FCSS_NST_SE-7.6 Exam Questions 2026 – Real Practice Test with Verified Answers


Latest FCSS_NST_SE-7.6 Exam Practice Questions

The practice questions for the FCSS_NST_SE-7.6 exam were last updated on 2026-05-25.

Question#1

Refer to the exhibit.



Which two observations can you make about the web filter traffic captured using the flow tool? (Choose two.)

A. The session is offloaded to the NP.
B. The firewall policy is configured with proxy-based inspection mode.
C. The web filter profile is configured with proxy-based inspection mode.
D. The HTTPS port is mapped to 443 in the SSL/SSH Inspection Profile.

Explanation:
Analyze the "Send to Application Layer" Message:
The most critical line in the debug output is: id=65308 ... func=av_receive ... msg="send to application layer"
Meaning: This message indicates that the FortiGate kernel is handing the packet over to a user-space daemon (specifically the WAD/Proxy process, indicated by av_receive handlers) for deep inspection.
Implication: This behavior is the hallmark of Proxy-based inspection. In Flow-based inspection, the traffic is handled by the IPS engine (often within the kernel or via specific IPS handlers like ips_measure), and you would not typically see a "send to application layer" message for standard web filtering.
Evaluate Option B (Firewall Policy Mode):
Since the traffic is being sent to the application layer proxy, the Firewall Policy controlling this traffic (Policy ID 1, as seen in Allowed by Policy-1) must be configured with Inspection Mode = Proxy. If it were Flow-based, the traffic would stay in the flow path.
Thus, Option B is correct.
Evaluate Option C (Web Filter Profile Mode):
In FortiOS, when a firewall policy is set to Proxy-based inspection, the security profiles (like Web Filter) applied to that policy also operate in Proxy-based inspection mode. The presence of the av_receive function confirms that the content inspection (Web Filter/AV) is being performed by the proxy engine. Thus, Option C is correct.
Why Option A is Incorrect (NPU Offload):
The output shows npu_state=0x100. In the context of a flow trace where traffic is being "sent to application layer," this confirms the session is not fully offloaded to the NPU (Network Processor). Offloaded traffic (Fast Path) is handled by the hardware and would not generate these specific CPU-level debug logs for the payload inspection phase. The proxying process requires CPU intervention.
Why Option D is Incorrect (Port Mapping):
While valid protocol mapping is necessary for inspection, the specific debug output shown is a direct result of the Inspection Mode (Proxy vs. Flow). The observation of the traffic moving to the application layer is primarily caused by the policy and profile mode settings, making B and C the direct "observations" derived from the log data.
Reference: FortiGate Troubleshooting (Debug Flow): "If the debug flow shows msg='send to application layer', it confirms the traffic is being handled by the proxy (WAD) for Proxy-based inspection."

Question#2

The output of a policy route table entry is shown.



Which type of policy route does the output show?

A. A regular policy route, which is not associated with an active static route in the FIB
B. An ISDB route
C. An SD-WAN rule
D. A regular policy route, which is associated with an active static route in the FIB

Explanation:
To determine the type of policy route, we must interpret the specific flags and fields visible in the diagnose firewall proute list (or similar kernel table) output provided in the exhibit.
Identify Key Indicators:
The most critical field in the output is vwl_service=1(test123).
It also lists vwl_mbr_seq=1 5.
Decode the Terminology:
vwl: This stands for Virtual WAN Link. In FortiOS, "Virtual WAN Link" is the legacy internal name for the SD-WAN feature. Even in newer firmware versions (7.x), the kernel and CLI debugs often still refer to SD-WAN objects as vwl.
vwl_service: This specifically refers to an SD-WAN Rule (also known as an SD-WAN Service). The name (test123) is the name given to that specific SD-WAN rule by the administrator.
Evaluate the Options:
A & D (Regular Policy Route): Standard policy routes (configured under config router policy) do not carry the vwl_service tag. They are typically identified by simple gateway or interface instructions without the SD-WAN service abstraction.
B (ISDB Route): While SD-WAN rules can use the Internet Service Database (ISDB) as a destination, the structure of the route entry shown here, specifically defined by a vwl_service ID, classifies it fundamentally as an SD-WAN rule, regardless of the destination object.
C (An SD-WAN rule): The presence of vwl_service and vwl_mbr_seq (SD-WAN member sequence) definitively identifies this entry as a rule generated by the SD-WAN subsystem.
Conclusion: The output shows a route controlled by the SD-WAN engine (vwl), confirming it is an SD-WAN rule.
Reference: FortiGate Security 7.6 Study Guide (SD-WAN): "In the kernel routing table and debugs, SD-WAN rules are often referenced as vwl (Virtual WAN Link) services. The vwl_service field indicates the specific SD-WAN rule ID and name."

Question#3

Refer to the exhibit.



Which two statements about FortiGate behavior relating to this session are correct? (Choose two.)

A. FortiGate is performing a security profile inspection using the CP.
B. FortiGate redirected the client to the captive portal to authenticate so that a correct policy match could be made.
C. FortiGate either initiated the session or the session terminates at FortiGate.
D. FortiGate forwarded this session without any inspection.

Explanation:
The session output includes the flags:
state=redir local may_dirty ...
npu_state=00000000
offload=0/0
The 7.6 study guide explains these flags directly:
local = “Session is to/from local stack”
redir = “Session is being processed by an application layer proxy”
may_dirty = “Session is allowed by a firewall policy”
This makes C correct, because the local flag means the session either originates from FortiGate or terminates on FortiGate. The FortiOS administration guide states the same meaning: “Session is originated from or destined for local stack.”
This also makes A correct. The redir flag means the session is handled by an application-layer proxy. FortiOS documents explain that proxy-based inspection buffers traffic on the FortiGate and inspects it there, and that proxy-based processing is CPU and memory-intensive.
Since the session also shows no NPU offload (npu_state=00000000, offload=0/0), this traffic is being handled in software/CPU, not by the NPU.
Why the other options are wrong:
D is wrong because the redir flag proves the session is not passing without inspection; it is being processed by an application-layer proxy.
B is wrong because there is no authentication flag in this session. In Fortinet examples of captive portal/authentication-related sessions, the session state includes auth or authed flags. The study guide shows: “Any session for traffic coming from an authenticated user contains the authed flag.” This exhibit does not show auth or authed, so there is no basis to conclude the client was redirected to a captive portal for authentication.

Question#4

Refer to the exhibit, which shows the partial output of a real-time OSPF debug.



Why are the two FortiGate devices unable to form an adjacency?

A. The Hello packet is being sent from an OSPF router with ID 0.0.0.112.
B. The two FortiGate devices attempting adjacency are in area 0.0.0.0.
C. One FortiGate device is configured to require authentication, while the other is not.
D. The passwords on the FortiGate devices do not match.

Question#5

Refer to the exhibit, which shows a session entry.



Which statement about this session is true?

A. Return traffic to the initiator is sent to 10.1.0.1.
B. Return traffic to the initiator is sent to 10.200.1.254.
C. It is an ICMP session from 10.1.10.10 to 10.200.1.1.
D. It is an ICMP session from 10.1.10.1 to 10.200.5.1.

Explanation:
The session output reveals a session with proto=1 (ICMP) and the origin and reply directions show address and NAT translations. Specifically, the hook=post dir=org act=snat shows that source NAT is performed for outgoing packets, where the source 10.1.10.10:40602 is translated to 10.200.5.1:8 (likely ICMP id 8, not a TCP/UDP port). The reply direction, hook=pre dir=reply act=dnat, indicates destination NAT for incoming packets: packets incoming for 10.200.5.1:60430 are destination-NATed to 10.1.10.10:40602. The gateway (gwy) is listed as 10.200.1.254/10.1.0.1, which for outgoing traffic means that return traffic is directed to the gateway (10.200.1.254), per the NAT policy. This is confirmed by the FortiOS Session Table Guide, which explains that the returned ICMP reply will be routed out to this NAT gateway. The session statistics and logical flow (SNAT out, matching DNAT in) reinforce that reply traffic to the initiator traverses via 10.200.1.254.
References: FortiOS Administration Guide: Session Table, NAT, and Route Interaction
Fortinet Technical Note: Diagnose sys session list, Direction and NAT Analysis

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Fortinet, FCSS in Secure Networking, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: FCSS_NST_SE-7.6 | Q&A: 131 Q&As | Updated: 2026-05-25
