Fortinet FCSS_NST_SE-7.6 Exam With Confidence Using Practice Dumps

The issue is caused by the strict matching logic of the configured Prefix List.

Current State: The rule is edit 1 with set prefix 172.16.0.0 255.255.0.0 and both ge (greater than or equal) and le (less than or equal) are unset.

Behavior: When ge and le are unset, FortiOS requires an exact match of the subnet mask. The current rule only matches the exact network 172.16.0.0/16. It denies 172.16.52.0/24 because the mask (/24) does not match the rule ' s mask (/16).

To fix this and inject 172.16.52.0/24, you must modify the list to match the /24 mask:

A. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network:

Creating a new rule (e.g., edit 2) with set prefix 172.16.52.0 255.255.255.0 will provide an exact match for the incoming route, allowing it to pass the distribute-list.

B. Change the ge value to 17:

By configuring set ge 17 on the existing rule (conceptually 172.16.0.0/16 ge 17), you change the logic from " exact match " to " range match " .

This configuration tells the router to match any prefix starting with 172.16.x.x that has a subnet mask length of 17 or greater.

Since the incoming route is a /24, and 24 is greater than 17, the route will match the prefix list and be accepted.

Why other options are incorrect:

C: The option text appears to read " Change the ... value to 16 " . If this refers to le 16, it would enforce the mask to be exactly /16 or less, which still excludes /24.

D: Changing the default behavior to implicit allow defeats the purpose of a filter (security control) and is not a standard configuration step for fixing a single missing route.

The correct answer is A . This behavior is dictated by the configuration command set snat-route-change enable shown in Exhibit 1 under config system global.

Routing Change: By changing the priority of route ID 2 from 10 to 0, it becomes lower than route ID 1 (priority 5). In FortiOS, a lower priority value indicates a more preferred route. Consequently, the active route for the destination changes from port1 to port2 .

SNAT Implication: The existing session (shown in Exhibit 2) is using Source NAT (SNAT) with the IP address associated with port1 (10.200.1.1). If the traffic were simply switched to port2 , the source IP would be incorrect for that interface and the return traffic would likely fail or be dropped.

snat-route-change enable: This specific setting instructs the FortiGate on how to handle established SNAT sessions when a routing change occurs that alters the preferred outgoing interface. When enabled, if a route change forces an SNAT session to a new interface, FortiGate flushes (deletes) the session from the session table. This is necessary because a live TCP session cannot survive a change in its source IP address. The client must initiate a new session, which will then be created using the new correct route (port2) and the corresponding new SNAT IP.

If this setting were disabled, the session would likely remain " sticky " to the original interface (port1) until it closed, provided the route still existed. However, the explicit configuration forces the deletion.

The correct answer is B. Assertion dump .

The study guide states: “SAML attributes are pieces of information about a user that are exchanged between IdPs and SPs during the SAML authentication process. These attributes are included in the SAML assertion, which is built by the IdP as part of the authentication process.”

The same study guide page for real-time SAML troubleshooting shows the section labeled **** Assertion Dump **** , and inside that assertion it displays the actual user attributes, such as:

< saml:Attribute Name= " username " >

< saml:Attribute Name= " groups " >

It also explicitly marks this part as “Attributes sent by IdP”

Why the other options are wrong:

A. Bindings HTTP post is incorrect because bindings define how SAML messages are transported , not the section that contains the attributes. The study guide says: “Bindings: Define how SAML protocol messages are transmitted over different communication channels.”

C. Authentication request is incorrect because that is built by the SP and sent toward the IdP, not where the IdP’s user attributes are shown. The study guide’s flow says the SP “Builds auth request” and the IdP later “Builds auth response.”

D. Authentication response is broader than the exact section being asked. The exact section in the study guide where the IdP-provided attributes are shown is the Assertion dump .

So the verified answer is: B .