FCSS_LED_AR-7.6 Online Practice Questions

Latest FCSS_LED_AR-7.6 Exam Practice Questions

The practice questions for the FCSS_LED_AR-7.6 exam were last updated on 2025-12-21.

Question#1

Refer to the exhibit.









Review the exhibits to analyze the network topology, SSID settings, and firewall policies.
FortiGate is configured to use an external captive portal for authentication to grant access to a wireless network. During testing, it was found that users attempting to connect to the SSID cannot access the captive portal login page.
What configuration change should be made to resolve this issue to allow users to access the captive portal?

A. Change the SSID security mode to WPA2-Enterprise for authentication.
B. Disable HTTPS redirection for the captive portal authentication page.
C. Exclude FortiAuthenticator and Windows AD address objects from filtering.
D. A firewall policy allowing Guest SSID traffic to reach FortiAuthenticator and Windows A

Explanation:
From the exhibits:
- SSID “Guest”
  - Security mode: Open
  - Captive Portal: Enabled, portal type Authentication → External
  - External portal URL: https://fac.trainingad.training.lab/guest (FortiAuthenticator)
  - Exempt destinations/services: FortiAuthenticator and WindowsAD
- Firewall policy
  - From the Guest interface/zone to port1 (Internet)
  - Source user group: guest.portal (authenticated users)

The flow for an external captive portal is:
1. Client associates to the open Guest SSID.
2. Client makes an HTTP(S) request.
3. FortiGate intercepts and redirects the client to the external portal.
4. Client must be able to reach FortiAuthenticator’s IP (and AD if the portal needs it) before authentication.

In this setup:
- The exempt destination setting tells the captive portal logic not to require authentication for traffic going to FortiAuthenticator and WindowsAD.
- However, there still must be a firewall policy that allows traffic from the Guest SSID subnet to those exempt destinations.

The existing firewall policy uses the guest.portal user group as a source condition, which only matches after successful portal authentication. Before login, the client has no user identity, so:
- Traffic from the unauthenticated Guest client → FortiAuthenticator is not matched by that policy.
- It hits the implicit deny, so the browser never reaches the login page.

To fix this, the administrator must:
- Create or modify a firewall policy that allows traffic from the Guest SSID subnet/interface to FortiAuthenticator and WindowsAD without requiring user authentication.

That is exactly what option D describes.

Why the others are wrong:
- A. Change SSID security mode to WPA2-Enterprise: External captive portals are normally used with open SSIDs; WPA2-Enterprise uses 802.1X, not captive portal.
- B. Disable HTTPS redirection: Redirection is required so users are sent to the portal; disabling it doesn’t solve reachability.
- C. Exclude FortiAuthenticator and Windows AD from filtering: They’re already listed as exempt destinations in the SSID configuration; the missing piece is the firewall policy, not the exemption.

Question#2

APs have been manually configured to connect to FortiGate over an IPsec network, and FortiGate successfully detects and authorizes them. However, the APs remain unmanaged because FortiGate is unable to establish a CAPWAP tunnel with them.
What configuration change can resolve this issue and enable FortiGate to establish the CAPWAP tunnel over the IPsec connection?

A. Configure a static route on FortiGate to reach the APs over the IPsec tunnel.
B. Assign a custom AP profile for the remote APs with the set mpls-connection option enabled.
C. Decrease the CAPWAP tunnel MTU size for APs to prevent fragmentation.
D. Upgrade the FortiAP firmware image to ensure compatibility with the FortiOS version.

Explanation:
When FortiAPs connect to FortiGate over IPsec tunnels, this is treated similarly to WAN/MPLS deployments.
In these scenarios, FortiGate must know that CAPWAP must traverse a non-L2 transport.

FortiAP profiles include:
    set mpls-connection enable

This setting is required so that:
- FortiGate can encapsulate CAPWAP inside the transport tunnel
- Remote FortiAPs can establish CAPWAP even when behind routed/IPsec networks

Without this option, the FortiGate detects the AP but cannot bring CAPWAP UP, leaving the AP in “discovered/unauthorized” or “offline” state.

Why others are wrong:
- A. Static route → Discovery already succeeds, so routing is not the issue.
- C. Reduce MTU → Sometimes useful for IPsec, but not required for CAPWAP establishment.
- D. Firmware upgrade → Firmware mismatch would show “Managed (upgrade required),” not CAPWAP tunnel failure.

Therefore, set mpls-connection enable is the required fix.

Question#3

Refer to the exhibits.






Examine the FortiGate configuration, FortiAnalyzer logs, and FortiGate widget shown in the exhibits.
Security Fabric quarantine automation has been configured to isolate compromised devices automatically. FortiAnalyzer has been added to the Security Fabric, and an automation stitch has been configured to quarantine compromised devices.
To test the setup, a device with the IP address 10.0.2.1 that is connected through a managed FortiSwitch attempts to access a malicious website. The logs on FortiAnalyzer confirm that the event was recorded, but the device does not appear in the FortiGate quarantine widget.
Which two reasons could explain why FortiGate is not quarantining the device? (Choose two.)

A. The IOC action should include only the FortiSwitch in the quarantine.
B. The SSL inspection should be set to deep-inspection.
C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.
D. The threat detection services license is missing or invalid under FortiAnalyzer.

Explanation:
In this scenario:
- FortiGate + FortiAnalyzer are part of the Security Fabric
- An Automation Stitch is configured:
  - Trigger: Compromised Host - High (IOC from FortiAnalyzer)
  - Action: Quarantine on FortiSwitch + FortiAP
- A test device 10.0.2.1 visits a malicious website.
- FortiAnalyzer logs show the event, but FortiGate does NOT quarantine the device.

This means the automation did not receive an IOC trigger, OR the Fabric did not classify it as a compromise.
Let's evaluate each answer option.

✅ C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.
✔ Correct.
For FortiGate to quarantine a device:
- FortiAnalyzer must classify the event as a Compromised Host → High / Medium / Critical
- FortiAnalyzer must generate an IOC event
- FortiGate must receive that IOC through the Fabric

Even though the FAZ log shows:
- Action = blocked
- Category = Malicious Websites

→ That does NOT automatically mean an IOC was generated. A blocked website event is not always an IOC unless:
- It is included in the IOC database
- FAZ’s Analytics / UTM / IOC engine marks it as a compromise

Thus, if FAZ only logs a “Malicious Website” event but does not classify it as an IOC,

Question#4

Refer to the exhibit.



On FortiGate, a RADIUS server is configured to forward authentication requests to FortiAuthenticator, which acts as a RADIUS proxy. FortiAuthenticator then relays these authentication requests to a remote Windows AD server using LDAP.
While testing authentication using the CLI command diagnose test authserver, the administrator observed that authentication succeeded with PAP but failed when using MS-CHAPv2.
Which two solutions can the administrator implement to enable MS-CHAPv2 authentication? (Choose two.)

A. Change the FortiGate authentication method to CHAP instead of MS-CHAPv2.
B. Enable Windows Active Directory domain authentication on FortiAuthenticator.
C. Enable RADIUS attribute filtering on FortiAuthenticator.
D. Configure FortiAuthenticator to use RADIUS instead of LDAP as the back-end authentication server.

Question#5

How can FortiAIOps help optimize network performance in an SD-Branch deployment with FortiGate, FortiSwitch, and FortiAP?

A. It disables low-performing APs and switches automatically.
B. It uses AI-driven analytics to identify network issues and provide optimization recommendations.
C. It removes the need for SD-WAN configuration by automating all routing decisions.
D. It predicts and resolves all network issues without any human intervention.

Explanation:
In an SD-Branch deployment (FortiGate + FortiSwitch + FortiAP), FortiAIOps:
- Collects telemetry and logs from Fabric devices
- Uses machine-learning / AI analytics to:
  - Spot anomalies (latency, packet loss, RF issues, misconfigurations)
  - Highlight root causes
  - Propose optimization recommendations (e.g., channel changes, power tuning, config fixes)

It does not:
- Automatically disable devices (A false)
- Replace SD-WAN config or all routing (C false)
- Fix all issues with zero human input (D is marketing fantasy, not reality)

Exam Code: FCSS_LED_AR-7.6 | Q & A: 40 Q&As | Updated: 2025-12-21
