Intermittent behavior (working sometimes, failing others) points to resource or connectivity fluctuations rather than static misconfigurations.

B. Check that FortiGate is not entering conserve mode:

Reason: When FortiGate enters Conserve Mode (due to high memory usage), it changes its inspection behavior to save resources. Depending on the av-failopen setting, it may either bypass inspection (allowing blocked sites) or drop traffic (blocking valid sites) temporarily until memory recovers. This flapping between states causes intermittent filtering issues.

D. Check that the communication between FortiGate and FortiGuard is stable:

Reason: The Web Filter engine relies on real-time queries to the FortiGuard Distribution Network (FDN) to categorize URLs that are not in the local cache. If the internet connection or the specific path to FortiGuard is unstable (packet loss, latency), queries will time out. This results in " Rating Errors, " which can block or allow traffic unpredictably based on the " Allow websites when a rating error occurs " setting.

Why other options are incorrect:

A: A mismatch in inspection mode (e.g., Profile set to Proxy, Policy set to Flow) is a static configuration error. It would typically result in the profile not being selectable or consistently failing/not applying, rather than working intermittently.

C: If the wrong port is mapped (e.g., HTTP on 8080 is not mapped), the inspection engine will consistently ignore traffic on that port. It would not be intermittent.

The correct answer is B .

The study guide states that for TCP , the protocol state is a two-digit number . The first digit is the server-side state and is 0 when the session is not subject to inspection . The second digit is the client-side state . It also shows that value 1 = ESTABLISHED

So, for a normal TCP session with no inspection, proto_state=01 means:

first digit 0 = no inspection

second digit 1 = ESTABLISHED

That makes B correct.

Why the other options are wrong:

A is wrong because for UDP , the study guide says 00 = one-way traffic and 01 = two-way traffic

C is wrong because 10 does not represent the normal established TCP session described in the study guide. The established example shown is based on state value 1 , and the guide explicitly highlights proto_state=11 when both server-side and client-side TCP handshakes are completed

D is wrong because for ICMP , the study guide says “the protocol state is always 00”

====

Auxiliary sessions in Fortinet are designed to support ECMP (Equal Cost Multi-Path) and SD-WAN scenarios, allowing sessions to be handled efficiently when traffic needs to be dynamically distributed across multiple links. With the auxiliary session setting enabled, FortiGate creates additional session table entries for each possible path in ECMP or SD-WAN—meaning that if the routing path changes (such as a link failover), a new session can be immediately activated and offloaded to the NP6 network processor for acceleration, ensuring minimal disruption. This greatly benefits high-throughput deployments.

Official documentation specifies that when auxiliary sessions are enabled, FortiGate doesn’t just rely on dynamically creating new sessions after a routing event, it proactively creates sessions for all potential paths. This means that in the event of a route change, two sessions exist and the traffic is quickly re-routed and offloaded, maximizing performance and reliability. Without this feature, multiple paths cannot be efficiently offloaded, and routing changes trigger a single session update, reducing failover performance.

The reported symptom—users unable to access any websites despite no explicit blocks in the profile—points to systemic connectivity or configuration issues rather than specific URL filtering rules.

Option B (SSL/TLS Inspection): When Deep Inspection is enabled, the FortiGate acts as a Man-in-the-Middle (MitM) and re-signs server certificates using its own CA. If the clients (browsers) do not trust this CA (i.e., the certificate is not installed in their Trusted Root store), they will reject the connection with certificate errors, effectively preventing access to all HTTPS websites.

Option D (DNS): Web browsing relies on DNS resolution . If the configured DNS server is unreachable or failing, the FortiGate (or the client) cannot resolve FQDNs to IP addresses. Consequently, browsers will fail to load any page, resulting in a total loss of web access.

Option E (License): If the FortiGuard Web Filtering license expires, the FortiGate can no longer query the FortiGuard Distribution Network (FDN) for ratings. By default, or if the allow-when-rating-error setting is disabled (a common security practice), the FortiGate will block all web traffic that it cannot rate, often displaying a " Web Filter Service Error " or invalid license page.

Option A is incorrect because clearing the cache only increases latency, it does not block traffic. Option C is incorrect because webfilter-force-off is typically used to disable the service (often allowing traffic to bypass checks if the service is down), rather than blocking it.

According to the official Fortinet administration guide for FortiOS 7.6.4 under the section " Configuring a RADIUS server, " the supported RADIUS authentication methods you can configure via the CLI with config user radius are:

pap

chap

mschap

mschapv2

auto

The relevant CLI syntax is set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}​. You can confirm this directly in the configuration table and from real CLI sessions.

EAP (Extensible Authentication Protocol) is NOT an authentication option you can directly set under config user radius. EAP methods (such as EAP-TLS, EAP-PEAP, EAP-TTLS) are negotiated between the RADIUS client and server but are not configurable as an explicit auth-type option in FortiOS. EAP authentication is typically used automatically by features like 802.1X, not through the user radius object authentication-type setting, and always requires proper backend workings between supplicant and RADIUS server

The correct answers are A and C .

The exhibit shows that preserve-session-route is enabled on port1:

config system interface

edit " port1 "

set preserve-session-route enable

next

end

The study guide explains the effect of this setting exactly:

“enable: FortiGate marks existing session routing information as persistent, and applies only the modified routes to new sessions”

It also states:

“The current route must still be present in the FIB. Otherwise, FortiGate flags the session as dirty and reevaluates it”

And the same page further clarifies:

“If you enable this setting, sessions passing through that interface continue to pass without being affected by the routing changes. The routing changes apply only to new sessions. If the route is removed from the FIB, then FortiGate must flag the session as dirty, flush its gateway information, and reevaluate the session.”

This proves:

A is correct because with preserve-session-route enable, existing sessions are normally preserved and routing changes apply only to new sessions.

C is correct because the session remains unchanged unless the current route is removed from the FIB/routing table, in which case FortiGate dirties and reevaluates the session.

Why the other options are wrong:

B is wrong because when the active route is removed, FortiGate does not simply mark the session dirty and stop there. The study guide says it “flags the session as dirty and reevaluates it” , which means route lookup happens again.

D is wrong because the session does change if the active route is removed. FortiGate flushes gateway information and reevaluates the session.

So the verified answers are: A, C .

The get router info ospf database brief output on FGT-2 clearly indicates that Area 0.0.0.5 is configured as a [Stub] area.

In OSPF, a Stub Area is specifically designed to reduce the size of the Link State Database (LSDB) on internal routers. The primary behavior of a Stub area is that it does not accept Type 5 (AS External) LSAs .

FGT-3 is the ASBR (Autonomous System Border Router) and is importing static routes, which are generated as Type 5 LSAs in the OSPF domain.

FGT-1 acts as the ABR (Area Border Router). Because Area 0.0.0.5 is a Stub area, FGT-1 blocks these Type 5 LSAs from entering Area 0.0.0.5.

Consequently, FGT-2 will not receive the specific external routes advertised by FGT-3. Instead, the ABR (FGT-1) injects a default route (0.0.0.0/0) into the Stub area to allow connectivity to the external world, which is visible in the database output.

While the question text mentions FGT-3 not receiving routes, the definitive configuration shown in the exhibit is the Stub area setting, which directly corresponds to the blocking of Type 5 LSA propagation (Option A).

The correct answers are A and D .

The study guide states:

“Application layer test commands do not display information in real time. They display statistics and configuration information about a feature or process. You can also use some of these commands to restart a process or execute a change in its operation.”

This directly proves:

A is correct because they can display statistics and configuration information

D is correct because some of them can restart a process/application

Why the other options are wrong:

B is wrong because the study guide explicitly says application-layer test commands do not display information in real time . Real-time output is done with diagnose debug application ... commands instead.

C is wrong because diagnose debug console enable is related to debug output behavior, not a requirement for application-layer test commands to display output. The study guide does not describe test commands that way.

====