FCSS_LED_AR-7.6 Exam Dumps - Fortinet NSE 6 - LAN Edge 7.6 Architect

The DHCP configuration shows:

set vci-match enable

set vci-string " FortiSwitch " " FortiExtender "

What this means

VCI = Vendor Class Identifier (DHCP option 60)

When vci-match is enabled, the DHCP server will only respond to DHCP requests from clients whose VCI string matches the configured vendor identifiers.

FortiSwitch and FortiExtender both send DHCP option 60 with:

" FortiSwitch "

" FortiExtender "

This is used in FortiLink deployments so only these devices receive IP addresses on the FortiLink network.

Therefore:

C. To connect, devices must match the VCI string; otherwise, they will not receive an IP address.

✔Correct.

This perfectly matches FortiGate FortiLink DHCP behavior.

Summary of incorrect options

A — Ignore FortiSwitch/FortiExtender

❌Opposite behavior.

B — Restrict based on hostname

❌VCI does NOT check hostname.

D — Reserve IPs

❌No reservation occurs; it ' s filtering, not reserving.

In user certificates used with FortiGate / FortiAuthenticator / SSL-VPN / 802.1X, the following attributes are important:

Subject field & UPN

Provide a unique identity for the user (CN and/or UPN).

FortiGate can use theSAN/UPNfield for LDAP-integrated certificate authentication.

Expiration date

Limits how long the certificate is valid, enforcing lifecycle and rotation.

CRL URL & OCSP URL

Tell FortiGate (or any relying party)where to check if the certificate has been revoked.

Enablesnear real-time revocationusing OCSP or periodic CRL downloads instead of relying only on expiration.

By carefully configuring these fields:

The certificate uniquely and correctly identifies the user.

Relying systems can performaccurate and timely revocation checks, improving security.

Why other options are wrong:

A: It does the opposite—CRL/OCSP increase automation, not manual revocation.

B: These attributes do not inherently limit a cert to specific devices; that’s done via key usage, EKU, or device certs.

D: They don’t “ensure universal validity”; they make the certprecisely boundto one identity with enforceable lifetime and revocation.

The SSL-VPN configuration hasRequire Client Certificateenabled. When this is enabled, FortiOS performs two checks:

Normal user authentication(username/password or PKI user)

Additional client certificate check– the client certificatemust be signed by a CA that FortiGate trusts

FortiOS documentation for “SSL VPN with certificate authentication” states:

“The client certificate only needs to be signed by a known CA in order to pass authentication.”

“The CA certificate is the certificate that signed both the server certificate and the user certificate… The CA certificate is available to be imported on the FortiGate.”

The debug output shows key lines:

__quick_check_peer-CA does not match.

Issuer of cert depth 0 is not detected in CMDB.

This tells us:

FortiGatedoes see the user’s certificate,

Butcannot find the issuing CAin its local CA certificate store (“CMDB” = configuration database).

This means theCA that signed the user certificate has not been importedinto FortiGate.

Now evaluate the options:

A. Enable Redirect HTTP to SSL-VPN– affects only redirection from HTTP to HTTPS; it has nothing to do with certificate validation.

B. Import the CA that signed the SSL VPN Server Certificate– the server certificate is already working (the portal comes up) and its CA is not what the debug complains about; the error is about thepeer (user) certificate. Often the same CA signs both, but the failing check specifically says the issuer of the client cert is not in CMDB.

C. Set the user certificate as the Server Certificate– incorrect; server and client certificates serve different roles.

D. Import the CA that signed the user certificate to FortiGate– this directly addresses the debug error and aligns with the documented requirement that the CA which issued the user certificate must be known to FortiGate.

From the exhibits:

FortiSwitch Ports viewshows:

port2

Mode: Static

Native VLAN: Students

Allowed VLANs: quarantine.fortilink (quarantine)

NAC policy “Training”:

Switch FortiLink: fortilink

Category:Device

Matching criteria:

MAC Address: 70:88:6b:8c:4b:0e (enabled)

Operating System:Linux(enabled)

Switch Controller Action:

Assign VLAN = Students

Bounce Port = enabled

Design intent:

Device with that MAC + OS Linux, when plugged intoport2, should be dynamically moved to VLANStudentsby the NAC policy.

Why it doesn’t work now

On FortiLink NAC,dynamic NAC decisions only apply on ports whose “Access Mode” is set to NAC:

NAC mode = FortiGate controls theonboarding VLAN, evaluates NAC policies, and then dynamically reassigns the switch port VLAN (access, quarantine, etc.).

Static mode(what we see on port2) means the port just uses its configurednative/allowed VLANs, andno NAC classificationhappens.

Right now:

port2 is astatic access portwith Native VLAN = Students.

The NAC policy exists, butFortiSwitch is not in NAC enforcement mode on that port, so the policy is never evaluated for traffic on port2.

Therefore, themissing configurationis:

Setport2toNAC mode(sometimes called “Access mode: NAC” or “NAC LAN edge port”).

Once port2 is changed to NAC mode:

Device initially lands in the onboarding/quarantine VLAN.

FortiGate collects device info (MAC, OS, etc.).

NAC policy “Training” matches MAC + Linux.

Switch controller actionAssign VLAN = Studentsis applied.

Port is bounced (if configured), bringing the device back up in VLAN Students.

Why the other options are wrong

B. MAC or OS misconfigured

Possible in general, but the question asks forwhich configuration is missing, and the exhibits clearly focus on port mode. Also, even with wrong MAC/OS, the port would still be in NAC mode; here NAC isn’t even active.

C. Port Policy mode

Port policy (edge/trunk) is separate from NAC; NAC requires the specificNAC access mode.

D. Students VLAN should be Allowed VLANs instead of Native VLAN

For an access port, having Students as thenative VLANis correct. NAC policy’s Assign VLAN will set that as access VLAN; no need to make it an allowed trunk VLAN.

The correct answer is C.

The LAN Edge 7.6 Architect study guide states: “If you are using an external captive portal server, you must configure a firewall policy and exempt web traffic to the external captive portal IP address.”

It also states: “Just selecting and applying the address object and selecting the services is not enough to allow the traffic to pass through FortiGate. You must also have a corresponding firewall policy in place that allows the pinhole traffic to pass through FortiGate.”

The guide further explains: “An alternative method to exempt captive portal traffic is to create a firewall policy and enable the Exempt from Captive Portal option.”

In this case, the external captive portal URL is correct, but users still cannot reach the login page. That means the traffic needed to reach the external captive portal is not being exempted properly through the firewall policy. Therefore, the missing correction is to use the firewall policy with the captive-portal-exempt option.

Why the other options are incorrect:

A. Incorrect. The study guide refers to exempting traffic to the external captive portal destination, not adding FortiAuthenticator and WindowsAD as exempt sources

B. Incorrect. External captive portal authentication does not require WPA2 Enterprise. The SSID can remain open and use captive portal authentication instead

D. Incorrect. The guest user group is used on the policy that allows authenticated users onward access after login, not on the exempt policy that lets unauthenticated users reach the portal first

The correct answer is A.

The LAN Edge 7.6 Architect study guide explicitly explains the difference between the two quarantine actions:

“IP ban: Traffic from the compromised device IP address is blocked on FortiGate, but intra-VLAN traffic is still allowed.”

It also states:

“Access-layer quarantine: Inter-VLAN and intra-VLAN traffic from the compromised device MAC address is blocked using FortiGate and FortiSwitch.”

That exactly matches the symptom in the question. The device has lost internet and inter-VLAN access, but it can still communicate with devices in the same VLAN. That behavior is the expected result of an IP Ban action, not full access-layer quarantine.

The study guide further explains MAC-based quarantine behavior:

“Isolation means that a quarantined device can communicate only with FortiGate. If the device tries to communicate with any other host on the network, the communication is blocked.”

And it adds:

“In both modes: Intra-VLAN traffic is blocked automatically by FortiGate.”

So to block same-VLAN communication as well, the automation action must use Access Layer Quarantine instead of IP Ban.

Why the other options are incorrect:

B. Incorrect. There is no separate “IP Ban settings to the Quarantine action” correction described in the study guide. The fix is to use the correct automation action type, which is Access Layer Quarantine

C. Incorrect. The IOC has already worked well enough to trigger the stitch. The issue is not IOC detection, but the wrong quarantine action being used, as shown by the behavior and the log/widget evidence.

D. Incorrect. The study guide does not describe a separate setting to “enable intra-VLAN traffic blocking” for Security Fabric quarantine. Instead, intra-VLAN blocking is achieved by using Access Layer Quarantine, not IP Ban

Final verified conclusion:

Because the current behavior matches IP Ban, and same-VLAN traffic is still allowed, the required fix is to replace the IP Ban action with Access Layer Quarantine.

So the correct answer is A.