Refer to the exhibit. A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Fortinet_FCSS_EFW_AD-7.6/page_26_img_1.jpg The template is not assigned even though the configuration has already been installed on FortiGate. What is true about this scenario?

Pre-run CLI templates are automatically unassigned after their initial installation

The administrator did not assign the template correctly when adding the model device because pre-CLI templates remain permanently assigned to the firewall

Pre-run CLI templates are automatically unassigned after their initial installation

Pre-run CLI templates for ZTP and LTP must be unassigned manually after the first installation to avoid conflicting error objects when importing a policy package

The administrator must use post-run CLI templates that are designed for ZTP and LTP

Refer to the exhibit, which shows an ADVPN network https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Fortinet_FCSS_EFW_AD-7.6/page_24_img_1.jpg An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What two options must the administrator configure in BGP? (Choose two.)

set ebgp-enforce-multrhop enable

Refer to the exhibit, which contains a partial command output. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Fortinet_FCSS_EFW_AD-7.6/page_29_img_1.jpg The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit. What configuration must the administrator consider next?

Configure a static route to 100.65.4.1.

Configure the local AS to 65300.

Contact the remote peer administrator to enable BGP

Refer to the exhibit. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Fortinet_FCSS_EFW_AD-7.6/page_56_img_1.jpg An administrator is deploying a hub and spokes network and using OSPF as dynamic protocol. Which configuration is mandatory for neighbor adjacency?

Set network-type point-to-multipoint in the hub interface

View FCSS_EFW_AD-7.6 Exam Questions

Q: 1

How will configuring set tcp-mss-sender and set tcp-mss-receiver in a firewall policy affect the size and handling of TCP packets in the network?

Options

Discussion

Luna N. Feb 22, 2026 5:11 am

Option B

Nathan G. Mar 3, 2026 12:56 am

C tbh, seems like a reasonable answer since the MSS config should consider headers and payload to avoid fragmentation. Trap is that C makes it sound more manual than how FortiGate handles MSS adjustment, but I still think thinking about header size matters here. Not super confident though.

Logan Feb 19, 2026 10:52 pm

Its B, but gotta say Fortinet loves to complicate these MSS settings. Setting tcp-mss-sender and receiver just tells the firewall the max TCP data it can handle per segment, that's it really. Sometimes feels like they're just trying to trip us up!

QuietLearner9586 Feb 27, 2026 7:58 am

B is right. Configuring tcp-mss-sender/receiver sets the max TCP payload per segment, not about headers in this context.

Anita U. Feb 14, 2026 3:28 am

Maybe B. Setting tcp-mss-sender and receiver basically controls the largest payload the device handles per segment, letting FortiGate manage packet sizing. I could see C if you were doing weird manual header stuff, but that's not typical. Thoughts?

Ravi M. Mar 1, 2026 12:57 pm

B or C? B explains how MSS limits the max payload per segment, which matches what I've seen on other exams. But in rare custom tunnel setups you do have to think about header size like C says. FortiGate usually handles headers automatically though. Leaning B but not 100% sure.

Arjun S. Feb 28, 2026 2:29 am

Yeah it's B here

Amelia Q. Feb 18, 2026 6:27 am

Its B for this. Most official Fortinet docs and some practice questions describe set tcp-mss-sender/receiver as controlling the max TCP payload per segment. I think that's what they're getting at, not manual header math like C. But if anyone has found something different in the exam or labs, let us know.

LiamC Feb 17, 2026 6:35 pm

B vs C, but pretty sure it's B. The tcp-mss-sender and receiver just set the max TCP payload per segment that devices can handle. C gets tempting because sometimes you have to factor in headers when tunneling, but here it's about a firewall policy with no tunnel context. Anyone else see B tripping people up for this kind of question?

Aisha M. Feb 19, 2026 6:50 am

Hard to say, it's B here. The tcp-mss-sender/receiver settings just cap the max TCP payload the device will allow in a segment, headers are automatically taken care of under normal configs. C is tempting since header size matters in rare custom tunnel cases, but not for standard policies. Open if anyone disagrees!

Be respectful. No spam.

Correct Answer:

Explanation

The set tcp-mss-sender and set tcp-mss-receiver commands in a FortiGate firewall policy are used to implement TCP Maximum Segment Size (MSS) clamping. The MSS value, exchanged during the TCP three-way handshake, defines the largest TCP payload size that an endpoint can receive in a single segment. By configuring these values, the FortiGate intercepts TCP SYN packets and, if necessary, lowers the advertised MSS. This ensures that the resulting IP packets (TCP payload + TCP/IP headers) do not exceed the Path Maximum Transmission Unit (PMTU), thereby preventing IP fragmentation, which is a common issue in networks with tunnels like IPsec VPNs.

Why Incorrect

A. MSS clamping is a traffic modification mechanism that alters TCP parameters to prevent fragmentation; it does not act as a security filter to allow or deny packets based on their size.

C. The administrator calculates the appropriate MSS value based on the path's MTU, not the other way around. The goal is to control the payload size to fit within the MTU.

D. The FortiGate modifies the MSS value in the TCP SYN packet only if the packet's original MSS is greater than the value configured, in order to reduce it.

---

References

1. Fortinet FortiOS 7.0.0 CLI Reference:

Document: FortiOS 7.0.0 CLI Reference

Section: config firewall policy

Page: 1018

Content: The reference defines tcp-mss-sender and tcp-mss-receiver as commands to configure the "TCP maximum segment size in bytes." It states

"When set to a non-zero value

the FortiGate unit will replace the MSS value in the TCP SYN packet with the value you specify if the original MSS is larger." This confirms the mechanism modifies the maximum payload size.

2. Fortinet FortiOS 7.0.0 Networking Guide:

Document: FortiOS 7.0.0 Networking Guide

Section: Packet fragmentation

Page: 338

Content: "The FortiGate can also perform TCP MSS clamping to reduce the MSS of TCP packets to prevent them from being fragmented... The MSS is the size of the data portion of a TCP packet." This directly supports that the commands determine the largest payload (data portion) of a TCP segment.

3. Fortinet FortiOS 7.0.0 Administration Guide:

Document: FortiOS 7.0.0 Administration Guide

Section: IPsec VPN advanced settings

Page: 518

Content: The guide explains the need for MSS clamping in VPNs: "If the TCP MSS is not set correctly

the TCP packets may need to be fragmented after being encrypted. The FortiGate unit can reduce the MSS in the TCP SYN packet to avoid this." This highlights the function of controlling segment size to prevent fragmentation.

Q: 2

Refer to the exhibit. A pre-run CLI template that is used in zero-touch provisioning (ZTP) and low-touch provisioning (LTP) with FortiManager is shown.

The template is not assigned even though the configuration has already been installed on FortiGate. What is true about this scenario?

Options

Discussion

Emma M. Feb 18, 2026 10:24 pm

Option B, they get auto-unassigned after the first install. Pretty sure that’s how ZTP/LTP pre-run templates work with FortiManager.

NinaV Mar 1, 2026 3:44 am

Wouldn't C be correct if you had to prevent config conflicts by unassigning manually in some scenarios?

Piya T. Feb 18, 2026 11:59 pm

Why would B not need a manual step here? Doesn't it always need some admin intervention on pre-run templates?

Anita I. Mar 5, 2026 3:42 am

I think C fits better for this, since you sometimes have to manually unassign pre-run CLI templates to avoid policy package import issues. Pretty sure that's how it works on some setups, but maybe I'm missing something small here. Agree?

Jason J. Feb 20, 2026 9:41 pm

Yeah that fits with what I've seen too-it's B. FortiManager just unassigns the pre-run CLI template automatically after initial use in ZTP or LTP. If you're not on a much older version, you don't have to do anything extra.

AvaG Feb 27, 2026 6:54 pm

B not C. FortiManager now unassigns pre-run CLI templates automatically after they're pushed out in ZTP or LTP flows. You used to have to do it by hand but on current versions that's handled for you. Correct me if I'm off for a weird firmware build.

Sofia G. Feb 27, 2026 4:25 pm

Feels like B, since FortiManager auto-unassigns pre-run templates after they're used once for ZTP/LTP scenarios. Pretty sure that's always the case unless a custom workflow overrides it, but let me know if someone saw otherwise.

Noah A. Feb 15, 2026 6:00 pm

Makes sense to me, I'd pick B too. FortiManager unassigns pre-run templates automatically after first use.

MethodicalReviewer9861 Mar 6, 2026 2:52 am

Hannah H. Feb 17, 2026 9:19 am

I’d say it's B since FortiManager unassigns pre-run CLI templates automatically after they're installed, that's what the doc and hands-on labs show. Saw a similar question in practice tests, so I'd stick with B unless there's an odd version caveat. Agree?

Be respectful. No spam.

Correct Answer:

Explanation

Pre-run CLI templates used for Zero-Touch Provisioning (ZTP) and Low-Touch Provisioning (LTP) are designed for the initial bootstrapping of a FortiGate. They configure essential settings like interface IP addresses and static routes, enabling FortiManager to establish a connection and perform the first configuration installation. By design, FortiManager automatically unassigns these specific pre-run templates from the device after the first successful installation. This is a deliberate one-time action to prevent the initial bootstrap configuration from being re-applied during subsequent policy package installations, which could cause conflicts or revert intended changes.

Why Incorrect

A. This is incorrect. The template was assigned correctly for ZTP; its unassignment is an expected, automatic behavior, not a permanent assignment failure.

C. The unassignment process is automatic for ZTP/LTP pre-run templates, not manual. This automation is a key feature of the provisioning workflow.

D. Post-run CLI templates are executed after a policy package installation, making them unsuitable for the initial bootstrap configuration required for ZTP/LTP.

References

1. Fortinet FortiManager Administration Guide 7.6:

In the section Device Manager > Provisioning Templates > Creating a provisioning template

the guide states: "When a pre-run CLI template is used for zero-touch or low-touch provisioning

the template is automatically unassigned from the device after the template is run on the device. This prevents the template from being run on the device again during subsequent installations." This directly confirms the automatic unassignment behavior.

2. Fortinet FortiManager Administration Guide 7.4:

The same behavior is documented in the Device Manager > Provisioning Templates > Creating a provisioning template section

confirming this is a standard feature: "When a pre-run CLI template is used for zero-touch or low-touch provisioning

the template is automatically unassigned from the device after the template is run on the device."

Q: 3

Refer to the exhibit, which shows an ADVPN network

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2. What two options must the administrator configure in BGP? (Choose two.)

Options

Discussion

SkepticalConsultant372 Feb 17, 2026 9:20 pm

Hmm, I think it should be C and B. IBGP multihop (C) sounds necessary since overlays might not be directly connected, and next-hop-self (B) is usually required. A could be a trap if we're not using eBGP across multiple hops. Happy to be corrected if I'm missing a nuance.

EmmaP Feb 21, 2026 8:20 pm

A is wrong, B and A. Needed for multihop eBGP and next-hop-self on iBGP in ADVPN.

Ivy Q. Feb 26, 2026 3:54 pm

Pretty sure A and B. Had something like this in a mock, those options cover eBGP multihop for non-direct peers and next-hop-self for iBGP which is needed in ADVPN topologies. Let me know if you think otherwise.

Luna R. Feb 25, 2026 1:02 pm

Not totally sold on A here. C, since ibgp-enforce-multihop looks more specific for ADVPN overlays.

RowanJ Feb 25, 2026 4:58 am

I don’t think it's A and B. C and D.

Vikram J. Feb 14, 2026 4:27 am

Seen this in some practice labs, it's A and B from what the official Fortinet guide shows.

Zoe U. Mar 4, 2026 10:51 pm

A and B tbh. You need ebgp-enforce-multihop for eBGP sessions that aren't directly connected, and next-hop-self to make the hub properly reflect routes in iBGP overlays. That's what I've seen in practice but open to correction if I've missed a nuance.

Amelia I. Feb 27, 2026 10:43 pm

B , but only if every peer is iBGP. If the ADVPN mesh runs both IBGP and EBGP (like most full ADVPN overlays), you really need A too because EBGP won't come up otherwise over multi-hop. It's a sneaky requirement that throws people sometimes.

NoahD Mar 4, 2026 11:09 pm

Is there any scenario where you'd need "set attribute-unchanged next-hop" (D) for ADVPN overlays connecting with both iBGP and eBGP? From what I've seen, A and B are usually enough for these designs. Always curious if folks have hit a weird edge case though.

ThoughtfulTester7014 Feb 21, 2026 2:28 pm

A and B makes sense here. You'll see both listed in the official config guide for ADVPN with mixed iBGP/eBGP setups. Worth reviewing Fortinet's admin guide and lab scenarios if you're prepping for this part of the test, just to get a feel for how these commands work together.

Be respectful. No spam.

Correct Answer:

A, B

Explanation

In an ADVPN configuration that uses both iBGP and eBGP, specific BGP settings are required on the hub FortiGate.

1. set next-hop-self enable: This command is essential for the iBGP peering between the hub and its spokes. The hub acts as a route reflector. When it receives routes from one spoke, it must advertise them to other spokes with itself as the next hop. This action is the trigger for the spokes to initiate the on-demand shortcut tunnel.

2. set ebgp-enforce-multihop enable: This command is required for the eBGP peering. By default, eBGP peers must be directly connected. In a WAN or VPN environment, eBGP peers are typically multiple network hops apart. This setting allows the BGP session to be established between peers that are not on the same subnet.

Why Incorrect

C. set ibgp-enforce-multihop advpn: iBGP peers are not required to be directly connected by default, so enforcing multihop is generally unnecessary. The advpn keyword for this command is not a standard configuration for this scenario.

D. set attribute-unchanged next-hop: This command would prevent the hub from changing the next-hop attribute, which is the opposite of the required behavior. It would break the ADVPN shortcut mechanism.

References

1. Fortinet FortiOS 7.4.0 Administration Guide

VPN > IPsec VPN > Auto-Discovery VPN (ADVPN) > BGP configuration for the hub.

This section explicitly shows the command set next-hop-self enable as a required part of the iBGP neighbor group configuration on the hub. It states

"The hub must be configured as a route reflector for iBGP."

2. Fortinet FortiOS 7.4.0 Administration Guide

Routing > BGP > BGP concepts > eBGP multihop.

The documentation states: "By default

eBGP requires neighbors to be directly connected. If they are not

you must configure eBGP multihop routing... config router bgp ... config neighbor ... set ebgp-multihop enable". This confirms the necessity of the command for non-directly connected eBGP peers

as is the case in this ADVPN scenario.

3. Fortinet Cookbook

ADVPN with BGP as the routing protocol (2023/11/21).

In the "Configuring the Hub" section

under the BGP configuration for the neighbor group that includes the spokes

the command set next-hop-self enable is listed as a mandatory step. The explanation notes that this allows the hub to advertise itself as the next hop for routes learned from other spokes.

Q: 4

Refer to the exhibit, which contains a partial command output.

The administrator has configured BGP on FortiGate. The status of this new BGP configuration is shown in the exhibit. What configuration must the administrator consider next?

Options

Discussion

Meera N. Mar 4, 2026 9:32 am

Option D since eBGP by default doesn't allow multihop. Here the peer isn't directly connected, so enabling ebgp-enforce-multihop should fix it. Pretty common BGP issue on FortiGates, but let me know if I'm missing a detail.

Amelia Feb 17, 2026 9:36 pm

I gotta say B here. Local AS config can cause sessions not to establish, so that's what I'd check before tweaking multihop.

LiamB Feb 16, 2026 1:29 pm

Yeah, D here. The scenario needs ebgp-enforce-multihop for non-directly connected eBGP neighbors.

Reese W. Feb 16, 2026 5:27 am

Probably D, since static route (A) is a common trap here, but "next" points to enabling multihop for eBGP neighbors not directly connected.

Nora Feb 24, 2026 5:02 pm

C/D? I keep second-guessing since the static route could also help, but multihop is usually the key for eBGP with indirect neighbors.

QuietAuditor5854 Mar 4, 2026 5:39 pm

You sure it's not just D? Without ebgp-enforce-multihop, FortiGate won't let that BGP session establish if the peer's more than one hop away.

Skyler O. Feb 19, 2026 10:22 pm

I don't think it's A, since a static route might help reachability but won't solve the BGP session not forming when the neighbor isn't directly connected. D makes sense here because FortiGate defaults block multihop eBGP. Pretty sure that's what the output is showing, unless I missed another config clue.

Logan Mar 5, 2026 9:25 am

B , because local AS is often missed as a misconfig, but maybe that's not the real issue here if eBGP multihop is needed.

Ishaan M. Feb 23, 2026 6:58 pm

Its D. The common trap is A but since the neighbor isn't directly connected, ebgp-enforce-multihop is the necessary next step. Pretty sure that's what FortiGate expects in this config, but open to other takes.

Liam Z. Mar 1, 2026 9:06 am

D , trap is A since static routes matter for initial reachability, but the question asks what's needed next. Pretty sure enabling ebgp-enforce-multihop is required when the neighbor isn't directly connected. Disagree?

Be respectful. No spam.

Q: 5

An administrator is checking an enterprise network and sees a suspicious packet with the MAC address e0:23:ff:fc:00:86. What two conclusions can the administrator draw? (Choose two.)

Options

Discussion

Ethan D. Feb 17, 2026 10:20 pm

A and C here. The MAC prefix is unique to HA with VDOMs, and decoding the group-id lands under 255. Disagree?

Owen B. Feb 18, 2026 1:27 pm

B and D maybe? That MAC could look like it's tied to FGSP setups (B) and something port specific (D) if you don't pay attention to the octet breakdown. I think FortiGate clustering protocols can get confusing with these addresses. Not totally sure, feel free to show me where I'm off.

Quinn Feb 15, 2026 4:31 am

A and C imo. That MAC prefix (e0:23:ff) is FortiGate HA with VDOMs, pretty standard in cluster setups. For C, the math on the group-id works out to less than 255 after decoding the last three octets. Not 100% on D because port mapping via MAC isn't really a thing here. Let me know if someone interprets it differently.

Ravi E. Mar 1, 2026 3:51 am

A and C. Pretty sure official Fortinet docs and HA cluster practice labs back this up, seen similar logic in exam sets.

Casey P. Feb 28, 2026 2:19 am

Option B and D

Ethan Feb 15, 2026 1:04 am

A and C tbh. That MAC prefix is all about HA clusters with VDOMs on, and group-ids less than 255 fits the format. The rest don't line up from what I know but if I'm missing anything, let me know.

QuickReviewer6056 Feb 23, 2026 9:20 am

Why not B? FGSP protocol doesn't use that MAC prefix, it's all about HA clusters with VDOMs. Am I missing something?

Luke V. Mar 2, 2026 10:05 pm

A and C. No extra info needed here.

Cameron Mar 2, 2026 3:57 am

Option A and C

Avery P. Mar 1, 2026 9:14 pm

A and C imo

Be respectful. No spam.

Correct Answer:

A, C

Explanation

The MAC address prefix e0:23:ff is specifically used by FortiGate High Availability (HA) clusters when Virtual Domains (VDOMs) are enabled. This immediately confirms that the packet originates from a cluster with VDOMs.

The last three octets of the MAC address (fc:00:86) encode the HA group ID, virtual cluster ID, and interface index. The value is calculated using the formula: Last 3 Octets = 0xFFFFFF - ((groupid << 16) | (vclusterid << 8) | ifindex).

By reversing the calculation (0xFFFFFF - 0xFC0086), we get 0x03FF79. This result indicates a groupid of 0x03 (decimal 3). Since 3 is less than the maximum possible value of 255, this conclusion is also correct.

Why Incorrect

B. The FortiGate Session Life Support Protocol (FGSP) is used for session synchronization between standalone devices and does not generate this virtual MAC address for traffic forwarding.

D. The calculation derives the interface index as 0x79 (decimal 121), not 7. Furthermore, the interface index is an internal value and does not directly map to a physical port number.

References

1. FortiOS Handbook - High Availability 7.2.1

Page 36

Section: "HA cluster virtual MAC addresses".

This document states: "When VDOMs are enabled

FortiGate generates a different set of virtual MAC addresses. The first three octets are e0:23:ff. The last three octets are calculated based on the HA group ID

the virtual cluster ID

and the interface index. The formula is (0xffffff - (groupid << 16 | vclusterid << 8 | ifindex))." This directly supports the explanation for answers A and C.

2. Fortinet Knowledge Base - Technical Tip: FortiGate HA virtual MAC address details (Article ID: FD36109).

This article provides a detailed breakdown of HA virtual MAC address calculation. It confirms that for FortiOS 5.4 and later with VDOMs enabled

the prefix is e0:23:ff and explicitly provides the formula 0xffffff - ((groupid << 16) + (vclusterid << 8) + ifindex) for the remaining octets. This validates the entire analysis.

Q: 6

An administrator must minimize CPU and RAM use on a FortiGate firewall while also enabling essential security features, such as web filtering and application control for HTTPS traffic. Which SSL inspection setting helps reduce system load while also enabling security features, such as web filtering and application control for encrypted HTTPS traffic?

Options

Discussion

PracticalSec1231 Feb 16, 2026 9:09 am

D . Cert inspection mode barely touches CPU/RAM since it skips decrypting everything, but you can still do domain-based filtering and app control on HTTPS. Full SSL would kill performance. Pretty sure this is what they’re asking but open to pushback.

Quinn B. Mar 1, 2026 2:02 am

C vs D here. C sounds right at first with the 'efficient' bit, but it's vague and doesn't mean a specific FortiGate setting. D is literal-certificate inspection mode is way less resource-heavy and still does basic HTTPS filtering. Pretty sure D is what the exam wants, but I get why C looks tempting.

Zoe L. Feb 26, 2026 9:13 pm

C/D? C talks about handling HTTPS "efficiently," which kinda fits the resource-saving part, and some questions use wording tricks like that. D is correct for cert inspection, but C felt like a trap here.

Taylor X. Feb 18, 2026 12:01 pm

Yeah, D fits here. You keep basic filtering and app control without the decrypt overhead.

Sofia W. Mar 2, 2026 11:34 am

D , certificate inspection mode uses way less resources and still gets the job done for filtering HTTPS traffic.

QuietOps6650 Feb 20, 2026 12:48 pm

D imo. Certificate inspection does enough for web filtering and app control by checking certs and SNI, without chewing up resources like full SSL inspection. You lose some deep inspection, but that's the tradeoff for saving CPU/RAM. Seen similar wording on practice tests-D's the efficient option here.

SkepticalLead5816 Mar 5, 2026 3:28 am

Why does C keep coming up? On FortiGate, "efficient HTTPS handling" isn't an actual setting, it's just vague wording.

Olivia A. Feb 24, 2026 5:10 pm

Pretty sure it's D. Certificate inspection mode checks the SNI and cert without full decryption, which keeps resource usage low but still lets you do web filtering on HTTPS. C sounds reasonable, but it's too generic and not a real FortiGate config option. Anyone see a scenario where C would actually be correct?

ThoughtfulLead4923 Mar 1, 2026 5:23 am

D (seen similar on practice, always certificate inspection for low system use with required HTTPS filtering)

Sanjay M. Feb 16, 2026 1:57 am

C tbh, since it's the only one mentioning handling HTTPS efficiently, that sounds right for saving resources.

Be respectful. No spam.

Correct Answer:

Explanation

SSL certificate inspection mode allows the FortiGate to inspect the Server Name Indication (SNI) and the server certificate presented during the initial TLS handshake. This enables security features like web filtering (based on domain name/category) and application control (based on the certificate's subject) without decrypting the entire encrypted payload. Because it avoids the computationally expensive decryption and re-encryption process, this mode consumes significantly less CPU and RAM compared to full SSL inspection, directly addressing the administrator's goal of minimizing system load while maintaining essential security visibility.

Why Incorrect

A. Full SSL inspection is the most resource-intensive method as it decrypts and re-encrypts all traffic, which contradicts the requirement to minimize CPU and RAM use.

B. Disabling SSL inspection entirely would prevent the FortiGate from identifying the destination domain or application within the encrypted stream, rendering web filtering and application control ineffective.

C. This option is too generic. While the goal is efficient handling, it does not specify a concrete setting or mode, unlike certificate inspection, which is a specific, low-impact configuration.

References

1. FortiGate Infrastructure 7.2 Study Guide

p. 218: "SSL Inspection Modes" section states

"Certificate inspection: FortiGate only inspects the server certificate to confirm its validity and the subject. It does not decrypt the traffic. This mode consumes the least amount of resources." It also clarifies that web filtering and application control can use the information from the certificate.

2. FortiOS 7.2 Administration Guide

"SSL & SSH Inspection > Inspection modes" section: "In certificate inspection mode

FortiGate only inspects the header information of the packets. This is the least resource-intensive inspection mode... Based on the information in the certificate

FortiGate can determine if the traffic should be allowed or blocked."

3. FortiGate Security 7.2 Study Guide

p. 130: "SSL Inspection Modes" section explains

"Certificate inspection only looks at the certificate of the web server... This allows FortiGate to perform web filtering based on the category of the website

but it does not allow FortiGate to inspect the actual content for threats." This highlights its capability for web filtering with low overhead.

Q: 7

Refer to the exhibit.

An administrator is deploying a hub and spokes network and using OSPF as dynamic protocol. Which configuration is mandatory for neighbor adjacency?

Options

Discussion

Adam R. Feb 22, 2026 2:53 pm

Makes sense to go with B here. In hub and spoke OSPF, setting network-type to point-to-multipoint on the hub ensures neighbors come up without extra configs for DR/BDR. I think that's what's required but let me know if you see it differently.

Cameron Feb 18, 2026 2:07 am

Option B

Sam W. Feb 20, 2026 7:45 am

Maybe D, since virtual-link is needed for some OSPF scenarios in hub and spoke setups.

Reese Feb 23, 2026 7:41 pm

Reese H. Mar 4, 2026 12:36 pm

I don’t think it’s D, pretty sure it should be B. Virtual-link is a classic trap for OSPF multi-area stuff but not for hub-and-spoke neighbor formation. Open to other takes if I missed a detail.

Vikram B. Feb 20, 2026 10:17 am

B is the only required config here to form OSPF adjacencies in hub-and-spoke. Others are optional or for different setups.

Riley B. Feb 16, 2026 5:11 am

B , setting network-type to point-to-multipoint on the hub is usually what makes adjacencies work in a hub-and-spoke OSPF setup. The others aren't required just to get neighbors up. Pretty sure it's B but open to corrections if someone's seen otherwise.

Grace Feb 17, 2026 4:51 am

B fits here, since for OSPF to form proper neighbor adjacencies in hub and spoke setups, you need the network-type set to point-to-multipoint. The others aren't required just for adjacency. Pretty sure I'm right but always open to more input.

Cameron Feb 23, 2026 6:15 am

Luke S. Feb 24, 2026 7:27 am

C/D? I saw similar scenarios in official practice, so check the admin guide too.

Be respectful. No spam.

Correct Answer:

Explanation

In a hub-and-spoke topology, particularly over a Non-Broadcast Multi-Access (NBMA) network such as a typical IPsec VPN overlay, OSPF requires a specific network type to establish adjacencies correctly. Setting the network type to point-to-multipoint on the hub's interface is the standard and recommended configuration. This mode eliminates the need for a Designated Router (DR) and Backup Designated Router (BDR) election. Instead, the hub establishes a separate point-to-point adjacency with each spoke router, which is the intended behavior for this topology. This ensures stable neighbor relationships and proper route propagation without requiring manual neighbor configuration.

Why Incorrect

A. Set bfd enable in the router configuration

BFD (Bidirectional Forwarding Detection) is used for rapid link failure detection but is not a prerequisite for forming an OSPF neighbor adjacency.

C. Set rfc1583-compatible enable in the router configuration

This setting controls the calculation method for summary routes (Type 3 LSAs) for compatibility with older standards and does not affect neighbor adjacency formation.

D. Set virtual-link enable in the hub interface

Virtual links are used to connect a disconnected OSPF area to the backbone area (Area 0). The exhibit shows all devices are within Area 0, making a virtual link unnecessary.

References

1. Fortinet FortiOS 7.6.0 Administration Guide

Networking > OSPF > OSPF network types

p. 1031: "Point-to-multipoint: This mode is a set of point-to-point links. There is no DR or BDR. This mode is useful for partial-mesh NBMA networks." This directly applies to the hub-and-spoke scenario.

2. Fortinet FortiOS 7.6.0 Administration Guide

Networking > OSPF > OSPF configuration examples > OSPF point-to-multipoint configuration example

p. 1040: This section provides a step-by-step configuration for a hub-and-spoke topology

explicitly demonstrating the use of set network-type point-to-multipoint on the hub's interface. The example topology is identical to the one shown in the question's exhibit.

Q: 8

An administrator must standardize the deployment of FortiGate devices across branches with consistent interface roles and policy packages using FortiManager. What is the recommended best practice for interface assignment in this scenario?

Options

Discussion

EmmaO Feb 27, 2026 4:39 pm

Its A, D looks good but it's a bit of a trap since metadata variables are what let you standardize across branches.

Drew L. Mar 1, 2026 9:53 am

A not D, D just auto-identifies interface types but A (metadata variables) actually makes configs consistent per branch.

Leo G. Feb 16, 2026 3:36 pm

A not D. Trap here is assuming D does per-device mapping, but metadata variables (A) actually solve that for standardization.

Arjun U. Feb 17, 2026 2:09 am

A tbh

AlexA Feb 13, 2026 5:16 pm

A is right here imo. Metadata variables let you use one policy package and swap out values per branch, so config stays clean and flexible. Install On doesn’t solve the variable interface problem as easily. Someone let me know if they’ve made B or D work for this.

Liam R. Feb 17, 2026 11:45 am

A imo. Using metadata variables lets you push a single standard config but still handle each branch's unique details (like IPs or VLANs). Pretty common best practice, seen it in several official guides.

JasonE Feb 18, 2026 6:14 pm

A tbh, because with metadata variables you can set standard configs and the unique details for each site automatically fill in. It's scalable and Fortinet's docs push that method. Not 100 percent if D works as seamlessly but open to counterpoints.

Sanjay R. Feb 14, 2026 1:31 am

Its D, since normalized interface types help when there are lots of naming inconsistencies, not just metadata.

Sean V. Feb 17, 2026 8:40 am

A is the way to go since metadata variables let you keep one policy package and just plug in branch-specific details. Makes deployments cleaner and less manual editing. Pretty sure that's what Fortinet recommends for this scenario but open if someone saw different in production.

Logan K. Mar 4, 2026 12:24 am

Nah, I think A is correct, not D-using metadata variables covers dynamic configs even with some name variation.

Be respectful. No spam.

Correct Answer:

Explanation

The recommended best practice for standardizing FortiGate deployments with consistent configurations across multiple branches is to use provisioning templates combined with metadata variables. Metadata variables act as placeholders for device-specific values, such as IP addresses, hostnames, or VLAN IDs. An administrator creates a single, standardized provisioning template for interface configurations. During deployment to each branch FortiGate, FortiManager dynamically replaces the metadata variables in the template with the unique values assigned to that specific device. This approach allows for the use of a consistent configuration base while accommodating the necessary per-device variations, fulfilling the requirement for standardization.

Why Incorrect

B: The Install On feature is used to target which devices or groups receive a policy package; it does not configure the interfaces or assign their settings.

C: Using scripts is a viable but less efficient method. The recommended best practice involves using FortiManager's built-in template and metadata features for better scalability and management.

D: Normalized interfaces are essential for creating consistent interface roles (e.g., LAN, WAN) across different hardware models, enabling the use of a single policy package. However, metadata variables (A) perform the dynamic assignment of configuration settings (like IP addresses) to those interfaces, which is the core of standardizing the device-level configuration.

References

1. FortiManager Administration Guide 7.2

"Provisioning Templates" > "Using metadata in provisioning templates" section.

Quote: "Metadata allows you to define custom variables that you can use to dynamically configure managed devices. You can reference the metadata variables in provisioning templates... When the template is applied to a device

the metadata variables are replaced with the values defined for the device." This directly supports using metadata for dynamic configuration assignment.

2. FortiManager Administration Guide 7.2

"Best Practices" > "Device and policy management" section.

Quote: "Use provisioning templates with metadata to standardize device settings across multiple devices." This explicitly states that the combination of provisioning templates and metadata is the best practice for standardization.

3. Fortinet Certified Professional - Network Security Study Guide for FortiManager 7.2

Chapter "Provisioning"

Section "Using Metadata in Provisioning Templates".

This section provides examples of creating a provisioning template for a system interface and using a metadata variable

such as $(ipaddress)

to assign a unique IP address to each managed device. This illustrates the practical application of the concept in option A.

Q: 9

An administrator needs to install an IPS profile without triggering false positives that can impact applications and cause problems with the user's normal traffic flow. Which action can the administrator take to prevent false positives on IPS analysis?

Options

Discussion

Casey Feb 23, 2026 2:30 pm

My pick: A since narrowing the IPS profile to your actual OS, protocol, and app reduces signatures checked, so you get way less risk of false positives. Makes sense from what I've seen in real config. If someone had different lab results, happy to hear it.

Amelia W. Feb 20, 2026 8:00 am

Probably A here. Filtering the IPS profile by OS, protocol, and app minimizes unnecessary signatures, which cuts down on false positives. That's what admin guides push for too. Pretty sure about this but let me know if I'm missing something.

Taylor K. Feb 24, 2026 3:06 am

Option A had almost the same scenario during mock practice. Targeting OS and protocols with profile extension really helps minimize those annoying false positives. Confident it's A here.

Daniel D. Feb 27, 2026 4:30 pm

Yeah, I'm with A here. Filtering the IPS profile to match only your actual OS, protocols, and apps just means fewer unnecessary signatures, so way less chance of false positives messing with legit traffic. That’s what Fortinet suggests too I think. Someone correct me if they’ve had a different experience.

Mason D. Mar 4, 2026 11:17 am

Option A But, if the network has a bunch of non-standard apps or custom protocols, filtering by OS/app could miss stuff, right?

Sam Feb 24, 2026 7:22 am

A comes up in official admin guides and practice sets. Using the IPS profile extension lets you filter for just your real OS and app context, so false positives drop a lot. Pretty sure that's what they're looking for here but open to other input.

Ishaan J. Mar 3, 2026 5:27 pm

C isn't right here, A is. Fine-tuning the IPS profile for your actual OS, protocols, and applications means fewer false positives because you skip unnecessary signatures. Pretty sure that's what Fortinet recommends for minimizing alert noise.

Riley Mar 2, 2026 6:32 pm

Its C. I get why people go with A, but monitor mode means the IPS will just log traffic instead of blocking, so even if you get a false positive it won’t disrupt users. That feels like the safer way to avoid impact on normal traffic. Could be wrong if they’re asking for more targeted tuning though.

Sam Q. Mar 3, 2026 7:59 pm

C or A but I went with C since monitor mode means it doesn't actually block anything, so it shouldn't disrupt user traffic even if something's flagged wrong. Seen this logic in some practice tests and labs. Not 100% sure though, official guide goes deep on tuning IPS profiles.

Hannah K. Feb 26, 2026 1:53 am

I don't think it's D. C makes more sense to me since monitor mode avoids blocking traffic, so you won't get false positives affecting users. A seems like a trap for over-restricting the profile.

Be respectful. No spam.

Correct Answer:

Explanation

To prevent false positives, an administrator can use IPS filters (referred to as the profile extension in the question) to tailor the IPS profile to the specific network environment it protects. By specifying the target operating systems, protocols, and applications, the FortiGate only loads and applies the relevant IPS signatures. This significantly reduces the number of signatures evaluated against the traffic, which not only improves performance but also minimizes the risk of a signature incorrectly identifying legitimate traffic as malicious, thereby preventing false positives.

Why Incorrect

B: Enabling Scan Outgoing Connections is for detecting compromised hosts communicating outbound. It increases the scope of inspection and could potentially increase, not prevent, false positives if not tuned properly.

C: Using a monitor action does not prevent false positives; it only logs them without blocking traffic. This is a strategy to identify false positives without impacting users, but it allows potentially malicious traffic to pass, compromising network integrity.

D: SSL/TLS certificate issues on a client PC are related to SSL inspection and web access problems. They are not a direct cause of IPS false positive detections, which analyze traffic content for malicious patterns.

References

1. Fortinet Certified Solution Specialist - Enterprise Firewall 7.0 Advanced Study Guide

Chapter 3: Intrusion Prevention System (IPS)

Section: IPS Tuning

Page 10: "You can use IPS filters to narrow down the signatures that are included in an IPS profile. This is useful for improving performance and reducing the number of false positives. For example

if you know that you don't have any Linux servers on your network

you can create a filter to exclude all Linux signatures from the IPS profile." This directly supports using filters based on OS to prevent false positives.

2. FortiOS 7.4.0 Administration Guide

Section: Security Profiles > Intrusion Prevention > IPS Signatures

Sub-section: Filters: "You can use filters to narrow the list of IPS signatures that are displayed... You can also use filters to narrow the signatures that are included in an IPS sensor." This confirms the mechanism for narrowing down signatures.

3. FortiOS 7.4.0 Administration Guide

Section: Security Profiles > Intrusion Prevention > Best practices for IPS deployment: "Start by using an IPS sensor that monitors traffic and generates logs... After you have determined that the IPS sensor is not causing any problems

you can change the action to block." This describes the process related to option C

highlighting that monitoring is for identifying false positives

not preventing them

and carries the risk of not blocking real attacks.

Q: 10

Refer to the exhibit, which shows a network diagram.

An administrator would like to modify the MED value advertised from FortiGate_1 to a BGP neighbor in the autonomous system 30. What must the administrator configure on FortiGate_1 to implement this?

Options

Discussion

Hannah E. Feb 21, 2026 2:44 pm

Probably A for this one. Only a route-map-out lets you actually tweak BGP attributes like MED on outgoing advertisements.

Nina F. Feb 17, 2026 7:39 pm

LunaX Mar 1, 2026 7:38 pm

A . Only route-map-out (A) lets you actually set or modify the MED value in BGP announcements, not just filter prefixes. Prefix-list-out and distribute-list-out are for filtering routes based on prefix or access list but can't adjust route attributes like MED. Seen similar logic in other BGP configs, but correct me if I missed a FortiGate nuance here.

Riley U. Feb 22, 2026 6:25 pm

C or D. Both sound like they could filter outbound, not sure which would actually let you adjust the MED though.

FriendlyLead2454 Feb 13, 2026 5:49 pm

Probably A. Only route-map-out lets you update BGP attributes like MED, the others just filter routes. Pretty sure C and D are easy traps here if you're thinking about prefix matching instead.

Casey E. Mar 6, 2026 2:01 am

Don't think it's C or D since those just filter routes, not change metrics. Route-map-out (A) is what actually lets you set MED on outgoing BGP updates. I think that's the only valid choice here, correct me if I'm missing some detail.

Nina L. Mar 3, 2026 8:49 pm

C or D? I get why you'd think those since they both can filter outbound routes, but only A (route-map-out) actually lets you alter attributes like MED. Pretty sure it's A, unless there's some hidden FortiGate feature I'm missing.

Adam U. Feb 15, 2026 5:44 pm

Don't think B or D are right for modifying MED, so A here.

Riley R. Feb 28, 2026 2:25 pm

Not if the neighbor's in a different AS, then only A will actually set MED outbound.

Quinn Feb 20, 2026 7:36 pm

A. that's what I'd pick here. None of the others let you change the MED directly.

Be respectful. No spam.

Correct Answer:

Explanation

To modify BGP attributes for routes being advertised to a neighbor, a route-map-out is the correct mechanism. A route map is a policy tool that allows an administrator to match specific routes and then apply actions, such as modifying attributes. In this case, a route map would be created to set the desired Multi-Exit Discriminator (MED) value using the set metric command. This route map is then applied to the BGP neighbor configuration in the outbound direction (route-map-out) to influence the routing decisions of the receiving autonomous system (AS 30).

Why Incorrect

B. network-import-check: This command only validates if a network configured for advertisement via the network command exists in the routing table; it does not modify BGP attributes.

C. prefix-list-out: A prefix list is used to filter routes based on network prefixes. While it can be used within a route map to match routes, it cannot modify attributes by itself.

D. distribute-list-out: A distribute list uses an access list to permit or deny routes being advertised. It is a filtering tool and lacks the capability to modify BGP attributes like MED.

References

1. FortiOS Administration Guide 7.4

BGP > Route maps: "Route maps are used to control and modify routing information that is exchanged between routing protocols... You can define which routes are controlled by matching on a given route and then modify information for that route by setting certain values." This section explicitly states that route maps are the tool for modifying attributes.

2. FortiOS CLI Reference 7.4

config router route-map: The command set metric is documented here with the description "Set MED." This confirms that the metric parameter within a route map directly corresponds to the BGP MED attribute.

3. FortiOS CLI Reference 7.4

config router bgp: Within the config neighbor context

the command set route-map-out is available. Its description is "Apply a route map to outbound routes." This shows how the created route map is applied to affect advertised routes.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE