Refer to the exhibit, which contains the partial output of an OSPF command. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Fortinet_FCSS_EFW_AD-7.6/page_28_img_1.jpg An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. What two conclusions can the administrator draw? (Choose two.)

The FortiGate device is connected to multiple areas

The FortiGate device injects external routing information

The FortiGate device is a backup designated router

The FortiGate device is connected to multiple areas

The FortiGate device injects external routing information

The FortiGate device has OSPF ECMP enabled

Refer to the exhibit, which shows a LAN interface connected from FortiGate to two FortiSwitch devices. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Fortinet_FCSS_EFW_AD-7.6/page_32_img_1.jpg What two conclusions can you draw from the corresponding LAN interface? (Choose two.)

The LAN interface must use a 802.3ad type interface.

This connection is using a FortiLInk to manage VLANs on FortiGate.

You must enable STP or RSTP on FortiGate and FortiSwitch to avoid layer 2 loopbacks.

The LAN interface must use a 802.3ad type interface.

This connection is using a FortiLInk to manage VLANs on FortiGate.

FortiGate is using an SD-WAN-type interface to connect to a FortiSwitch device with MCLAG.

View FCSS_EFW_AD-7.6 Exam Questions

Q: 11

What action can be taken on a FortiGate to block traffic using IPS protocol decoders, focusing on network transmission patterns and application signatures?

Options

Discussion

Jason Mar 4, 2026 10:03 pm

B. Saw nearly the same question in my exam and B was correct there too.

Ivy R. Mar 2, 2026 1:51 am

B. official admin guide and practice labs both highlight application control profiles for signature-based blocking.

Olivia D. Feb 17, 2026 10:34 pm

Its B. Application control uses the IPS engine for protocol decoders and signatures, not tied to just web traffic like D. Pretty sure that's what the question's getting at, correct me if I'm missing something.

Jack F. Feb 19, 2026 12:43 pm

Probably B. Application control uses IPS decoders and can block based on signatures, not just for web traffic.

Logan Y. Feb 22, 2026 2:03 pm

Probably D since if flow mode is active and you're filtering HTTP, the protocol decoder could work there too.

Noah A. Feb 14, 2026 2:55 am

I've seen similar questions in practice, B is correct.

Drew A. Mar 4, 2026 8:29 am

Its B. Practice tests and Fortinet docs cover how application control uses signatures and protocol decoders for this. Seen similar on exams.

Ben H. Feb 19, 2026 3:58 pm

D . If you focus on web traffic, configuring a web filter profile in flow mode can block signatures and patterns using protocol decoders for HTTP(S). I've seen similar points in some of the official Fortinet docs and practice tests. Might be missing something, but that's what makes sense to me right now. Anyone else also use labs to test this scenario?

Nathan Feb 18, 2026 8:10 pm

Had something like this in a mock, and B was right. Application control is what uses those IPS protocol decoders to spot/block app signatures, not just web stuff like D. Pretty sure that's what they're after here, but correct me if you think otherwise.

Adam G. Feb 22, 2026 3:29 pm

B vs D - I think B is right here. Application control actually ties into the IPS engine and its decoders, so it can block based on protocol patterns for all kinds of apps, not just web. D is more for web filtering only. Anyone disagree?

Be respectful. No spam.

Correct Answer:

Explanation

Application Control is the FortiGate feature designed to identify and control applications using signatures from the FortiGuard service. It leverages the Intrusion Prevention System (IPS) engine and its protocol decoders to analyze network traffic patterns and accurately detect thousands of applications, including those that are not web-based (non-URL). By configuring an Application Control profile and applying it to a firewall policy, an administrator can explicitly block specific applications or categories of applications, thereby controlling traffic based on its application signature and behavior.

Why Incorrect

A. DNS filter operates by inspecting Domain Name System (DNS) requests and blocking access based on domain ratings and categories, not by using IPS protocol decoders for general application signatures.

C. SD-WAN rules use application detection to make intelligent routing and path selection decisions, not primarily to block traffic as a security enforcement action.

D. Web filter is used to control access to web traffic (HTTP/HTTPS) based on URLs and content categories, not for identifying and blocking the wide range of non-web applications that Application Control handles.

References

1. Fortinet FortiOS 7.4.0 Administration Guide

Security Profiles > Application Control

Page 1018: "Application control uses IPS protocol decoders to identify the applications that generate network traffic. It can be used to create policies that allow

deny

or restrict access to applications." This statement directly links Application Control with IPS decoders for the purpose of controlling applications.

2. Fortinet FortiOS 7.4.0 Administration Guide

Security Profiles > Intrusion Prevention

Page 1001: "The IPS engine also provides the application detection that powers the application control feature." This confirms that the underlying technology for application detection

which involves analyzing transmission patterns and signatures

is the IPS engine.

Q: 12

Refer to the exhibit, which contains the partial output of an OSPF command.

An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit. What two conclusions can the administrator draw? (Choose two.)

Options

Discussion

Jason G. Mar 5, 2026 9:38 pm

B/C tbh. Some might pick D by mistake if they see ECMP mentioned, but the output directly proves B and C (multiple areas, ASBR).

Sofia R. Feb 25, 2026 2:11 am

Looks pretty clear to me. B and C, since the output says it's an area border router (so multiple areas) and an ASBR (so injecting external routes). ECMP isn't mentioned at all. I think that's solid, unless I'm missing something small.

Casey Y. Feb 21, 2026 7:08 pm

Nah, looks like A is a trap. B.

HelpfulArchitect164 Mar 4, 2026 7:20 pm

Similar question came up in official docs and practice exams, the right combo is B, C.

Mia J. Feb 14, 2026 4:15 pm

C/B. The status in the output is pretty direct about multi-area and external routes, so not D. Tricky part is D seems tempting if you miss that ECMP isn't actually shown.

Mia R. Mar 1, 2026 7:40 am

C/B. Output says it's both an area border router and an ASBR so I'm pretty sure it's B and C, not D. The ECMP mention always tricks people with these FortiGate OSPF questions though.

RileyL Mar 6, 2026 2:36 am

Yeah, I'm seeing B and C here too. Output shows it's an area border router (so multiple areas) and also ASBR, which means external route injection. Not totally confident since FortiGate wording can be tricky but that's my take.

Morgan G. Feb 18, 2026 1:51 pm

I’m going with D and B here. If the OSPF output mentions ECMP, that's typically a sign that equal cost multipath is active, which FortiGate supports. Option B fits if it's acting as an area border router. I don't see clear evidence for external route injection in these kinds of summaries, so C seems less likely. Let me know if you spot something I missed.

ZoeE Feb 20, 2026 6:43 am

B and C

Amelia G. Feb 16, 2026 11:06 pm

Option B C. Not totally sure since the output details sometimes get tricky on FortiOS.

Be respectful. No spam.

Correct Answer:

B, C

Explanation

The command output provides two key statements that directly support the correct answers. First, the lines "It is an area border router" and "Number of areas in this router is 2" explicitly confirm that the FortiGate device is connected to more than one OSPF area. Second, the line "It is an autonomous system boundary router" indicates that the FortiGate is configured to redistribute routes from an external routing protocol or static routes into the OSPF autonomous system, thereby injecting external routing information.

Why Incorrect

A. The output does not contain information about the Designated Router (DR) or Backup Designated Router (BDR) status, which is specific to an interface and not the overall OSPF process.

D. The provided output is a summary of the OSPF process status and does not include details about the Equal-Cost Multi-Path (ECMP) configuration.

References

1. FortiOS Administration Guide 7.0.0

Page 1030

"OSPF router types". This section defines an Area Border Router (ABR) as a router with interfaces in more than one area. It also defines an Autonomous System Boundary Router (ASBR) as a router that connects the OSPF network to a non-OSPF network (an external autonomous system) and injects external routes. The exhibit's output directly identifies the FortiGate as both an ABR and an ASBR.

2. FortiGate CLI Reference 7.0.0

Page 1598

get router info ospf status. The documentation for this command confirms that the output fields "It is an area border router" and "It is an autonomous system boundary router" are displayed to indicate the router's configured OSPF roles. This directly validates the interpretation of the exhibit.

Q: 13

Why does the ISDB block layers 3 and 4 of the OSI model when applying content filtering? (Choose two.)

Options

Discussion

Anita H. Feb 18, 2026 4:44 pm

Its A and B. D might seem tempting but that's more about URL filtering at layer 7, not how ISDB actually works for L3/L4. C's mention of proxy mode is a distractor here imo.

Piya K. Feb 26, 2026 8:15 pm

Option C and D for me. ISDB sounds like it's tied to proxy mode and limiting things by URL/domain, which fits content filtering. Not convinced A is right here, feels like a textbook trap.

Aisha Mar 5, 2026 7:26 pm

A/B for sure. ISDB blocks services based on IPs and ports from FortiGuard's database, which is L3 and L4. Not about proxy or URLs here. I've seen a similar question in some practice sets.

RileyP Feb 21, 2026 4:43 am

Option A and B here. ISDB is all about matching against IPs and ports from FortiGuard's list, which lines up with layers 3 and 4. It's not doing URL/domain filtering like D, that's more for web filtering modules. Pretty sure this is right but open to other interpretations.

MasonN Mar 2, 2026 1:37 pm

C and D tbh

Liam Q. Feb 21, 2026 4:46 am

For me, C and D, had something like this in a mock. Didn't see any mention of FortiGuard's IP/port lists.

QuietAnalyst7064 Feb 15, 2026 3:35 am

A/B imo. ISDB is all about using FortiGuard's updated IP/port lists to block specific services at L3 and L4, not URLs or proxies. The question says "layers 3 and 4," so that's why D or C don't really fit here. Pretty sure it's A and B but open to pushback if someone sees it differently.

Emma B. Feb 15, 2026 2:56 am

Its A and B

Aaron Y. Mar 1, 2026 1:44 pm

C and D, not A. Had something like this in a mock and it pointed to proxy mode plus limiting by domain for content filtering.

Nina E. Feb 14, 2026 7:54 am

C/D? Proxy mode and URL/domain limit feel like what content filtering does, A looks like a trap.

Be respectful. No spam.

Correct Answer:

A, B

Explanation

The Fortinet Internet Service Database (ISDB) is a feature that simplifies firewall policy creation by grouping all IP addresses, protocols, and port numbers associated with a specific internet service (like Microsoft 365 or Google Services). FortiGuard Labs continuously maintains and updates this database, which the FortiGate downloads. When an ISDB object is used in a firewall policy with a 'deny' action, the FortiGate blocks traffic at OSI Layers 3 (IP addresses) and 4 (TCP/UDP ports) that matches the entries in the database for that specific service. This provides an efficient way to control access without manually tracking all of a service's network endpoints.

Why Incorrect

C. The ISDB is a database of network endpoints, not an inspection mode. It can be used in firewall policies operating in either flow or proxy mode; it is not exclusive to proxy mode.

D. Limiting access by URL and domain is a Layer 7 function performed by the Web Filter security profile, not the ISDB, which operates primarily at Layers 3 and 4.

References

1. FortiOS 7.4.0 Administration Guide

Page 1010

Section: Internet Service Database.

"The FortiGuard Internet Service Database is a comprehensive

up-to-date list of all public IP addresses used by popular internet services... Each Internet Service can contain multiple entries

and each entry consists of an IP address or range

and a protocol and port number." This statement directly supports options A and B by defining the ISDB as a list of IPs and ports provided by FortiGuard.

2. FortiOS 7.4.0 Administration Guide

Page 1011

Section: Internet Service Database.

"When an Internet Service is selected as the source or destination in a firewall policy

traffic matching any of the IP addresses and port numbers in the service will have the policy's action applied to it." This confirms that the ISDB's mechanism is to match and block (or allow) based on the predefined IP addresses and ports (Layers 3 and 4).

3. FortiOS 7.4.0 Administration Guide

Page 1178

Section: Web filter.

"The web filter security profile can inspect HTTP

HTTPS

and FTP traffic... You can configure the web filter profile to block or allow access to web sites by matching their URLs against lists of URLs..." This clearly distinguishes the function of Web Filtering (URL/domain-based) from the ISDB (IP/port-based)

invalidating option D.

Q: 14

Refer to the exhibit, which shows an enterprise network connected to an internet service provider.

An administrator must configure a loopback as a BGP source to connect to the ISP. Which two commands are required to establish the connection? (Choose two.)

Options

Discussion

Sean K. Feb 25, 2026 8:54 am

A and B here. eBGP with loopback needs ebgp-enforce-multihop to let the connection work, and update-source points BGP to use the loopback IP. D is for next hop recursion which isn’t required in this ask. Pretty sure about this combo but correct me if you’ve done it differently in practice.

JackI Feb 14, 2026 11:58 pm

Its A and B. Both needed when you set up BGP neighbors via loopback so the session can come up.

Sean Mar 4, 2026 5:08 pm

A and B tbh. Loopback peering with eBGP needs update-source to pick the loopback IP, and ebgp-enforce-multihop so TTL lets the session form. D looks relevant but isn't for this use case. Anyone disagree?

Luna D. Feb 25, 2026 3:57 pm

Feels like A and B. Using loopback for eBGP peering always needs you to set update-source and allow multihop, or it won't bring up the session. D looks tempting but that's not needed here. Let me know if anyone's seen a case where this didn't work.

Neha Feb 20, 2026 12:37 pm

A is wrong, B and A. Both are needed for BGP peering via loopback, pretty sure that's in the official admin guide and shows up in practice labs too.

Rowan Feb 25, 2026 12:05 am

I don’t think it’s C/D. BGP with loopback as the source needs A (ebgp-enforce-multihop) and B (update-source), otherwise the session won’t form. D is a trap, for recursive next hop only. Pretty sure but open if I missed something.

Hannah A. Feb 19, 2026 10:55 pm

A/B makes sense. Whenever BGP uses loopback as source, you need update-source to specify it, and ebgp-enforce-multihop since eBGP expects directly connected peers otherwise. That’s what I saw in the admin guide and labs too, but could be missing something minor.

Jordan Feb 19, 2026 6:06 pm

C/D? I always get tripped up when it's loopback as BGP source, thought recursive-next-hop might be needed.

Avery T. Feb 25, 2026 12:56 am

A/B imo. You need ebgp-enforce-multihop and update-source for this setup with a loopback, that's from official guide and some similar lab tasks I saw. If you want a reference, practice labs or the config examples in the admin guide cover this.

Priya K. Mar 2, 2026 12:43 pm

I think it should be A and B, since for eBGP with a loopback you need to allow multihop and set update-source. Not 100% but I don't see C or D fitting here, since they're for iBGP or recursive next hop situations. Agree?

Be respectful. No spam.

Correct Answer:

A, B

Explanation

To establish an eBGP session using loopback interfaces, two specific configurations are required. First, the update-source command must be used to change the source IP address of the BGP packets from the physical egress interface to the loopback interface's IP address.

Second, by default, eBGP peers are expected to be directly connected (TTL=1), a rule enforced by ebgp-enforce-multihop. Since loopback interfaces are not physically connected, this enforcement must be disabled (set ebgp-enforce-multihop disable) to allow the BGP session to establish between these non-adjacent IP addresses.

Why Incorrect

ibgp-enforce-multihop: This command applies to internal BGP (iBGP) sessions within the same autonomous system, not to an external (eBGP) session with an ISP.

recursive-next-hop: This setting relates to the resolution of the next-hop attribute in BGP route advertisements, not the establishment of the BGP peering session itself.

References

1. FortiOS 7.6.0 CLI Reference

config router bgp section

page 1789.

update-source : "Enable/disable use of the interface as the source IP address of BGP connections." This confirms the need to specify the loopback interface.

ebgp-enforce-multihop {enable | disable}: "Enable/disable enforcement of single-hop for EBGP neighbors." The default is enable. This confirms the need to disable this setting for loopback peering.

2. Fortinet Cookbook

"eBGP configuration using loopback interfaces" recipe.

This guide explicitly details the configuration steps for establishing an eBGP session using loopback interfaces

stating: "On both routers

it is necessary to configure set update-source to use the loopback interface as the source of the BGP traffic

and set ebgp-multihop enable [or set ebgp-enforce-multihop disable in modern FortiOS] because the peer is not directly connected."

Q: 15

Refer to the exhibit, which shows a LAN interface connected from FortiGate to two FortiSwitch devices.

What two conclusions can you draw from the corresponding LAN interface? (Choose two.)

Options

Discussion

Aaron Q. Feb 20, 2026 5:50 am

B and C for sure. You need 802.3ad LAG for connecting to MCLAG peers, and that interface is always used for FortiLink when managing downstream switches/VLANs from FortiGate. Pretty standard setup unless something's changed in recent firmware, right?

Layla G. Feb 24, 2026 1:43 pm

I don’t think A fits, it’s B and C. FortiGate needs 802.3ad for MCLAG and FortiLink manages the VLANs, not SD-WAN.

MasonG Feb 28, 2026 11:08 am

B/C work here. The picture basically shows an 802.3ad LAG, and FortiLink is always what's used for FortiGate switch management. Not seeing anything that points to SD-WAN or STP config being needed in this context.

Quinn M. Feb 22, 2026 9:49 pm

B and C tbh. That's what pops up in both the official docs and most practice sets covering FortiLink and switch stacking stuff, no SD-WAN in this one. Let me know if you saw anything different in other exam reports.

Kevin Feb 26, 2026 3:20 pm

From what I've seen in the official guide and a couple of practice tests, it's B and C here. 802.3ad is a must for MCLAG, and FortiLink does the VLAN management. Pretty sure-let me know if there's a different config.

Riley Feb 15, 2026 9:37 am

B and C match what's in the official guide and practice tests for FortiLink with MCLAG. The LAG has to be 802.3ad, and FortiLink manages VLANs. Not 100% sure unless they ask about loop prevention, though. Disagree?

Hannah W. Feb 26, 2026 3:19 am

Kinda feel like A is valid here. Since you have multiple switches, enabling STP or RSTP seems important to prevent loops at L2. I've seen network loops in similar setups if STP isn't enabled. Not completely sure though, maybe I'm missing something about how FortiLink handles redundancy? Agree?

Rowan E. Feb 20, 2026 2:11 am

Option D looks tempting since SD-WAN gets mixed up with multi-link stuff, but here it's just a regular LAG with FortiLink, not SD-WAN. I think D is a trap, but I could see why someone might pick it.

Aisha V. Feb 16, 2026 9:03 pm

B/C make sense here. The interface needs to be 802.3ad (B) for aggregation and FortiLink is used to centrally manage VLANs (C). Not seeing any SD-WAN or STP requirement in this context. Anyone disagree?

Nina J. Mar 3, 2026 1:47 pm

Pretty sure it's B and C, saw a similar question on a practice exam. Matches the 802.3ad and FortiLink setup.

Be respectful. No spam.

Correct Answer:

B, C

Explanation

The exhibit shows a FortiGate connected to a pair of FortiSwitch devices using a single logical interface. This topology represents a Multi-Chassis Link Aggregation (MCLAG) configuration, which provides link and device redundancy.

To connect to an MCLAG peer group, the FortiGate must use a Link Aggregation Group (LAG) interface, which is standardized as IEEE 802.3ad. This bundles the physical links to each switch into one logical interface.

This integrated deployment is managed using FortiLink, where the 802.3ad aggregate interface on the FortiGate is configured as the FortiLink interface. This allows the FortiGate to act as the switch controller, centrally managing the FortiSwitch units and provisioning VLANs across the switched network.

Why Incorrect

A. MCLAG is specifically designed to provide a loop-free, active-active topology, making Spanning Tree Protocol (STP) on the aggregate links unnecessary.

D. SD-WAN is a feature for aggregating and managing multiple Wide Area Network (WAN) links for internet and private network access, not for LAN-side switch connectivity.

References

1. FortiSwitch—Managed by FortiOS 7.4.0

Administration Guide

Page 51

Section: "FortiLink split interface and MCLAG".

The documentation states: "On the FortiGate unit

you create an 802.3ad aggregate interface with at least two member interfaces." This directly supports that an 802.3ad interface type is required (Answer B).

The same section describes this exact topology as a FortiLink configuration for managing an MCLAG peer group

which includes VLAN management (Answer C).

2. FortiSwitchOS 7.4.0

Administration Guide

Page 183

Section: "Configuring MCLAG".

The guide explains: "MCLAG provides Layer-2 redundancy by preventing the spanning-tree protocol (STP) from blocking the redundant links between the MCLAG peer group and the client network device." This confirms that STP is not the required loop-prevention mechanism (Refutes Answer A).

3. FortiOS 7.4.0

Administration Guide

Page 1789

Section: "SD-WAN".

The guide defines SD-WAN: "SD-WAN simplifies the management of multiple WAN connections...". This confirms SD-WAN is a WAN technology

not used for LAN switch connections (Refutes Answer D).

Question 11 of 20 · Page 2 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE