Free FCSS_LED_AR-7.6 Questions Attempt

From the exhibits:

SSID “Guest”

Security mode:Open

Captive Portal: Enabled, portal typeAuthentication → External

External portal URL: (FortiAuthenticator)

Exempt destinations/services:FortiAuthenticator and WindowsAD

Firewall policy

From theGuest interface/zonetoport1 (Internet)

Source user group:guest.portal(authenticated users)

The flow for anexternal captive portalis:

Client associates to theopen Guest SSID.

Client makes an HTTP(S) request.

FortiGate intercepts and redirects the client to theexternal portal.

Client must be able toreach FortiAuthenticator’s IP(and AD if the portal needs it)before authentication.

In this setup:

Theexempt destinationsetting tells the captive portal logicnot to require authenticationfor traffic going to FortiAuthenticator and WindowsAD.

However, there still must be a firewall policy that allows traffic from the Guest SSID subnet to those exempt destinations.

The existing firewall policy uses theguest.portal user groupas a source condition, which only matchesaftersuccessful portal authentication. Before login, the client has no user identity, so:

Traffic from the unauthenticated Guest client → FortiAuthenticator isnot matchedby that policy.

It hits theimplicit deny, so the browser never reaches the login page.

To fix this, the administrator must:

Create or modify a firewall policy thatallows traffic from the Guest SSID subnet/interface to FortiAuthenticator and WindowsAD without requiring user authentication.

That is exactly what optionDdescribes.

Why the others are wrong:

A. Change SSID security mode to WPA2-Enterprise– External captive portals are normally used withopenSSIDs; WPA2-Enterprise uses 802.1X, not captive portal.

B. Disable HTTPS redirection– Redirection is required so users are sent to the portal; disabling it doesn’t solve reachability.

C. Exclude FortiAuthenticator and Windows AD from filtering– They’re already listed asexempt destinationsin the SSID configuration; the missing piece is thefirewall policy, not the exemption.

The correct answer is D.

The LAN Edge 7.6 Architect study guide directly explains this exact behavior for SSIDs configured on FortiManager.

The study guide states:

“In central management mode, profiles are created and stored on FortiManager. An AP profile is distributed to a controller when at least one of its supported APs is assigned the profile and the device settings are installed. SSID profiles are delivered only when you select Manual in the SSID field.”

It further says:

“If you create an SSID profile centrally and configure all the AP profiles to be tunnel or bridge, the SSID profile is not delivered to FortiGate. FortiManager does not know which of the SSID profiles to distribute to which FortiGate.”

And the guide gives the exact fix:

“A manual SSID explicitly tells FortiManager which SSID profile to broadcast on the AP and, as a result, the required SSID profile is delivered to the controller.”

Another extract from the same section confirms:

“When you want to broadcast an SSID, you must configure the AP profile that is being used by the APs that are to transmit it... Manual: You can select a mix of SSIDs to broadcast.”

So in this scenario, the AP profile must be changed from Bridge or Tunnel to Manual, and then the required SSIDs must be explicitly selected.

Why the other options are incorrect:

A. Incorrect. The issue is not the AP platform. The study guide identifies the problem as SSID delivery and mapping from FortiManager to FortiGate, not AP hardware support

B. Incorrect. The study guide explicitly says Manual can be used to “select a mix of SSIDs to broadcast,” so a mix is supported when Manual is chosen

C. Incorrect. Transmit Power Mode affects RF behavior, not whether FortiManager delivers SSID profiles to FortiGate. The problem here is SSID assignment and profile distribution, not radio power.

Extra confirmation from FortiGate Cloud administration guidance:

“To configure the SSID that you created select Manual for SSIDs then select the SSID from the dialog.”

Final verified conclusion:

Because the SSIDs were created on FortiManager and are not being broadcast, the AP profile must use Manual in the SSIDs field and the intended SSIDs must be explicitly selected.

So the correct answer is D.

When FortiAuthenticator is used as anFSSO agentbased onsyslog, it must:

Parse incoming syslog messagesfrom devices (firewalls, WLAN controllers, VPN concentrators, etc.).

Extract identity fieldssuch as:

Username

IP address

Login/logout event indicators

Syslogmatching ruleson FortiAuthenticator define:

Which syslog messages are relevant (by facility, message pattern, or regex).

How to capture specific fields (username, IP, group, event type).

FortiAuthenticator then uses this parsed data toinject logon sessions into FSSO, so FortiGate can apply identity-based policies.

Thus, the role of syslog matching rules is exactly as described inC.

A: Group mapping is handled separately via directory groups / FSSO config, not directly by matching rules.

B: Enforcement of authentication policies is done on FortiGate, not directly by the matching rules.

D: While irrelevant logs can be ignored via rules, the primary purpose isparsing and extraction, not generic filtering.

The LAN Edge 7.6 Architect Study Guide identifies the following communication mechanisms between FortiGate and FortiSwitch:

C — FortiLink Protocol (Primary Management Protocol): The study guide states: " FortiLink, also known as the switch controller function, allows FortiGate firewalls to remotely manage FortiSwitch devices. FortiLink defines the management interface and remote management protocol between FortiGate and FortiSwitch, enabling seamless control and integration. " FortiLink is the foundational protocol for the entire management relationship.

B — HTTPS (REST API): The study guide confirms: " FortiGate applies the quarantine-related configuration for the quarantined device to FortiSwitch using the FortiSwitch REST API. " FortiGate communicates with FortiSwitch via HTTPS-based REST API calls for specific configuration pushes such as quarantine enforcement, port configuration, and security policy application.

A — SNMP: SNMP is referenced in the study guide as a management protocol used by FortiGate to monitor and gather status information from FortiSwitch devices. SNMP is a standard network management protocol used for monitoring switch status, which aligns with its role in FortiSwitch management.

Why the other options are wrong:

D is incorrect — CAPWAP (UDP 5246/5247) is the protocol used between FortiGate and FortiAP for wireless AP management, NOT between FortiGate and FortiSwitch. The study guide explicitly states: " FortiGate manages FortiAPs using the CAPWAP protocol. "

E is incorrect — IGMP is an IP multicast group management protocol. It plays no role in the management or control channel between FortiGate and FortiSwitch. It is not mentioned in the LAN Edge 7.6 study guide in the context of FortiSwitch management.