Fortinet FCSS_LED_AR-7.6 Exam With Confidence Using Practice Dumps

The correct answer is D.

The LAN Edge 7.6 Architect study guide states: “Note that suppression of rogue APs is becoming increasingly more difficult, because new wireless security standards are beginning to mandate management frame protection (802.11w). This requires that clients authenticate management frames as being legitimate, preventing spoofing attacks. Because rogue suppression is a form of spoofing attack, an AP that the client is not connected to is trying to send deauthentication frames and, as a result, 802.11w prevents the client from taking notice of the dedicated monitoring AP.”

This exactly matches option D. Rogue AP suppression relies on spoofed deauthentication behavior, and 802.11w protects management frames, making that suppression method less effective.

Why the other options are incorrect:

A. Incorrect. The study guide does not say 802.11w makes suppression harder because of processing overhead. It specifically points to management frame protection and spoofing prevention

B. Incorrect. The study guide does not mention reduced wireless range as the reason.

C. Incorrect. The issue is not data traffic encryption. The study guide specifically refers to authentication of management frames, not general traffic encryption

From the exhibits:

SSID “Guest”

Security mode:Open

Captive Portal: Enabled, portal typeAuthentication → External

External portal URL: (FortiAuthenticator)

Exempt destinations/services:FortiAuthenticator and WindowsAD

Firewall policy

From theGuest interface/zonetoport1 (Internet)

Source user group:guest.portal(authenticated users)

The flow for anexternal captive portalis:

Client associates to theopen Guest SSID.

Client makes an HTTP(S) request.

FortiGate intercepts and redirects the client to theexternal portal.

Client must be able toreach FortiAuthenticator’s IP(and AD if the portal needs it)before authentication.

In this setup:

Theexempt destinationsetting tells the captive portal logicnot to require authenticationfor traffic going to FortiAuthenticator and WindowsAD.

However, there still must be a firewall policy that allows traffic from the Guest SSID subnet to those exempt destinations.

The existing firewall policy uses theguest.portal user groupas a source condition, which only matchesaftersuccessful portal authentication. Before login, the client has no user identity, so:

Traffic from the unauthenticated Guest client → FortiAuthenticator isnot matchedby that policy.

It hits theimplicit deny, so the browser never reaches the login page.

To fix this, the administrator must:

Create or modify a firewall policy thatallows traffic from the Guest SSID subnet/interface to FortiAuthenticator and WindowsAD without requiring user authentication.

That is exactly what optionDdescribes.

Why the others are wrong:

A. Change SSID security mode to WPA2-Enterprise– External captive portals are normally used withopenSSIDs; WPA2-Enterprise uses 802.1X, not captive portal.

B. Disable HTTPS redirection– Redirection is required so users are sent to the portal; disabling it doesn’t solve reachability.

C. Exclude FortiAuthenticator and Windows AD from filtering– They’re already listed asexempt destinationsin the SSID configuration; the missing piece is thefirewall policy, not the exemption.

Goal: enforce captive portal authentication overHTTPSfor guests.

On FortiGate/FortiAuthenticator captive portal setups:

HTTP redirectis used so that when a guest browses to any HTTP site, their request is redirected to theportal URL.

Theportal URLitself must beHTTPSif you want a secure login page.

FortiOS captive portal and firewall authentication guidelines recommend:

EnablingHTTP redirectso unauthenticated HTTP traffic is transparently sent to the portal.

Configuring theportal URL with HTTPS, often referencing a certificate on FortiGate or FortiAuthenticator.

Therefore:

A. Enable HTTP redirect in the user authentication settings.✔This ensures unauthenticated HTTP requests are redirected to the (now HTTPS) portal.

D. Update the captive portal URL to use HTTPS on FortiGate and FortiAuthenticator.✔This makes the login itself secure (TLS-protected).

Incorrect:

B– You don’t need a new SSID; the same SSID can use HTTPS portal.

C– Disabling HTTP admin access on the SSID doesn’t control the captive portal scheme; HTTPS enforcement is done by the portal configuration and redirect, not by admin-access flags.