What FCSS_LED_AR-7.6 Questions and Answers feature?

The SSL-VPN configuration hasRequire Client Certificateenabled. When this is enabled, FortiOS performs two checks:

Normal user authentication(username/password or PKI user)

Additional client certificate check– the client certificatemust be signed by a CA that FortiGate trusts

FortiOS documentation for “SSL VPN with certificate authentication” states:

“The client certificate only needs to be signed by a known CA in order to pass authentication.”

“The CA certificate is the certificate that signed both the server certificate and the user certificate… The CA certificate is available to be imported on the FortiGate.”

The debug output shows key lines:

__quick_check_peer-CA does not match.

Issuer of cert depth 0 is not detected in CMDB.

This tells us:

FortiGatedoes see the user’s certificate,

Butcannot find the issuing CAin its local CA certificate store (“CMDB” = configuration database).

This means theCA that signed the user certificate has not been importedinto FortiGate.

Now evaluate the options:

A. Enable Redirect HTTP to SSL-VPN– affects only redirection from HTTP to HTTPS; it has nothing to do with certificate validation.

B. Import the CA that signed the SSL VPN Server Certificate– the server certificate is already working (the portal comes up) and its CA is not what the debug complains about; the error is about thepeer (user) certificate. Often the same CA signs both, but the failing check specifically says the issuer of the client cert is not in CMDB.

C. Set the user certificate as the Server Certificate– incorrect; server and client certificates serve different roles.

D. Import the CA that signed the user certificate to FortiGate– this directly addresses the debug error and aligns with the documented requirement that the CA which issued the user certificate must be known to FortiGate.

In FortiLink NAC for LAN Edge:

When a device first connects, it is placed into theonboarding VLAN.

NAC policies then classify the device (by MAC, OS, user, EMS tag, etc.).

If a NAC policy matches, the device may be moved to anaccess VLANorquarantine VLAN.

Ifno NAC policy matches, the device simplystays in the onboarding VLAN.

FortiOS / LAN Edge documentation describes the onboarding VLAN as thedefault VLAN for unknown or unclassified devices, until NAC policy evaluation moves them elsewhere.

Observed behavior:

Devices in the VLANcan ping FortiGate→ gateway reachability OK.

FortiGatecan ping devicesin that VLAN → return path OK.

Inter-VLAN routingworks → FortiGate’s L3 and policies are fine.

Devices in the same VLAN cannot ping each other→ problem is on theL2 switching plane, not L3.

On FortiSwitch (managed by FortiGate), there is a feature calledAccess VLAN(sometimes described in NAC/dynamic segmentation context):

WhenAccess VLANis enabled on a VLAN, the switchdoes not perform normal L2 forwardingbetween hosts in that VLAN.

Instead, all traffic from endpoints in that VLAN isforced upstream to FortiGate, as if every frame were destined for the gateway.

This is used for designs where you wantall intra-VLAN traffic inspected by the firewall, implementing micro-segmentation.

Resulting behavior:

Host → FortiGate: works (frames are forwarded to FortiGate).

FortiGate → Host: works (routed back).

Host A → Host B (same VLAN):

Frame from A goes to FortiGate.

FortiGate seessource and destination in same subnet; depending on policy, it may drop or not have a policy allowing that traffic.

Even if allowed, certain designs still break pure L2 expectations.

In the exam scenario, the key point is:

IfAccess VLAN is enabled,local L2 communication within that VLAN is disabled, so hosts in the same VLAN cannot communicate directly.

That perfectly explains:

Same VLAN hosts can’t ping each other

But they can both reach FortiGate and beyond

Why the other options are less likely / incorrect

B. FortiSwitch MAC address table is missing entries

If MAC table were empty/bad,nothingin that VLAN would work properly, including pinging FortiGate.

C. FortiGate ARP table is missing entries

Then FortiGate couldn’t ping the devices either; but it can.

D. Native VLAN misconfigured on ports

That would affect connectivity to FortiGate too, not only host-to-host.