Auto TX power control on FortiAP is an RF-optimization feature:

FortiGate (as wireless controller) continuously evaluatesRSSI of associated clientson each FortiAP radio.

The algorithm focuses on theweakest client(the one with the worst signal) and adjusts the AP’s transmit power so that this client’s signal level stays within a configured / target range.

This helps balance coverage and limit co-channel interference: APs don’t transmit at maximum power when clients are close, but will increase power when the weakest client signal drops too low.

Therefore the correct behavior description is:

✔C– AP power is adjusted based on the weakest associated client’s signal.

Why the others are wrong:

AandBtalk about matching nearby APs’ power or forcing everything to –70 dBm, which is not how FortiAP auto TX works.

Dincorrectly states the AP “evaluates its own transmission from the client perspective”; the AP can only infer client-side conditions from theclient’s RSSI at the AP, not the inverse.

The correct answers are A and D.

The study guide explains that in tunnel mode, traffic for local resources at the AP site will hairpin back to FortiGate unless split tunneling is configured:

“In tunnel mode, all traffic from the SSID is sent to the FortiGate Wi-Fi controller. If you locate the AP in a remote office, all the traffic is sent to FortiGate, even if it is destined for a remote office resource. The packets sent to a local resource, such as an office printer, will hairpin, crossing the WAN link needlessly.”

It then gives the fix:

“When you enable split tunneling on an SSID profile, you can configure a different egress point for the traffic. You can split traffic; some traffic is sent to the local network, and some tunnels back to the managing FortiGate... You can configure the subnets in an ACL... You can also configure the AP to automatically add its own subnet to the ACL.”

The next page states:

“The traffic is tunneled or bridged depending on the subnets configured in the split-tunneling-acl list. If the split-tunneling-acl-local-ap-subnet option is enabled, the local subnet of the AP is dynamically added to the list.”

That directly supports:

A: adding the local home subnet to the split tunneling ACL

D: enabling split-tunneling-acl-local-ap-subnet

Why the other options are incorrect:

B. Incorrect. Changing the SSID to local bridging would stop the corporate traffic model shown in the scenario. The employee already can reach company resources, which indicates tunnel mode is working. The issue is only access to a local home printer, which the study guide solves with split tunneling, not by converting the SSID to bridge mode

C. Incorrect. intra-vap-privacy controls host isolation between clients on the same SSID. The problem here is reaching a local subnet resource behind the remote AP, which is a split tunneling issue, not host isolation.

Final verified conclusion:

To allow the remote employee to continue reaching company resources while also accessing the local home printer, the required fixes are:

add the local home subnet to the split tunneling ACL

enable automatic inclusion of the AP local subnet in the split tunneling ACL

So the correct answers are A and D.

The correct answer is D.

The LAN Edge 7.6 Architect study guide explains that when using an external captive portal, configuring the portal URL and exempt destinations on the SSID is not enough by itself. FortiGate must also have a matching firewall policy that allows the unauthenticated client traffic path to the external portal.

The guide states: “If you are using an external captive portal server, you must configure a firewall policy and exempt web traffic to the external captive portal IP address.”

It also states: “Just selecting and applying the address object and selecting the services is not enough to allow the traffic to pass through FortiGate. You must also have a corresponding firewall policy in place that allows the pinhole traffic to pass through FortiGate.”

In the exhibit, the SSID already includes FortiAuthenticator and WindowsAD as exempt destinations/services, so option C is already configured. However, the wireless clients are connecting through the AP on port4, and the visible firewall policy shown is from the guest SSID interface to port1 for internet access. There is no policy shown that permits the required pre-authentication traffic path from the wireless side toward the external portal resources through the relevant source path. Therefore, the missing fix is the firewall policy using port4 as source.

Why the other options are incorrect:

A. Incorrect. External captive portal authentication is designed to work with an open SSID plus captive portal. WPA2-Enterprise is a different authentication model and is not required here

B. Incorrect. The study guide does not identify NAT on that policy as the reason users cannot reach the external captive portal login page. The key requirement is the exempt/pinhole firewall policy, not NAT behavior

C. Incorrect. Those address objects are already present in the SSID configuration under exempt destinations/services, so this is not the missing change.

Final verified conclusion:

Because the exempt destinations are already configured, the missing requirement is the corresponding firewall policy permitting the captive portal pinhole traffic from the wireless source path.

So the correct answer is D.

The LAN Edge 7.6 Architect Study Guide explicitly states in the " Device Detection + FortiGuard Services " section:

" With the FortiGuard Attack Surface Security Service and IoT Detection, FortiGate assesses the security posture of connected devices, especially IoT devices, which often have weak security settings. This feature helps you to monitor and control the growing attack surface created by numerous IoT endpoints, by detecting and identifying connected IoT devices and assessing their vulnerabilities. "

The guide further confirms that FortiLink device detection, combined with these two specific FortiGuard services, enables comprehensive device identification and vulnerability detection, allowing FortiGate to automatically detect any device connected to the network and analyze its potential security risks.

Why the other options are wrong:

A is incorrect — " FortiGuard Vulnerability Management " and " FortiGuard Endpoint Protection " are not the services referenced in the study guide for this feature.

B is incorrect — " FortiGuard Threat Intelligence " is not the named service for this functionality; the correct service is Attack Surface Security.

C is incorrect — Same reason as B; Threat Intelligence and Endpoint Protection are not the correct license pair for FortiLink device detection and IoT vulnerability assessment.

???? Typing Error Corrections Made: Option B and D in the original question had " loT " (lowercase L) corrected to " IoT " (capital I) — the correct abbreviation for Internet of Things.

This question combines two FortiAP behaviors shown in the study guide:

AP handoff for load balancing

Frequency handoff for band steering to 5 GHz

From the WTP profile in the exhibit:

set handoff-rssi 30

set handoff-sta-thresh 30

The LAN Edge 7.6 Architect study guide explains AP handoff like this:

“If the number of clients is already at the defined threshold, new clients will be redirected to join the least busy nearby AP.” It also states: “The handoff-sta-thresh parameter defines the threshold value that triggers the handoff protocol for new clients.”

So, because the first AP 5 GHz radio already has 32 clients, it is above the threshold of 30, meaning AP handoff can be considered.

However, the same extract adds an important condition:

“The handoff-rssi threshold defined in the AP profile applies when a handed-off client tries to connect to the second AP. The client ' s signal strength must be equal to or greater than the defined RSSI value on the new AP.”

The second AP measures the client at -43 dBm. Based on the configured handoff RSSI threshold of 30, the second AP does not satisfy the required signal condition for the handoff target, so FortiGate does not redirect the client there.

Now consider band selection. The study guide explains frequency handoff:

“Frequency handoff is a band steering technique that FortiGate uses to encourage clients to use the 5 GHz frequency instead of the 2.4 GHz.”

It also says:

“When a client tries to connect, FortiGate checks whether it can support 5 GHz and, if so, how good the signals are. If a client supports the 5 GHz frequency and the signal is strong enough to connect, FortiGate ignores the client’s requests to join the network on 2.4 GHz until the request times out. The client will then automatically try to join the same network using 5 GHz.”

Because the client is dual-band capable and the first AP sees it at a very strong -33 dBm, FortiGate will steer it to 5 GHz on the first AP.

Why the other options are incorrect:

A. Incorrect. The study guide says frequency handoff encourages dual-band clients to use 5 GHz instead of 2.4 GHz when the 5 GHz signal is strong enough

C. Incorrect. Even though the second AP 5 GHz radio has fewer clients, AP handoff only occurs if the target AP meets the configured handoff RSSI requirement. The study guide explicitly makes that a condition

D. Incorrect. 2.4 GHz is not preferred here. The study guide specifically says FortiGate uses frequency handoff to encourage 5 GHz for dual-band-capable clients

Final verified conclusion:

The client will associate with the first AP 5 GHz radio because:

the client is dual-band capable

FortiGate prefers 5 GHz through frequency handoff

the first AP has the stronger signal at -33 dBm

the second AP does not qualify as the handoff target under the configured handoff RSSI condition

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.

FortiLink NACis the NAC (Network Access Control) engine built into FortiGate when it manages FortiSwitch devices.

It performs:

✔Automated device onboarding

Automatically detects new devices connecting to switches.

Uses MAC, vendor, DHCP fingerprinting, or IoT database to classify devices.

No manual VLAN assignment required.

✔Security posture verification

Works with FortiClient EMS, ZTNA tags, IoT detection.

Applies policies based on:

Device type

User role

Endpoint compliance

IoT vulnerability status

✔Dynamic VLAN assignment

Automatically moves devices into proper VLANs, quarantine networks, or guest zones.

✔Integration with LAN Edge & Zero Trust

Uses FortiGate + FortiSwitch + FortiAP to enforce zero-trust access.

This matches the LAN Edge 7.6 Architect explanation of FortiLink NAC.

❌Why other answers are wrong

A. Extend security policies across FortiGate firewalls

Not NAC. That refers to Security Fabric or SD-WAN.

C. Apply manual firewall rules

FortiLink NAC is specifically designed toautomateaccess control.

D. Manually place devices in VLANs

NAC eliminates manual VLAN assignment — it is dynamic.

WithAD machine authenticationvia FortiAuthenticator:

When a machine successfully authenticates, FortiAuthenticator records:

Machine account / identity

MAC addressof the device

Associated IP and session info

To handle sleep/hibernation:

FortiAuthenticator keeps acache of authenticated MAC addressesfor a configured timeout.

When the device wakes up and sends traffic again, FortiAuthenticator/FSSO can still treat it as authenticated as long as its MAC is in cache, so access is maintained without forcing a full machine re-auth immediately.

This matches optionD.

A(guest VLAN) is not the standard behavior here.

B(WoL) is unrelated.

C(IP-based) would break as IPs can change; MAC-based caching is what’s used.

In this scenario:

FortiGate + FortiAnalyzer are part of theSecurity Fabric

AnAutomation Stitchis configured:

Trigger:Compromised Host – High(IOC from FortiAnalyzer)

Action:Quarantine on FortiSwitch + FortiAP

A test device10.0.2.1visits a malicious website.

FortiAnalyzer logs show the event, butFortiGate does NOT quarantine the device.

This means theautomation did not receive an IOC trigger, OR theFabric did not classify it as a compromise.

Let ' s evaluate each answer option.

✅C. The malicious website is not recognized as an indicator of compromise (IOC) by FortiAnalyzer.

✔Correct.

For FortiGate to quarantine a device:

FortiAnalyzer must classify the event as aCompromised Host → High / Medium / Critical

FortiAnalyzer must generate anIOC event

FortiGate must receive that IOC through the Fabric

Even though the FAZ log shows:

Action = blocked

Category = Malicious Websites

→ That doesNOTautomatically mean an IOC was generated.

A blocked website event isnot always an IOCunless:

It is included in theIOC database

FAZ’sAnalytics / UTM / IOCengine marks it as a compromise

Thus, if FAZ only logs a “Malicious Website” event butdoes not classify it as an IOC,

Observed behavior:

Devices in the VLANcan ping FortiGate→ gateway reachability OK.

FortiGatecan ping devicesin that VLAN → return path OK.

Inter-VLAN routingworks → FortiGate’s L3 and policies are fine.

Devices in the same VLAN cannot ping each other→ problem is on theL2 switching plane, not L3.

On FortiSwitch (managed by FortiGate), there is a feature calledAccess VLAN(sometimes described in NAC/dynamic segmentation context):

WhenAccess VLANis enabled on a VLAN, the switchdoes not perform normal L2 forwardingbetween hosts in that VLAN.

Instead, all traffic from endpoints in that VLAN isforced upstream to FortiGate, as if every frame were destined for the gateway.

This is used for designs where you wantall intra-VLAN traffic inspected by the firewall, implementing micro-segmentation.

Resulting behavior:

Host → FortiGate: works (frames are forwarded to FortiGate).

FortiGate → Host: works (routed back).

Host A → Host B (same VLAN):

Frame from A goes to FortiGate.

FortiGate seessource and destination in same subnet; depending on policy, it may drop or not have a policy allowing that traffic.

Even if allowed, certain designs still break pure L2 expectations.

In the exam scenario, the key point is:

IfAccess VLAN is enabled,local L2 communication within that VLAN is disabled, so hosts in the same VLAN cannot communicate directly.

That perfectly explains:

Same VLAN hosts can’t ping each other

But they can both reach FortiGate and beyond

Why the other options are less likely / incorrect

B. FortiSwitch MAC address table is missing entries

If MAC table were empty/bad,nothingin that VLAN would work properly, including pinging FortiGate.

C. FortiGate ARP table is missing entries

Then FortiGate couldn’t ping the devices either; but it can.

D. Native VLAN misconfigured on ports

That would affect connectivity to FortiGate too, not only host-to-host.