Fortinet NSE 6 - LAN Edge 7.6 Architect Online Practice
Last updated: 21 April 2026
Online practice questions let you gauge how well you know the Fortinet FCSS_LED_AR-7.6 exam material before deciding whether to register for the exam.
If you want to pass the exam with a 100% success rate and cut your preparation time by 35%, choose the FCSS_LED_AR-7.6 dumps (latest real exam questions), which currently include the 38 latest exam questions and answers.

Answer:
Explanation:
In a LAN Edge deployment:
FortiSwitch is managed through FortiGate via FortiLink.
FortiAIOps integrates with FortiGate as the single managed device; from there it gains visibility into all Fabric and LAN-edge devices (FortiSwitch, FortiAP) that are registered to that FortiGate.
Once the FortiGate is successfully added to FortiAIOps (as shown in the exhibit, status Online / Successfully Discovered), all FortiSwitches managed by that FortiGate are:
Discovered automatically through the FortiGate-to-FortiAIOps connection
Shown under the appropriate inventory / switch views with no separate onboarding step for each switch.
This is why no extra IP, serial number, or credential entry is required for FortiSwitch.
So:
A and B suggest manual per-switch onboarding, which is not how FortiAIOps works with LAN Edge.
D similarly assumes direct FortiSwitch management, but FortiAIOps talks to FortiGate, not the switch.
Therefore the correct behavior is that the FortiSwitch is added automatically (C) once its managing FortiGate is connected to FortiAIOps.



Answer:
Explanation:
From the exhibits and text:
FortiGate → RADIUS → FortiAuthenticator
FortiAuthenticator → LDAP → Windows AD
diagnose test authserver radius ... pap succeeds
diagnose test authserver radius ... mschap2 fails
This behavior matches a classic limitation documented in FortiOS:
When using LDAP as the back-end, the RADIUS server must use PAP. CHAP/MS-CHAPv2 are not supported with plain LDAP because the server cannot validate the challenge-response without access to password hashes.
In the Remote LDAP server config on FortiAuthenticator, the option "Windows Active Directory Domain Authentication" is disabled. When this feature is enabled, FortiAuthenticator can talk to AD using Kerberos/NTLM instead of a simple LDAP bind, which does support MS-CHAPv2 for incoming RADIUS authentications.
So to allow MS-CHAPv2 all the way from FortiGate to AD, you must:
Keep FortiGate using RADIUS with MS-CHAPv2 → FortiAuthenticator
Enable Windows Active Directory Domain Authentication so FortiAuthenticator can properly validate MS-CHAPv2 against AD.
Why the other options are wrong:
A. Change to CHAP: CHAP still cannot be validated over LDAP; docs say LDAP back-ends must use PAP.
C. Manually add users to local DB: That would allow local-DB auth but does not fix MS-CHAPv2 against AD.
D. Use RADIUS attributes on FortiGate: Attributes do not influence the EAP inner method; they don't fix MS-CHAPv2 failures.
Therefore the configuration change that can realistically fix the MS-CHAPv2 problem is enabling Windows Active Directory Domain Authentication on FortiAuthenticator (B).
Answer:
Explanation:
In FortiLink NAC for LAN Edge:
When a device first connects, it is placed into the onboarding VLAN.
NAC policies then classify the device (by MAC, OS, user, EMS tag, etc.).
If a NAC policy matches, the device may be moved to an access VLAN or quarantine VLAN.
If no NAC policy matches, the device simply stays in the onboarding VLAN.
FortiOS / LAN Edge documentation describes the onboarding VLAN as the default VLAN for unknown or unclassified devices, until NAC policy evaluation moves them elsewhere.
Answer:
Explanation:
Goal: enforce captive portal authentication over HTTPS for guests.
On FortiGate/FortiAuthenticator captive portal setups:
HTTP redirect is used so that when a guest browses to any HTTP site, their request is redirected to the portal URL.
The portal URL itself must be HTTPS if you want a secure login page.
FortiOS captive portal and firewall authentication guidelines recommend:
Enabling HTTP redirect so unauthenticated HTTP traffic is transparently sent to the portal.
Configuring the portal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.
Therefore:
A. Enable HTTP redirect in the user authentication settings.
✔ This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.
D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.
✔ This makes the login itself secure (TLS-protected).
Incorrect:
B: You don't need a new SSID; the same SSID can use the HTTPS portal.
C: Disabling HTTP admin access on the SSID doesn't control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.

Answer:



Answer:
Explanation:
From the exhibits:
Interface "APs" is a VLAN sub-interface on fortilink with IP 10.10.100.254/24 and a DHCP server scope 10.10.100.1 to 10.10.100.253.
This VLAN is assigned toport1on the managed FortiSwitch for FortiAPs.
The interface config shows only allowaccess ping; Security Fabric Connection is not enabled.
In LAN Edge designs, FortiAPs connected through FortiSwitch are discovered and managed as LAN edge devices of the Security Fabric. FortiOS documentation states that FortiAPs and FortiSwitches appear in the Fabric topology only when connected on an interface with Security Fabric Connection enabled.
If the VLAN/AP management interface lacks Security Fabric Connection:
FortiGate does not treat that network as a Fabric connection segment.
CAPWAP discovery from FortiAPs on that VLAN will not result in the AP being onboarded and shown for management.
Therefore the key misconfiguration is:
✔ A: Security Fabric is disabled on the VLAN interface used for AP management.
Why the others are not the root cause:
B. Firmware incompatibility: would usually show as a "Managed (upgrade required)" or similar status after discovery, not complete non-detection. The scenario specifically points to a configuration issue, not firmware.
C. VLAN not tagged correctly on uplink: The FortiSwitch uplink to FortiGate is the FortiLink trunk, and the VLAN sub-interface APs is already bound to fortilink, so tagging on the uplink is correct by definition.
D. CAPWAP ports not open: CAPWAP (UDP 5246/5247) is terminated locally on FortiGate and does not depend on any firewall policy; these ports are open on the FortiGate itself by default.
Answer:
Explanation:
Auto TX power control on FortiAP is an RF-optimization feature:
FortiGate (as wireless controller) continuously evaluates the RSSI of associated clients on each FortiAP radio.
The algorithm focuses on the weakest client (the one with the worst signal) and adjusts the AP's transmit power so that this client's signal level stays within a configured / target range.
This helps balance coverage and limit co-channel interference: APs don’t transmit at maximum power when clients are close, but will increase power when the weakest client signal drops too low.
Therefore the correct behavior description is:
✔ C: AP power is adjusted based on the weakest associated client's signal.
Why the others are wrong:
A and B talk about matching nearby APs' power or forcing everything to -70 dBm, which is not how FortiAP auto TX works.
D incorrectly states the AP "evaluates its own transmission from the client perspective"; the AP can only infer client-side conditions from the client's RSSI at the AP, not the inverse.



Answer:
Explanation:
In this design, FortiAuthenticator receives RADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, then injects FSSO logon events toward all FortiGate devices.
From the exhibits we know:
FortiAuthenticator is receiving RADIUS accounting from the RADIUS server.
LDAP queries are successful and return group membership.
But FortiGate does not receive FSSO logons, so identity-based policies are not applied.
For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctly parsed into at least:
Username
Client IP address
These are mapped from the RADIUS attributes in the RADIUS Accounting SSO client configuration (for example, User-Name and Framed-IP-Address). If these are not defined or are mapped incorrectly, FortiAuthenticator can see the accounting packet but cannot build a valid FSSO session, so no update is sent to FortiGate.
Thus the most likely root cause is:
✔ The RADIUS Username and Client IPv4 attributes are not correctly defined for that RADIUS Accounting SSO client (option A).
Other options conflict with the scenario:
B: LDAP is already successfully returning groups.
C: The FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).
D: The interface is receiving RADIUS accounting, so it is clearly enabled.
Answer:
Explanation:
In user certificates used with FortiGate / FortiAuthenticator / SSL-VPN / 802.1X, the following attributes are important:
Subject field & UPN
Provide a unique identity for the user (CN and/or UPN).
FortiGate can use the SAN/UPN field for LDAP-integrated certificate authentication.
Expiration date
Limits how long the certificate is valid, enforcing lifecycle and rotation.
CRL URL & OCSP URL
Tell FortiGate (or any relying party) where to check if the certificate has been revoked.
Enables near real-time revocation using OCSP or periodic CRL downloads instead of relying only on expiration.
By carefully configuring these fields:
The certificate uniquely and correctly identifies the user.
Relying systems can perform accurate and timely revocation checks, improving security.
Why other options are wrong:
A: It does the opposite: CRL/OCSP increase automation, not manual revocation.
B: These attributes do not inherently limit a cert to specific devices; that’s done via key usage, EKU, or device certs.
D: They don't "ensure universal validity"; they make the cert precisely bound to one identity with enforceable lifetime and revocation.
Answer:
Explanation:
When FortiAuthenticator is used as an FSSO agent based on syslog, it must:
Parse incoming syslog messages from devices (firewalls, WLAN controllers, VPN concentrators, etc.).
Extract identity fields such as:
Username
IP address
Login/logout event indicators
Syslog matching rules on FortiAuthenticator define:
Which syslog messages are relevant (by facility, message pattern, or regex).
How to capture specific fields (username, IP, group, event type).
FortiAuthenticator then uses this parsed data to inject logon sessions into FSSO, so FortiGate can apply identity-based policies.
Thus, the role of syslog matching rules is exactly as described in C.
A: Group mapping is handled separately via directory groups / FSSO config, not directly by matching rules.
B: Enforcement of authentication policies is done on FortiGate, not directly by the matching rules.
D: While irrelevant logs can be ignored via rules, the primary purpose is parsing and extraction, not generic filtering.
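The two identity-extraction paths described in this and the RADIUS accounting (RSSO) explanation above come down to the same thing: a record arrives, the agent must pull a username, a client IP and a logon/logoff indicator out of it, and only then can an FSSO session be sent to FortiGate. The following Python model is an added example, not code from the exam page or from Fortinet; the attribute mapping, the syslog message format, the matching rules, the stand-in LDAP directory and the sample records are all constructed for illustration. It shows a working RSSO mapping beside a broken one (the accounting packet is seen but no session can be built, the situation in option A above) and a small rule set that ignores unrelated syslog lines.

```python
"""Added example (not from the exam page or Fortinet's code): turning a
RADIUS accounting record or a syslog line into an FSSO logon/logoff event.
Attribute names, syslog format, matching rules and sample data are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FssoEvent:
    username: str
    ip: str
    action: str                      # "logon" or "logoff"
    groups: Tuple[str, ...] = ()     # filled in by the directory lookup


# --- RSSO: which RADIUS attributes carry the username and the client IP ----
# A working mapping, as the "RADIUS Accounting SSO client" settings expect.
RSSO_MAPPING_OK = {"username": "User-Name", "client_ip": "Framed-IP-Address"}
# A broken mapping (constructed): the client IP is read from an attribute
# this NAS never sends, so the packet is seen but no session can be built.
RSSO_MAPPING_BROKEN = {"username": "User-Name", "client_ip": "Login-IP-Host"}

ACCT_STATUS_TO_ACTION = {"Start": "logon", "Stop": "logoff"}


def parse_radius_accounting(attrs: Dict[str, str], mapping: Dict[str, str]) -> Optional[FssoEvent]:
    """Build an FSSO event from a decoded Accounting-Request (attribute dict).
    Returns None when the username or client IP cannot be resolved."""
    action = ACCT_STATUS_TO_ACTION.get(attrs.get("Acct-Status-Type", ""))
    username = attrs.get(mapping["username"])
    ip = attrs.get(mapping["client_ip"])
    if action is None or not username or not ip:
        return None
    return FssoEvent(username, ip, action)


# --- Syslog: matching rules = (regex with named capture groups, event type)
_IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SYSLOG_RULES = [
    (re.compile(r"user=(?P<user>\S+) srcip=" + _IP + r" action=login status=success"), "logon"),
    (re.compile(r"user=(?P<user>\S+) srcip=" + _IP + r" action=logout"), "logoff"),
]


def parse_syslog(line: str) -> Optional[FssoEvent]:
    """Apply the rules in order; the first match decides the event type.
    Lines matching no rule are ignored rather than treated as errors."""
    for pattern, action in SYSLOG_RULES:
        m = pattern.search(line)
        if m:
            return FssoEvent(m.group("user"), m.group("ip"), action)
    return None


# --- Group enrichment: a constructed stand-in for the LDAP lookup ------------
DIRECTORY = {
    "jdoe": ("CN=Students,OU=Groups,DC=example,DC=com",),
    "asmith": ("CN=Staff,OU=Groups,DC=example,DC=com",),
}


def enrich(event: FssoEvent) -> FssoEvent:
    """Attach directory groups. A user absent from the directory still logs
    on, just without group mapping."""
    return FssoEvent(event.username, event.ip, event.action, DIRECTORY.get(event.username, ()))


def events_from_syslog(lines: List[str]) -> List[FssoEvent]:
    return [enrich(e) for e in map(parse_syslog, lines) if e is not None]


# Constructed sample input.
SAMPLE_ACCOUNTING = {
    "Acct-Status-Type": "Start",
    "User-Name": "jdoe",
    "Framed-IP-Address": "10.10.20.15",
    "NAS-IP-Address": "10.10.0.2",
}
SAMPLE_SYSLOG = [
    "<134>Apr 21 09:12:01 vpn1 user=asmith srcip=10.10.30.7 action=login status=failed",
    "<134>Apr 21 09:12:05 vpn1 user=asmith srcip=10.10.30.7 action=login status=success",
    "<134>Apr 21 09:30:00 vpn1 interface wan1 link up",
    "<134>Apr 21 09:40:00 vpn1 user=asmith srcip=10.10.30.7 action=logout",
]

if __name__ == "__main__":
    print(parse_radius_accounting(SAMPLE_ACCOUNTING, RSSO_MAPPING_OK))
    print(parse_radius_accounting(SAMPLE_ACCOUNTING, RSSO_MAPPING_BROKEN))
    for ev in events_from_syslog(SAMPLE_SYSLOG):
        print(ev)
```

When troubleshooting either path, the useful check is the same: feed one captured record through the mapping or rule set and confirm that both a username and an IP come out; if either is empty, the agent has nothing to send to FortiGate, however healthy the directory lookup is.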
Answer:
Explanation:
In FortiLink topologies, a managed FortiSwitch normally gets its management IP automatically from the DHCP server on the FortiLink interface. If the switch does not receive an IP:
It cannot form the FortiLink CAPWAP/DTLS control channel.
Therefore it does not appear under WiFi & Switch Controller > FortiSwitch.
FortiOS documentation states that FortiLink uses a built-in DHCP server on the FortiLink interface for onboarding switches.
So the first troubleshooting step is to confirm:
The FortiLink DHCP server is enabled.
Leases are being handed out to the FortiSwitch MAC.
Other options:
A: Security policies do not affect the L2 FortiLink control channel.
B: Static IP may be used but is not the normal first step.
D: Internet access is not required for FortiGate to see the switch.


Answer:
Explanation:
From the FortiManager NAC policy:
Category = Device
Match criteria include MAC address and Operating System = Linux
Action = Assign VLAN "Students"
From the FortiGate CLI:
diagnose switch-controller switch-info mac-table ...
MAC: 70:88:6b:8c:4a:ce VLAN: 4089 Port: port2
diagnose switch-controller mac-device mac onboarding
VLAN 4089 MAC 70:88:6b:8c:4a:ce
So the device is stuck in VLAN 4089, which is the onboarding VLAN. No NAC policy is matched.
For a NAC policy to match, FortiGate needs device-identity information, which comes from device detection on the VLAN / FortiLink interface plus the attributes that the policy expects (OS, MAC, etc.).
A. Device detection is not enabled on VLAN 4089.
If device detection is disabled on the interface/VLAN where the endpoint lives, FortiGate cannot learn OS / device info.
Without this, the NAC engine cannot compare against the NAC policy (which relies on OS and other attributes), so the device remains in the onboarding VLAN. ✅ This is a valid root cause.
B. The device operating system detected by FortiGate is not Linux.
The NAC policy explicitly requires Operating System = Linux.
If the endpoint is actually Windows/macOS, or the OS fingerprint is still “Unknown”, the policy will never match, and the device stays in onboarding. ✅ Also a valid reason.
C. Management communication between FortiGate and FortiSwitch is down.
CLI output (switch-info mac-table and mac-device) proves FortiGate is talking to the switch and sees MAC/VLAN/port information. ❌ Not a valid reason.
D. The MAC address configured on the NAC policy is incorrect.
The exhibits show the MAC in the NAC policy matches the MAC appearing in the MAC table. ❌ Not the cause here.
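The reasoning in this explanation, and in the earlier one on the onboarding VLAN, can be checked against a small model of NAC policy evaluation. The Python below is an added example, not code from the exam page or from FortiOS: the matching logic, the Students VLAN ID, the quarantine policy and the extra MAC addresses are constructed for illustration, while the MAC 70:88:6b:8c:4a:ce, VLAN 4089 and the "Students" policy criteria are taken from the exhibit quoted above. It reproduces the three outcomes the options discuss: a match when detection is on and the OS is Linux, no match when device detection is disabled (the OS is never learned), and no match when the detected OS is something other than Linux, with the device keeping the onboarding VLAN in both failure cases.

```python
"""Added example (not from the exam page or FortiOS): a toy model of
FortiLink NAC policy evaluation with the onboarding VLAN as the default.
VLAN IDs other than 4089 and the policy set are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONBOARDING_VLAN = 4089    # from the CLI output above
STUDENTS_VLAN = 100       # constructed VLAN ID for "Students"
QUARANTINE_VLAN = 4093    # constructed


@dataclass(frozen=True)
class NacPolicy:
    name: str
    action_vlan: int
    mac: Optional[str] = None    # when set, the endpoint MAC must equal it
    os: Optional[str] = None     # when set, the detected OS must equal it


@dataclass(frozen=True)
class Endpoint:
    mac: str
    os: str      # what device detection learned; "Unknown" if nothing


def detect(mac: str, actual_os: str, detection_enabled: bool) -> Endpoint:
    """Device detection on the VLAN interface. Without it, FortiGate only
    learns the MAC (from the switch MAC table) and never the OS."""
    return Endpoint(mac.lower(), actual_os if detection_enabled else "Unknown")


def evaluate(endpoint: Endpoint, policies: List[NacPolicy]) -> Tuple[int, Optional[str]]:
    """First matching policy wins. Every criterion set on a policy must
    match; with no match the device stays in the onboarding VLAN."""
    for p in policies:
        if p.mac is not None and p.mac.lower() != endpoint.mac:
            continue
        if p.os is not None and p.os != endpoint.os:
            continue
        return p.action_vlan, p.name
    return ONBOARDING_VLAN, None


# Constructed policy set; the "Students" policy mirrors the exhibit.
POLICIES = [
    NacPolicy("Students", STUDENTS_VLAN, mac="70:88:6b:8c:4a:ce", os="Linux"),
    NacPolicy("Quarantine-known-bad", QUARANTINE_VLAN, mac="00:11:22:33:44:55"),
]


def place(mac: str, actual_os: str, detection_enabled: bool) -> Tuple[int, Optional[str]]:
    """Detection followed by policy evaluation: (assigned VLAN, policy name)."""
    return evaluate(detect(mac, actual_os, detection_enabled), POLICIES)


if __name__ == "__main__":
    cases = [
        ("70:88:6b:8c:4a:ce", "Linux", True),     # matches Students
        ("70:88:6b:8c:4a:ce", "Linux", False),    # option A: OS never learned
        ("70:88:6b:8c:4a:ce", "Windows", True),   # option B: OS is not Linux
        ("00:11:22:33:44:55", "Windows", True),   # quarantine on MAC alone
        ("de:ad:be:ef:00:01", "Linux", True),     # unknown device
    ]
    for mac, os_name, det in cases:
        print(mac, os_name, det, "->", place(mac, os_name, det))
```

The model also shows why the switch-side CLI output alone cannot settle the question: the MAC table proves the MAC was learned, but the policy match depends on the OS attribute, which only device detection supplies.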



Answer:
Explanation:
The SSL-VPN configuration has Require Client Certificate enabled. When this is enabled, FortiOS performs two checks:
Normal user authentication (username/password or PKI user)
Additional client certificate check: the client certificate must be signed by a CA that FortiGate trusts
FortiOS documentation for “SSL VPN with certificate authentication” states:
“The client certificate only needs to be signed by a known CA in order to pass authentication.”
“The CA certificate is the certificate that signed both the server certificate and the user certificate… The CA certificate is available to be imported on the FortiGate.”
The debug output shows key lines:
__quick_check_peer-CA does not match.
Issuer of cert depth 0 is not detected in CMDB.
This tells us:
FortiGate does see the user's certificate,
But cannot find the issuing CA in its local CA certificate store ("CMDB" = configuration database).
This means the CA that signed the user certificate has not been imported into FortiGate.
Now evaluate the options:
A. Enable Redirect HTTP to SSL-VPN: affects only redirection from HTTP to HTTPS; it has nothing to do with certificate validation.
B. Import the CA that signed the SSL VPN Server Certificate: the server certificate is already working (the portal comes up) and its CA is not what the debug complains about; the error is about the peer (user) certificate. Often the same CA signs both, but the failing check specifically says the issuer of the client cert is not in CMDB.
C. Set the user certificate as the Server Certificate: incorrect; server and client certificates serve different roles.
D. Import the CA that signed the user certificate to FortiGate: this directly addresses the debug error and aligns with the documented requirement that the CA which issued the user certificate must be known to FortiGate.

Answer:
Explanation:
From the exhibit, LDAP on FortiGate is correctly configured and tested:
diagnose test authserver ldap FAC-LDAP wifi101 password
authenticate 'wifi101' against 'FAC-LDAP' succeeded!
Group membership(s) - CN=Domain Users,...
So:
LDAP connectivity works
Bind DN, DN, CNID, and credentials are correct (so option C is eliminated).
Firewall policies do not affect the 802.1X / Wi-Fi authentication step itself, so A is not the root cause.
Nothing in the scenario indicates that AD is enforcing LDAPS-only; the LDAP test already succeeds using the configured parameters, so B is also excluded.
The Wi-Fi supplicant is configured for PEAP with inner authentication = MSCHAPv2.
MSCHAPv2 is a challenge-response mechanism designed for RADIUS, not for LDAP simple bind. FortiGate's LDAP implementation uses a simple bind (username/password) over LDAP or LDAPS, and it does not implement MSCHAPv2 against LDAP backends.
In Fortinet's design, if you need PEAP-MSCHAPv2 with Active Directory, you must use:
A RADIUS server (such as Windows NPS or FortiAuthenticator), and
Have FortiGate use RADIUS, not LDAP, as the authentication backend for 802.1X / Wi-Fi users.
Because FortiGate cannot process MSCHAPv2 exchanges directly against an LDAP server, authentication fails when the inner method is MSCHAPv2, even though LDAP works when tested with a simple bind from the CLI.
Answer:
Explanation:
FortiAnalyzer requires a specific license to evaluate Indicators of Compromise (IOC).
From the FortiAnalyzer 7.4.1 Administration Guide:
IOC identification requires the Threat Detection Service license on FortiAnalyzer.
This license enables:
IOC database updates
Compromised host detection
Event correlation based on FortiGuard threat intelligence
Fabric-wide IOC automation triggers
Why the other answers are incorrect:
A: IoT Security add-on is unrelated to IOC rules.
B: There is no IOC subscription license type for FortiAnalyzer.
C: The FAZ-Basic license does NOT include IOC detection.