Fortinet NSE 6 - LAN Edge 7.6 Architect Online Practice
Last updated: February 14, 2026
Work through these online practice questions to gauge how well you know the material for the Fortinet FCSS_LED_AR-7.6 exam, and then decide whether to register for it.
To pass the exam with a 100% success rate and cut your preparation time by 35%, choose the FCSS_LED_AR-7.6 dumps (latest real exam questions), which currently include the 38 most recent exam questions and answers.
Answer:
Explanation:
In FortiLink topologies, a managed FortiSwitch normally gets its management IP automatically from the DHCP server on the FortiLink interface. If the switch does not receive an IP:
It cannot form the FortiLink CAPWAP/DTLS control channel.
Therefore it does not appear under WiFi & Switch Controller > FortiSwitch.
FortiOS documentation states that FortiLink uses a built-in DHCP server on the FortiLink interface for onboarding switches.
So the first troubleshooting step is to confirm:
The FortiLink DHCP server is enabled.
Leases are being handed out to the FortiSwitch MAC.
Other options:
A: Security policies do not affect the L2 FortiLink control channel.
B: Static IP may be used but is not the normal first step.
D: Internet access is not required for FortiGate to see the switch.


Answer:
Explanation:
From the FortiManager NAC policy:
Category = Device
Match criteria include MAC address and Operating System = Linux
Action = Assign VLAN “Students”
From the FortiGate CLI:
diagnose switch-controller switch-info mac-table ...
MAC: 70:88:6b:8c:4a:ce VLAN: 4089 Port: port2
diagnose switch-controller mac-device mac onboarding
VLAN 4089 MAC 70:88:6b:8c:4a:ce
So the device is stuck in VLAN 4089, which is the onboarding VLAN. No NAC policy is matched.
For a NAC policy to match, FortiGate needs device-identity information, which comes from device detection on the VLAN / FortiLink interface plus the attributes that the policy expects (OS, MAC, etc.).
A. Device detection is not enabled on VLAN 4089.
If device detection is disabled on the interface/VLAN where the endpoint lives, FortiGate cannot learn OS / device info.
Without this, the NAC engine cannot compare against the NAC policy (which relies on OS and other attributes), so the device remains in the onboarding VLAN. ✅ This is a valid root cause.
B. The device operating system detected by FortiGate is not Linux.
The NAC policy explicitly requiresOperating System = Linux.
If the endpoint is actually Windows/macOS, or the OS fingerprint is still “Unknown”, the policy will never match, and the device stays in onboarding. ✅ Also a valid reason.
C. Management communication between FortiGate and FortiSwitch is down.
CLI output (switch-info mac-table and mac-device) proves FortiGate is talking to the switch and sees MAC/VLAN/port information. ❌ Not a valid reason.
D. The MAC address configured on the NAC policy is incorrect.
The exhibits show the MAC in the NAC policy matches the MAC appearing in the MAC table. ❌ Not the cause here.



Answer:
Explanation:
The SSL-VPN configuration has Require Client Certificate enabled. When this is enabled, FortiOS performs two checks:
Normal user authentication (username/password or PKI user)
Additional client certificate check: the client certificate must be signed by a CA that FortiGate trusts
FortiOS documentation for “SSL VPN with certificate authentication” states:
“The client certificate only needs to be signed by a known CA in order to pass authentication.”
“The CA certificate is the certificate that signed both the server certificate and the user certificate… The CA certificate is available to be imported on the FortiGate.”
The debug output shows key lines:
__quick_check_peer-CA does not match.
Issuer of cert depth 0 is not detected in CMDB.
This tells us:
FortiGate does see the user’s certificate,
But cannot find the issuing CA in its local CA certificate store (“CMDB” = configuration database).
This means the CA that signed the user certificate has not been imported into FortiGate.
Now evaluate the options:
A. Enable Redirect HTTP to SSL-VPN: affects only redirection from HTTP to HTTPS; it has nothing to do with certificate validation.
B. Import the CA that signed the SSL VPN Server Certificate: the server certificate is already working (the portal comes up) and its CA is not what the debug complains about; the error is about the peer (user) certificate. Often the same CA signs both, but the failing check specifically says the issuer of the client cert is not in CMDB.
C. Set the user certificate as the Server Certificate: incorrect; server and client certificates serve different roles.
D. Import the CA that signed the user certificate to FortiGate: this directly addresses the debug error and aligns with the documented requirement that the CA which issued the user certificate must be known to FortiGate.

Answer:
Explanation:
From the exhibit, LDAP on FortiGate is correctly configured and tested:
diagnose test authserver ldap FAC-LDAP wifi101 password
authenticate 'wifi101' against 'FAC-LDAP' succeeded!
Group membership(s) - CN=Domain Users,...
So:
LDAP connectivity works
Bind DN, DN, CNID, and credentials are correct (so option C is eliminated).
Firewall policies do not affect the 802.1X / Wi-Fi authentication step itself, so A is not the root cause.
Nothing in the scenario indicates that AD is enforcing LDAPS-only; the LDAP test already succeeds using the configured parameters, so B is also excluded.
The Wi-Fi supplicant is configured for PEAP with inner authentication = MSCHAPv2.
MSCHAPv2 is a challenge-response mechanism designed for RADIUS, not for LDAP simple bind. FortiGate’s LDAP implementation uses a simple bind (username/password) over LDAP or LDAPS, and it does not implement MSCHAPv2 against LDAP backends.
In Fortinet’s design, if you need PEAP-MSCHAPv2 with Active Directory, you must use:
A RADIUS server (such as Windows NPS or FortiAuthenticator), and
Have FortiGate use RADIUS, not LDAP, as the authentication backend for 802.1X / Wi-Fi users.
Because FortiGate cannot process MSCHAPv2 exchanges directly against an LDAP server, authentication fails when the inner method is MSCHAPv2, even though LDAP works when tested with a simple bind from the CLI.
Answer:
Explanation:
FortiAnalyzer requires a specific license to evaluate Indicators of Compromise (IOC).
From the FortiAnalyzer 7.4.1 Administration Guide:
IOC identification requires the Threat Detection Service license on FortiAnalyzer.
This license enables:
IOC database updates
Compromised host detection
Event correlation based on FortiGuard threat intelligence
Fabric-wide IOC automation triggers
Why the other answers are incorrect:
A: IoT Security add-on is unrelated to IOC rules.
B: There is no IOC subscription license type for FortiAnalyzer.
C: FAZ-Basic license does NOT include IOC detection.
Answer:
Explanation:
FortiGate and FortiSwitch must share synchronized time when operating in FortiLink mode.
Documented reasons in FortiOS:
Accurate time synchronization is required for logs, authentication events, and fabric correlations.
Why it’s critical:
Answer:
Explanation:
The FortiOS documentation explicitly states that a CSR used for certificate signing must contain accurate and valid fields, especially:
Common Name (CN)
Organization (O)
Country (C)
Public key parameters
According to the FortiGate certificate section:
Incorrect CSR field information can cause the CA to reject the request.
Reasons include:
The CA validates identity and organizational information.
Missing or malformed data invalidates PKI requirements.
The CSR is not corrected automatically by the CA.
Therefore:
✔ A is correct.
Options B, C, and D contradict PKI principles:
B is false: CAs do not issue certificates with mismatched identity fields for public trust.
C is false: CSR fields are not only for internal use; they define certificate identity.
D is false: CAs do not auto-correct CSR fields.
Answer:
Explanation:
When a device’s MAC address is quarantined on a FortiSwitch (via FortiLink NAC, fabric automation, or manual quarantine), FortiSwitch enforces quarantine using the quarantine VLAN, also called the access VLAN inside FortiSwitch NAC operations.
FortiSwitch behavior is defined in LAN Edge documentation:
Quarantined devices are moved into an "access VLAN" reserved for isolation.
This VLAN is statically defined on the FortiGate NAC policy, and switch ports dynamically reassign the quarantined MAC into that VLAN.
All egress traffic from the quarantined MAC is forced into this VLAN, preventing access to the production network.
Thus, the correct description is:
✔ Traffic is sent to an access VLAN.
Options B, C, and D are incorrect because:
Quarantine does not reassign to the native VLAN.
It does not send untagged traffic arbitrarily.
It does not forward traffic to allowed VLANs.


Answer:
Explanation:
In this scenario:
FortiGate + FortiAnalyzer are part of the Security Fabric
An Automation Stitch is configured:
Trigger: Compromised Host - High (IOC from FortiAnalyzer)
Action: Quarantine on FortiSwitch + FortiAP
A test device 10.0.2.1 visits a malicious website.
FortiAnalyzer logs show the event, but FortiGate does NOT quarantine the device.
This means the automation did not receive an IOC trigger, OR the Fabric did not classify it as a compromise.
Let's evaluate each answer option.
✅ C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.
✔ Correct.
For FortiGate to quarantine a device:
FortiAnalyzer must classify the event as a Compromised Host → High / Medium / Critical
FortiAnalyzer must generate an IOC event
FortiGate must receive that IOC through the Fabric
Even though the FAZ log shows:
Action = blocked
Category = Malicious Websites
→ That does NOT automatically mean an IOC was generated. A blocked website event is not always an IOC unless:
It is included in the IOC database
FAZ’s Analytics / UTM / IOC engine marks it as a compromise
Thus, if FAZ only logs a “Malicious Website” event but does not classify it as an IOC,
Answer:
Explanation:
FortiLink NAC is the NAC (Network Access Control) engine built into FortiGate when it manages FortiSwitch devices.
It performs:
✔ Automated device onboarding
Automatically detects new devices connecting to switches.
Uses MAC, vendor, DHCP fingerprinting, or IoT database to classify devices.
No manual VLAN assignment required.
✔ Security posture verification
Works with FortiClient EMS, ZTNA tags, IoT detection.
Applies policies based on:
Device type
User role
Endpoint compliance
IoT vulnerability status
✔ Dynamic VLAN assignment
Automatically moves devices into proper VLANs, quarantine networks, or guest zones.
✔ Integration with LAN Edge & Zero Trust
Uses FortiGate + FortiSwitch + FortiAP to enforce zero-trust access.
This matches the LAN Edge 7.6 Architect explanation of FortiLink NAC.
❌ Why other answers are wrong
A. Extend security policies across FortiGate firewalls
Not NAC. That refers to Security Fabric or SD-WAN.
C. Apply manual firewall rules
FortiLink NAC is specifically designed to automate access control.
D. Manually place devices in VLANs
NAC eliminates manual VLAN assignment ― it is dynamic.


Answer:
Explanation:
The problem states:
FortiGate receives RADIUS accounting messages on port3.
User-Name attribute contains the username.
Class attribute contains the group membership.
Goal: authenticate users through RSSO and map them to the correct user groups.
To achieve this, three critical components must be configured:
✔ A. RADIUS Attribute Value in the RSSO group must match the Class attribute
This is mandatory because:
RSSO user groups on FortiGate match users based on the value inside the RADIUS attribute (usually Class).
For group assignment to work, FortiGate must compare:
RSSO User Group → RADIUS Class Attribute Value
This is exactly how FortiGate maps RSSO users to groups.
✔ D. RSSO agent’s sso-attribute must be set to Class
The sso-attribute defines which RADIUS attribute contains the group information. Because group membership is carried in the ➡ Class attribute, you must configure:
config user radius
    set sso-attribute Class
end
This tells FortiGate:
"Use the Class attribute to derive user group membership."
✔ E. rsso-endpoint-attribute must be set to User-Name
This identifies which RADIUS attribute carries the actual username.
In this scenario:
RADIUS accounting messages contain the username in User-Name.
So the correct setting is:
config user radius
    set rsso-endpoint-attribute User-Name
end
This ensures the RSSO user object uses the correct username.
❌ Incorrect Options Explained
B. Assign RSSO user groups to all firewall policies
Not required.
You only assign them to policies where RSSO authentication is used.
C. Device detection and Security Fabric Connection should be enabled on port3
Totally irrelevant to RSSO.
RSSO only needs RADIUS accounting, not device detection or Fabric services.
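The three settings above only work together when the agent, the group and the policy all line up. The following FortiOS CLI is an added example, not taken from the exam material or from Fortinet documentation; it shows the full chain for the scenario: the accounting listener on port3, an RSSO agent with sso-attribute and rsso-endpoint-attribute set as discussed, an RSSO group whose attribute value must equal what the RADIUS server sends in Class, and one policy that uses the group. The object names ("RSSO-Agent", "RSSO-Students"), the Class value "Students", the interfaces internal/wan1 and the shared secret are assumptions; replace them with site values.

```fortios
# Added example, not from the page. RSSO-Agent, RSSO-Students, "Students",
# internal, wan1 and the secret are assumed values.

# 1. Let FortiGate accept RADIUS accounting (UDP 1813) on the interface
#    where the accounting messages arrive (port3 in the scenario).
config system interface
    edit "port3"
        append allowaccess radius-acct
    next
end

# 2. RSSO agent: which attributes carry the username and the group.
config user radius
    edit "RSSO-Agent"
        set rsso enable
        set rsso-radius-response enable
        set rsso-secret <placeholder-shared-secret>
        # Attribute holding the username in Accounting-Request
        set rsso-endpoint-attribute User-Name
        # Attribute holding the group membership
        set sso-attribute Class
    next
end

# 3. RSSO user group: sso-attribute-value must equal the string the
#    RADIUS server places in the Class attribute, character for character.
config user group
    edit "RSSO-Students"
        set group-type rsso
        set sso-attribute-value "Students"
    next
end

# 4. Only the policies that should depend on RSSO identity reference the
#    group; other policies are left untouched (see option B above).
config firewall policy
    edit 0
        set name "RSSO-Students-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "RSSO-Students"
        set nat enable
    next
end
```

A useful check after applying this is "diagnose test authserver rsso" style troubleshooting and the RSSO user list: if accounting packets arrive but no logon appears, the usual mismatch is between the exact Class string the RADIUS server sends and sso-attribute-value, or the allowaccess entry missing on the receiving interface.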

Answer:
Explanation:
The DHCP configuration shows:
set vci-match enable
set vci-string "FortiSwitch" "FortiExtender"
What this means
VCI = Vendor Class Identifier (DHCP option 60)
When vci-match is enabled, the DHCP server will only respond to DHCP requests from clients whose VCI string matches the configured vendor identifiers.
FortiSwitch and FortiExtender both send DHCP option 60 with:
"FortiSwitch"
"FortiExtender"
This is used in FortiLink deployments so only these devices receive IP addresses on the FortiLink network.
Therefore:
C. To connect, devices must match the VCI string; otherwise, they will not receive an IP address.
✔ Correct.
This perfectly matches FortiGate FortiLink DHCP behavior.
Summary of incorrect options
A ― Ignore FortiSwitch/FortiExtender
❌ Opposite behavior.
B ― Restrict based on hostname
❌ VCI does NOT check hostname.
D ― Reserve IPs
❌ No reservation occurs; it's filtering, not reserving.


Answer:
Explanation:
The VAP configuration clearly shows VLAN pooling using WTP-groups:
set vlan-pooling wtp-group
config vlan-pool
    edit 101
        set wtp-group "Floor_1"
    next
    edit 102
        set wtp-group "Office"
    next
end
How VLAN assignment works in this mode
VLAN-pooling with wtp-group mode means:
Each AP group (WTP group) is tied to exactly one VLAN in the pool.
The FortiGate does not load balance VLANs.
Instead, VLANs are mapped per AP group, not per client.
Now verify each answer option:
A. FortiGate will load balance clients using VLAN 101 and 102...
❌ Incorrect.
FortiGate does NOT load-balance clients when vlan-pooling is set to wtp-group.
Each AP group receives only the VLAN mapped to it.
B. All clients in the Corp zone get IPs from 10.0.20.0/24
❌ Incorrect.
In the Wi-Fi zone table, only Corp.102 has an IP subnet:
Corp.101 → 0.0.0.0/0.0.0.0 (no IP assigned → clients get no DHCP)
Corp.102 → 10.0.20.1/255.255.255.0
Thus, clients associated to VLAN 101 cannot get IPs.
C. Clients connecting to APs in the Floor_1 group cannot receive an IP address
✔ Correct.
Reason:
Floor_1 WTP-group → VLAN 101
VLAN 101 has no IP in the Wi-Fi table → 0.0.0.0/0.0.0.0
No DHCP = clients receive no IP address
D. Clients connecting to APs in the Office group will be assigned to VLAN 102
✔ Correct.
Reason:
Office WTP-group maps to VLAN 102
VLAN 102 has subnet 10.0.20.0/24
So Office group clients get an IP in that range
Answer:
Explanation:
FortiLink device detection relies on FortiGate's Device Identification and IoT Detection capabilities to classify devices connected to FortiSwitch ports.
To enable device identification and vulnerability detection for IoT/endpoint devices in LAN Edge deployments, FortiGate must subscribe to the correct FortiGuard services.
Answer:
Explanation:
Zero-Touch Provisioning (ZTP) for FortiGate devices is handled through FortiDeploy, which automatically connects a FortiGate to FortiManager so the device can download configuration templates and be centrally managed.
For ZTP to work, the newly booted FortiGate must successfully reach FortiManager. One of the critical requirements is connectivity over the FGFM (FortiGate-FortiManager) management protocol, which uses:
TCP Port 541
This is clearly stated in multiple Fortinet documents:
FortiGate Cloud Admin Guide lists port 541 as the management channel used for FortiGate → FortiManager / FortiGate Cloud communications: “Management... Protocol: TCP, Port: 541”
FortiOS Administration Guide also confirms this: “FortiManager provides remote management of FortiGate devices over TCP port 541.”
Since ZTP uses FortiDeploy to push the FortiManager IP to the device and relies on FGFM (port 541) for registration and configuration delivery, any failure on this port breaks the entire ZTP workflow.
Why option D is correct
If the FortiGate cannot reach FortiManager on TCP/541, it cannot register, cannot be authorized, and cannot receive its configuration, leading to a ZTP failure.
This is the most common cause in real deployments:
Firewall blocking TCP/541
Upstream NAT device not forwarding 541
ISP restrictions
Incorrect FortiManager IP or routing issue
ZTP device behind a network that does not allow outbound 541
Why the other options are incorrect
A. The FortiGate device requires manual intervention to accept the FortiManager connection.
Incorrect.
ZTP is built specifically to avoid manual intervention. Once the FortiDeploy key is used, the device auto-connects to FortiManager without needing local acceptance.
B. ZTP works only when devices are connected using a console cable.
Incorrect.
ZTP requires no console cable; that's the whole point. It relies on DHCP, WAN connectivity, and FortiDeploy auto-join.
C. The FortiGate device must be preloaded with a configuration file before ZTP can function.
Incorrect.
Preloading configuration defeats the purpose of ZTP.
ZTP delivers the initial configuration automatically from FortiManager using FortiDeploy.
LAN Edge 7.6 Architect Context
LAN Edge deployments often use FortiManager as the central orchestrator for:
FortiSwitch management via FortiLink
FortiAP wireless provisioning
SD-Branch configuration templates
Security Fabric automation
For all of this, ZTP enables remote sites to deploy FortiGate, FortiSwitch, and FortiAP with no on-site expertise.
If TCP/541 to FortiManager is blocked, the entire LAN Edge deployment pipeline fails, making option D the only valid and document-supported answer.