FCSS_NST_SE-7.6 Questions Bank

The correct answers are A and B .

The Network Security Support Engineer 7.6 Study Guide states under OSPF Troubleshooting :

“Follow these steps to troubleshoot an OSPF problem between two peers:

Check that the local router can reach the remote peer. IP addresses must be in the same subnet and have the same subnet mask.

Ensure that IP protocol 89 is not blocked.

Hello and dead intervals must match.

The OSPF router ID for each peer must be unique. Duplicate router IDs are not allowed.

Do the MTUs match?

If authentication is enabled, the type and password must match on both sides.”**

The same page also summarizes the troubleshooting tips as:

“Do peers have an IP address within the same subnet?”

“Is IP protocol 89 blocked?”

This directly confirms:

A is correct

B is correct

Why the other options are wrong:

C is wrong because TCP port 179 is used by BGP , not OSPF. OSPF uses IP protocol 89 , as the study guide explicitly notes

D is wrong because the study guide’s OSPF adjacency troubleshooting checklist does not require an active static route to the peer. OSPF neighbors form adjacency on directly reachable networks, and the guide instead focuses on same subnet, protocol 89, intervals, router ID, MTU, and authentication matching

So the verified answers are: A, B .

The correct answer is A . This behavior is dictated by the configuration command set snat-route-change enable shown in Exhibit 1 under config system global.

Routing Change: By changing the priority of route ID 2 from 10 to 0, it becomes lower than route ID 1 (priority 5). In FortiOS, a lower priority value indicates a more preferred route. Consequently, the active route for the destination changes from port1 to port2 .

SNAT Implication: The existing session (shown in Exhibit 2) is using Source NAT (SNAT) with the IP address associated with port1 (10.200.1.1). If the traffic were simply switched to port2 , the source IP would be incorrect for that interface and the return traffic would likely fail or be dropped.

snat-route-change enable: This specific setting instructs the FortiGate on how to handle established SNAT sessions when a routing change occurs that alters the preferred outgoing interface. When enabled, if a route change forces an SNAT session to a new interface, FortiGate flushes (deletes) the session from the session table. This is necessary because a live TCP session cannot survive a change in its source IP address. The client must initiate a new session, which will then be created using the new correct route (port2) and the corresponding new SNAT IP.

If this setting were disabled, the session would likely remain " sticky " to the original interface (port1) until it closed, provided the route still existed. However, the explicit configuration forces the deletion.

The correct answer is D. IKE_AUTH .

The study guide explicitly states:

“IKE_Auth exchange:

• Performs the mutual authentication of two IKE endpoints.

• Configures settings like IP/mask, DNS, and so on.

• Sets up the piggyback of a child SA. Negotiates IP flow and security settings for the IPsec SA.”

It also says:

“By default, a piggyback child (IPsec) SA is negotiated along with the IKEv2 SA during IKE_AUTH. If additional IPsec SAs are needed … they are negotiated during subsequent CREATE_CHILD_SA exchanges.”

Why the other options are wrong:

A. IKE_SA_INIT is incorrect because this exchange negotiates the security settings to protect the IKE traffic, not the first CHILD_SA.

B. INFORMATIONAL is incorrect because it is used to convey control messages between IKE endpoints.

C. CREATE_CHILD_SA is incorrect for the first CHILD_SA, because it is used to create new additional child SAs or rekey existing ones after the initial exchange.

To capture encrypted IPsec phase 2 (ESP) traffic between two FortiGate devices, the correct protocol filter to use is ip proto 50. According to the Fortinet official sniffing and debugging documentation, ESP (Encapsulating Security Payload) is used for encrypted phase 2 payload transfer and always uses IP protocol number 50. Running the command diagnose sniffer packet any ' ip proto 50 '  captures only ESP packets, which represent the encrypted traffic—whether originating or transiting the device.

If there is no NAT device between FortiGates, ESP is not encapsulated in UDP (thus not on UDP port 4500; if NAT-T were required, packets would be UDP-encapsulated, but the scenario explicitly says NAT is not in use). UDP port 500 is for IKE control (negotiation) traffic, and AH (Authentication Header, ip proto 51) is not used for encryption in standard IPsec phase 2 with ESP.

This matches the official CLI reference from Fortinet for VPN and traffic analysis.

**