Fortinet Certified Solution Specialist FCSS_NST_SE-7.6 Book

The exhibit shows these key lines:

handle_req-Rcvd auth req ... for jsmith in Lab

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explicitly shows the same LDAP real-time debug pattern and says the request line includes the LDAP server object name:

handle_req-Rcvd auth req ... for jsmith in Lab ...

That supports A : Lab is the configured LDAP server name being used for this authentication request.

For the LDAP flow stage, the study guide states:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree.” It also says that if the LDAP server finds the user, the output shows the user’s full DN.

That matches the exhibit’s start_search_dn-base ... filter:sAMAccountName=jsmith and Found DN ... CN=John Smith... lines, so D is correct.

Why the other options are wrong:

B is wrong because the exhibit shows FortiOS has found the user DN CN=John Smith,..., but that does not mean the user is already authenticating with that DN in this step. The study guide says this DN is discovered in step 2 , and only in step 3 does FortiGate bind using the user DN.

C is wrong because the exhibit is showing step 2 (Search Request) , not step 3 (Bind Request) . The study guide separates these steps clearly and shows step 3 with fnbamd_ldap_build_userbind_req-Trying DN ... and __ldap_build_bind_req-Binding to ' CN=John Smith,... '

The correct answers are C and D .

The study guide states: “SSL certificate inspection relies on extracting the FQDN of the URL from either: TLS extension server name indication (SNI), SSL certificate common name (CN).” It also says: “When using SSL certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates and the SNI field, which are interchanged before the encryption.”

This proves the second part of the answer:

under SSL certificate inspection , FortiGate does not decrypt the traffic

therefore, if the traffic is allowed , it still passes without decryption

That makes D correct.

For the SNI mismatch behavior, the FortiOS administration guide describes the default Server certificate SNI check behavior as:

“Enable: If it is mismatched use the CN in the server certificate for URL”

So if the SNI does not match the CN or any SAN, FortiGate falls back to using the CN from the Subject field for URL handling under the default setting. That makes C correct.

Why the other options are wrong:

A is wrong because with the default SNI-check behavior, when the SNI mismatches the certificate identity, FortiGate does not continue using the mismatched SNI . Instead, it uses the CN in the server certificate for the URL .

B is not the best answer in this single pair selection . While certificate inspection does not decrypt traffic, the key default behavior the documents explicitly highlight for this mismatch case is:

use the CN when SNI mismatches , and

certificate inspection does not decrypt allowed HTTPS traffic .

So the verified answers are: C, D .

The correct answer is B .

The study guide explicitly states: “IKE version 2 does not interoperate with IKE version 1, but they share enough of the header format that both versions can unambiguously operate over the same UDP port.”

That directly proves B .

Why the other options are wrong:

A is wrong because the study guide shows authentication methods as Asymmetric for IKEv2 and Symmetric for IKEv1

C is wrong because the study guide does not say they use the same TCP port; instead, it specifically says they can operate over the same UDP port

D is wrong because the study guide states: “IKEv2 does not use the concept of phase 1 or phase 2” , even though FortiOS CLI/GUI still uses those terms for configuration purposes