowed-vlans "quarantine". This creates a restrictive filter that permits only tagged frames belonging to the "quarantine" VLAN to enter or exit the port. Because VLAN 20 (IP_Phone) is not present in the allowed-vlans list, the switch drops the tagged frames from the IP phone during ingress processing.

To resolve this, the administrator must modify the FortiSwitch port configuration by adding VLAN 20 to the allowed_vlans list (e.g., set allowed-vlans "quarantine" "IP_Phone" or set allowed-vlans-all enable). This ensures that the switch recognizes and permits tagged traffic for VLAN 20 on that physical interface. Option B is incorrect because l2forward is a Layer 3 interface setting on the FortiGate and does not address the physical port's ingress filtering logic on the switch. Disabling the edge_port (Option D) relates to Spanning Tree Protocol (STP) convergence and would not impact VLAN tag filtering.
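The ingress decision described in this explanation, written out as a small Python model (an added example, not FortiSwitch code and not part of the original page). The class and function names are hypothetical, and the quarantine VLAN ID is an assumed value because the page does not give it.

```python
from dataclasses import dataclass, field
from typing import Optional

# VLAN 20 (IP_Phone) is from the question; the quarantine ID is an assumed value.
VLAN_IDS = {"IP_Phone": 20, "quarantine": 4093}


@dataclass
class PortConfig:
    native_vlan: str                                  # "set vlan"
    allowed_vlans: set = field(default_factory=set)   # "set allowed-vlans"
    allowed_vlans_all: bool = False                   # "set allowed-vlans-all enable"


def ingress_vlan(port: PortConfig, tag: Optional[int]) -> Optional[str]:
    """Return the VLAN a frame is placed in on ingress, or None if it is dropped.

    tag is the 802.1Q VLAN ID carried by the frame, or None for an untagged frame.
    """
    if tag is None:
        return port.native_vlan       # untagged frames join the native VLAN
    for name, vid in VLAN_IDS.items():
        if vid == tag:
            if port.allowed_vlans_all or name in port.allowed_vlans:
                return name           # tagged frame passes the allowed-vlans filter
            return None               # known VLAN, but filtered on this port
    return None                       # tag matches no configured VLAN


def phone_results() -> dict:
    """Run the phone's tagged frame (VLAN 20) through three port1 configurations."""
    configs = {
        "exhibit": PortConfig("IP_Phone", {"quarantine"}),
        "fixed_list": PortConfig("IP_Phone", {"quarantine", "IP_Phone"}),
        "fixed_all": PortConfig("IP_Phone", {"quarantine"}, allowed_vlans_all=True),
    }
    return {name: ingress_vlan(cfg, 20) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, vlan in phone_results().items():
        print(f"{name:10s} tagged 20 -> {vlan or 'dropped'}")
    # An untagged device on the exhibit port still lands in the native VLAN.
    exhibit = PortConfig("IP_Phone", {"quarantine"})
    print("exhibit    untagged  ->", ingress_vlan(exhibit, None))
```

The model covers ingress only; it shows why a native-VLAN setting alone does not admit a frame that arrives already tagged with that VLAN ID.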



Refer to the exhibit.



The profile shown in the exhibit is assigned to a group of managed FortiSwitch ports, and these ports are connected to endpoints which are powered by PoE.

Which configuration action can you perform on the LLDP profile to cause these endpoints to exchange PoE information and negotiate power with the managed FortiSwitch?

  1. Create a new LLDP-MED application type to define the PoE parameters.
  2. Assign a new LLDP profile to handle different LLDP-MED TLVs.
  3. Define an LLDP-MED location ID to use standard protocols for power.
  4. Add power management as part of LLDP-MED TLVs to advertise.

Answer(s): D

Explanation:

To cause endpoints to exchange PoE information and negotiate power with the managed FortiSwitch via LLDP, you should configure the LLDP profile to include power management in the advertised LLDP-MED TLVs. Here are the steps:

Access the LLDP Profile Configuration: Start by entering the LLDP profile configuration mode with the command:

    config switch-controller lldp-profile
    edit "LLDP-PROFILE"

Enable MED-TLVs: Ensure that MED-TLVs (Media Endpoint Discovery TLVs) are enabled. These TLVs are used for extended discovery relating to network policies, including PoE, and are essential for PoE negotiation. They include power management, which is crucial for the negotiation of PoE parameters between devices. The command to ensure network policies are set might look like:

    set med-tlvs network-policy

Add Power Management TLV: Specifically add or ensure the power management TLV is part of the configuration. This will advertise the PoE capabilities and requirements, enabling dynamic power allocation between the FortiSwitch and the connected devices (like VoIP phones or wireless access points). This can typically be done within the network-policy settings:

    config med-network-policy
    edit <policy_index>
    set poe-capability
    next
    end

Save and Apply Changes: Exit the configuration blocks properly, ensuring changes are saved:

    end

Verify Configuration: It's always good practice to verify that your configurations have been applied correctly. Use the appropriate show or get commands to review the LLDP profile settings.

By adding the power management as part of LLDP-MED TLVs, the FortiSwitch will be able to communicate its power requirements and capabilities to the endpoints, thereby facilitating a dynamic power negotiation that is crucial for efficient PoE utilization.


Reference:

For more detailed information and additional configurations, you can refer to the FortiSwitch Managed Switches documentation available on Fortinet's official documentation site: Fortinet Product Documentation



Which two are valid traffic processing actions that a FortiSwitch access control list (ACL) can apply to matching traffic? (Choose two answers)

  1. Redirect frames to another port.
  2. Assign traffic to a high-priority egress queue.
  3. Encrypt frames.
  4. Drop frames.

Answer(s): A,D

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the NSE 5 FortiSwitch Study Guide, Access Control Lists (ACLs) are used to provide granular control over the traffic entering or leaving a switch port. ACLs function by defining classifiers (to match specific traffic based on criteria like MAC address, IP address, or VLAN ID) and then applying specific actions to that matched traffic.

The documentation explicitly categorizes ACL actions into three distinct groups:

Traffic Processing: This category includes actions that dictate the physical handling of the frame. Valid actions listed in the official documents under this header include count (to track packet volume), drop (to block the traffic), redirect (to forward the frame to a specific physical port or interface instead of its original destination), and mirror (to send a copy to a monitoring port).

Quality of Service (QoS): This category focuses on traffic prioritization and bandwidth management. It includes actions such as rate limiting, remarking CoS/DSCP values, and setting the egress queue (e.g., assigning a packet to a specific queue number from 0 to 7).

VLAN: This allows for modifications such as setting an outer VLAN tag on frames.

The question specifically asks for "traffic processing actions." Based on the 7.6 documentation, Redirect frames to another port (Option A) and Drop frames (Option D) are explicitly defined under the "Traffic Processing" action header. While "Assign traffic to a high-priority egress queue" (Option B) is a valid action an ACL can perform, it is technically categorized as a QoS action, not a traffic processing action. Encrypt frames (Option C) is not a supported ACL action on FortiSwitch hardware, as encryption is typically handled at higher layers or via dedicated MACsec configurations on specific models.



Which statement about the IGMP snooping querier when enabled on a VLAN is true?

  1. Active multicast receiver entries are aging on each IGMP query sent on the VLAN
  2. IGMP reports on the VLAN are forwarded to all switch ports.
  3. The setting can only be enabled using the FortiSwitch CLI.
  4. All other indirectly connected switches will be unable to get IGMP multicast traffic.

Answer(s): A

Explanation:

Active multicast receiver entries are aging on each IGMP query sent on the VLAN (A): When IGMP snooping querier is enabled on a VLAN, it functions to manage multicast traffic within the VLAN by keeping track of multicast group memberships. The IGMP querier sends queries to determine which ports require the multicast traffic. The multicast receiver entries, which are entries that indicate which devices have requested the multicast data, age or time out based on these IGMP queries. Each query refreshes active connections but ages out entries that no longer respond, helping to ensure that multicast traffic is only sent to ports with active receivers.



Refer to the exhibit.



The security port policy is configured as shown in the exhibit.
Which behavior occurs if a device connected to the port does not support 802.1X? (Choose one answer)

  1. The device is blocked from accessing the network.
  2. The device is placed into the onboarding VLAN.
  3. The device is placed into the quarantine VLAN.
  4. The device is assigned to the default management VLAN.

Answer(s): B

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide, the interaction between a managed switch and a connected endpoint depends on whether the endpoint can participate in the 802.1X authentication process. When a security policy is applied to a port, the switch sends EAP (Extensible Authentication Protocol) requests to the device to initiate the login.

The FortiSwitch handles two primary failure scenarios differently:

Non-supplicant (No 802.1X Support): If a device, such as a legacy PC or a basic printer, does not have an 802.1X supplicant, it will not respond to the switch's EAP requests. In this case, the switch waits for the duration specified in the Guest authentication delay field (30 seconds in the exhibit). Once this timer expires without a response, the switch places the device into the Guest VLAN. As shown in the exhibit, the Guest VLAN is explicitly set to "onboarding.fortilink (onboarding)".

Authentication Failure: If a device does support 802.1X but the user provides incorrect credentials, the RADIUS server returns an Access-Reject message. In this scenario, the device is moved to the Authentication fail VLAN, which the exhibit identifies as "quarantine.fortilink (quarantine)".

Note: Because MAC authentication bypass (MAB) is disabled in the exhibit, the switch will not attempt to authenticate the device's MAC address against the RADIUS server before defaulting to the Guest VLAN. Therefore, for any device lacking an 802.1X supplicant, the result is placement into the onboarding VLAN.
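The fallback logic from this explanation as a Python decision model, useful when reviewing where an unauthenticated device ends up under a given security policy (an added example, not FortiSwitch code and not part of the original page). All names are hypothetical; the "blocked" result when a fallback VLAN is disabled and the MAB success path are assumptions of the model, since the page describes neither in detail.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecurityPolicy:
    guest_vlan: Optional[str]        # None = Guest VLAN disabled
    guest_auth_delay: int            # seconds to wait for an EAP response
    auth_fail_vlan: Optional[str]    # None = Authentication fail VLAN disabled
    mab: bool                        # MAC authentication bypass


@dataclass
class Endpoint:
    has_supplicant: bool
    credentials_valid: bool = False  # RADIUS answer to the 802.1X attempt
    mac_in_radius: bool = False      # RADIUS answer to a MAB attempt


# Values read from the exhibit as the explanation describes it.
EXHIBIT = SecurityPolicy(guest_vlan="onboarding", guest_auth_delay=30,
                         auth_fail_vlan="quarantine", mab=False)


def port_state(policy: SecurityPolicy, ep: Endpoint, elapsed: int) -> str:
    """VLAN or state of the port `elapsed` seconds after the device connects."""
    if ep.has_supplicant:
        if ep.credentials_valid:
            return "authorized"                     # Access-Accept
        return policy.auth_fail_vlan or "blocked"   # Access-Reject (fallback assumed)
    # No supplicant: the switch's EAP requests go unanswered.
    if policy.mab and ep.mac_in_radius:
        return "authorized"                         # assumed MAB success path
    if elapsed < policy.guest_auth_delay:
        return "unauthorized"                       # delay timer still running
    return policy.guest_vlan or "blocked"           # Guest VLAN after the delay


if __name__ == "__main__":
    printer = Endpoint(has_supplicant=False)
    bad_login = Endpoint(has_supplicant=True, credentials_valid=False)
    for label, ep, t in [("printer @10s", printer, 10), ("printer @30s", printer, 30),
                         ("bad login", bad_login, 30)]:
        print(f"{label:13s} -> {port_state(EXHIBIT, ep, t)}")
```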


