FCSS_NST_SE-7.6 Exam Dumps - Fortinet NSE 6 - Network Security 7.6 Support Engineer

The correct answer is D. Assertion dump .

The study guide states that: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

It also shows the real-time SAML debug output under “ ** Assertion Dump ****”**, where the SAML attributes appear inside the assertion, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

The same study-guide page explicitly labels this area as “Attributes sent by IdP”

So, although the IdP sends an authentication response overall, the actual section that contains the SAML attributes is the Assertion dump

The correct answers are B and D .

The study guide explains that in the SP Login Dump section, FortiGate is acting as the service provider (SP) , and that you should read these fields:

“The IdP SSO URL, from the setting idp-single-sign-on-url in the FortiGate configuration”

“The SP SSO URL, from the setting single-sign-on-url in the FortiGate configuration”

“The IdP Entity ID, from the setting id-entity-id in the FortiGate configuration”

“The SP Entity ID, from the setting entity-id setting in the FortiGate configuration”

In the exhibit:

Destination= " https://10.1.10.2/saml-idp/nst/login/ " → this is the IdP SSO URL

< lasso:RemoteProviderID > http://10.1.10.2/samlidp/nst/metadata/ < /lasso:RemoteProviderID > → this is the IdP Entity ID

AssertionConsumerServiceURL= " https://10.1.10.254:1003/remote/saml/login/ " → this is the SP SSO URL

< saml:Issuer > https://10.1.10.254:1003/remote/saml/metadata/ < /saml:Issuer > → this is the SP Entity ID

The same study-guide example shows this exact mapping pattern, where:

Destination points to the IdP

AssertionConsumerServiceURL and Issuer point to the SP

Therefore:

10.1.10.2 is the IdP → D

10.1.10.254 is the SP → B

So the verified answers are: B, D .

Parallel Path Processing (PPP) in FortiOS refers to the system’s ability to evaluate and select among multiple processing paths—often involving dedicated network processors, content processors, or CPU-based workflows—to optimally process packets. The official documentation highlights that the PPP engine dynamically selects which hardware or software path to use for each session based on session characteristics, policy configuration, and traffic type. This dynamic selection results in optimal throughput and resource utilization.

The document specifies that PPP assesses several processing paths in parallel, using decision logic to determine whether a session should be offloaded to specialist hardware (like NP6, CP9, etc.) or stay in the CPU path, ensuring that each packet is handled by the most efficient available method under current load and policy. Hardware and software configurations both influence this outcome, but it is the PPP engine ' s decision-making that defines the optimal path per session.

The correct answers are A and B .

The study guide says:

“If NAT-T is enabled, and there is a FortiGate located in the middle that is running NAT, the sniffer command must use a different filter. In this case, IKE traffic uses UDP port 500, but switches to UDP port 4500 during the tunnel negotiation. Additionally, ESP traffic is encapsulated inside the UDP 4500 channel.”

It also says:

“In some networks, UDP is blocked by firewalls or ISPs. In those cases, you can configure your VPN tunnel to use IKE over TCP in the phase 1 configuration. The default IKE TCP port is 443…”

And the study guide gives the correct capture examples:

No NAT: host < remote-gw > and udp port 500

With NAT and NAT-T: host < remote-gw > and (udp port 500 or udp port 4500)

So:

B is correct because with NAT Traversal enabled , the tunnel may no longer be using only UDP 500 . It can move to UDP 4500 , so the current filter may miss the traffic.

A is correct because the filter may need to be expanded to include UDP 4500 for NAT-T, or TCP 443 when IKE over TCP is used.

Why the other options are wrong:

C is wrong because restricting the filter to the remote peer IP can make the capture more precise, but it is not required for the sniffer to display output. The problem here is the port/protocol choice , not the lack of a host filter. The study guide examples use host filtering as an aid, not as a requirement.

D is wrong because diagnose debug enable is used to enable real-time debug output for applications, but it does not suppress or invalidate sniffer output . Sniffer capture is a separate command path. Fortinet documentation separately documents diagnose sniffer packet ... for packet capture and diagnose debug enable for debug features.

So the verified answers are: A, B .

To display debug output on FortiGate devices, you must always run both the application-specific debug command and the global debug enable command. The command diagnose debug application ike -1 sets up the detail level for the IKE daemon debug, but it does not display any debug output on its own. As described in the FortiOS CLI debugging manuals, the command diagnose debug enable activates debug output on the console, making all previously set debugs visible. This is especially important for VPN troubleshooting—without the enable command, no output appears even if there is VPN traffic.

The correct diagnostic sequence is:

diagnose debug application ike -1

diagnose debug enable

This procedure is found in every FortiOS CLI debug tutorial and troubleshooting workflow.

The 8.8.8.8/32 route is visible in the OSPF database on FGT-B but not installed into the routing table—the most likely explanation is that FGT-B is filtering it from being installed.

The diagnose debug authd fsso server command is the primary tool for troubleshooting communication between the FortiGate and the FSSO Collector Agent. This debug output reveals the status of the connection and the reasons for failure. The three most common connectivity issues identified by this debug are:

FortiGate cannot reach the IP address of the collector agent (Option C): The debug will show connection timeouts or " host unreachable " errors if the Layer 3 connectivity is missing.

The connection was refused / Port mismatch (Option B): If the FortiGate can reach the IP but the Collector Agent is not listening on the specified port (default 8000), the debug will display " Connection refused. " This often happens if the port configured on the FortiGate does not match the listening port on the agent.

The pre-shared key does not match (Option D): If the IP and Port are correct, the next step is authentication. If the password configured on the FortiGate does not match the one on the Collector Agent, the debug will explicitly show an " Authentication failed " or " password mismatch " error during the handshake.

Note on other options: Option A (SSL) is less common than basic connectivity/auth mismatches. Option E (Group filters) relates to user processing logic, which occurs after connectivity is established.