The exhibit shows these key lines:

handle_req-Rcvd auth req ... for jsmith in Lab

start_search_dn-base: ' DC=TAC,DC=ottawa,DC=fortinet,DC=com ' filter:sAMAccountName=jsmith

get_all_dn-Found DN 1:CN=John Smith,CN=Users,DC=TAC,DC=ottawa,DC=fortinet,DC=com

The study guide explicitly shows the same LDAP real-time debug pattern and says the request line includes the LDAP server object name:

handle_req-Rcvd auth req ... for jsmith in Lab ...

That supports A : Lab is the configured LDAP server name being used for this authentication request.

For the LDAP flow stage, the study guide states:

“An fnbamd_ldap_build_dn_search_req-base message indicates that FortiGate is performing step two: searching for the user in the LDAP tree.” It also says that if the LDAP server finds the user, the output shows the user’s full DN.

That matches the exhibit’s start_search_dn-base ... filter:sAMAccountName=jsmith and Found DN ... CN=John Smith... lines, so D is correct.

Why the other options are wrong:

B is wrong because the exhibit shows FortiOS has found the user DN CN=John Smith,..., but that does not mean the user is already authenticating with that DN in this step. The study guide says this DN is discovered in step 2 , and only in step 3 does FortiGate bind using the user DN.

C is wrong because the exhibit is showing step 2 (Search Request) , not step 3 (Bind Request) . The study guide separates these steps clearly and shows step 3 with fnbamd_ldap_build_userbind_req-Trying DN ... and __ldap_build_bind_req-Binding to ' CN=John Smith,... '

The BGP debug output shows session information for peers, including state details. According to official Fortinet BGP documentation, if the session state with a peer does not show " Idle, " " Active, " or " Connect, " but instead shows " Established, " " Up, " or related counters (e.g., messages sent/received or uptime), it indicates the session is operational. In this scenario, the peer 10.127.0.75 is the only one showing a positive indication of a live, established session. Other options like neighbor-range configuration, AS mismatch, or route-maps blocking prefixes are not supported by evidence provided in a simple BGP session state debug, nor does the output show errors relating to local or remote AS issues.

The correct interpretation comes from Fortinet ' s BGP troubleshooting guide, which outlines how to read session status and neighbor states in debug and summary outputs.

FortiGate HA Troubleshooting and Synchronization Guides

Fortinet Admin Guide: HA Primary Role Retention, Cluster Break-up Due to Out-of-Sync Status

The output of the diagnose sys session list command provides the critical evidence needed to determine the behavior during a failover:

Session Synchronization (synced):

The most important indicator in the exhibit is the synced flag located in the state= line (state=may_dirty synced none app_ntf).

In FortiOS HA (High Availability), the synced flag confirms that this specific session has been successfully synchronized from the primary device to the secondary (backup) device.

Session synchronization (Session Pickup) ensures that if the primary unit fails, the secondary unit already has the session in its table and can resume traffic processing immediately.

TCP State (proto_state=01):

The output shows proto=6 (TCP) and proto_state=01.

In the FortiGate session table, proto_state=01 for TCP indicates that the session is in the ESTABLISHED state (post-three-way handshake).

This invalidates Option B, which claims the TCP session is not fully established.

Failover Outcome:

Because the session is ESTABLISHED and SYNCED, the secondary device will seamlessly take over the session upon primary failure.

The traffic continues to flow through the new primary without requiring the user/client to restart the connection. This is the primary function of HA Session Pickup.

Why other options are incorrect:

A: While the output shows app_ntf (Application Control notification) and may_dirty, the presence of the synced flag overrides this concern regarding failover. If the session type were not supported for failover (e.g., certain proxy sessions in older versions), it would not be marked as synced. Since it is synced, it persists.

B: As noted, proto_state=01 means established, not " not fully established " .

D: While the kernel updates routing tables, the purpose of syncing the session is to preserve the state so it does not need to be re-evaluated as a new packet would, preventing traffic drops.

The correct answers are A and C .

The study guide describes this exact asymmetric ICMP scenario. It states:

“The server sends an echo request to the PC through port2 of the local router, effectively bypassing FortiGate. When it receives the echo request, the PC responds with an echo reply through its default gateway, 10.1.0.2, which is port1 on FortiGate. Because there is no existing session, the echo reply is dropped. All subsequent echo replies are blocked.”

That means the current problem exists because:

the ICMP request bypasses FortiGate

the ICMP reply goes through FortiGate

FortiGate has no matching session , so it drops the reply

The study guide then shows the exact corrective option:

“Allowing asymmetric routing:”

config system settings

set asymroute enable

end

It further explains:

“After the packet passes through the FortiGate CPU, FortiGate forwards the packet using the FIB, even though there are no session matches. FortiGate forwards all subsequent echo replies using the FIB.”

So A is correct.

The other valid fix is to make the traffic symmetric by changing the laptop’s default gateway so the reply no longer goes through FortiGate. In the exhibit, the alternate gateway is 10.1.0.254 , which is the local router on the same subnet. If the laptop uses 10.1.0.254 instead of 10.1.0.2, the ICMP echo reply follows the same bypass path as the echo request, so the server receives it without involving FortiGate session validation. This makes C correct.

Why the other options are wrong:

B is wrong because this is not an RPF problem. The study guide explains RPF as a reverse path lookup used to validate whether a packet arrived on a legitimate interface, mainly for spoofing protection. The issue in this scenario is a missing session due to asymmetric routing , not a strict-versus-feasible RPF failure

D is wrong because FortiGate already has the specific route 10.4.0.0/24 through port3 in the routing table shown in the exhibit, so adding a default static route to port3 is unnecessary and not the reason the echo reply is being dropped

So the verified answers are: A, C .

The Network Security Support Engineer 7.6 Study Guide explicitly explains this debug message:

“iprope_in_check() check failed, drop” means the packet is destined to a FortiGate IP address and one of these conditions applies:

The service is not enabled

The service is using a different TCP port

The source IP address is not included in the trusted host list

The packet matches a local-in policy with action deny

That directly confirms C. Trusted host list misconfiguration .

Why D is the second valid choice:

The FortiOS administration guide explains that:

“IP pools and VIPs are considered local IP addresses if responding to ARP requests on these external IP addresses is enabled … the FortiGate is considered a destination for those IP addresses … once an IP pool or VIP has been configured … the FortiGate considers it as a local address and will not forward traffic based on the routing table.”

Because iprope_in_check() is a local-in/local-destination type failure, a VIP or IP pool misconfiguration can cause traffic to be treated as destined for the FortiGate itself, which can then trigger this drop condition if the matching local service/local-in handling is not valid. So D is the closest supported second answer from the available choices.

Why the other options are wrong:

A is wrong because policy route problems are not the documented meaning of this specific debug message. The study guide instead ties iprope_in_check() check failed, drop to management/local-in conditions.

B is wrong because the study guide says traffic shaping drops appear as: “Denied by quota check”

To solve this high CPU usage scenario involving the ipsengine, we must understand the specific functions of the diagnose test application ipsmonitor commands shown in the troubleshooting steps.

Analyze the Situation:

Exhibit: The diagnose sys top output shows the ipsengine process is in a run state (R) consuming 99% CPU.

Previous Action: The administrator already ran diagnose test application ipsmonitor 5.

Result: The CPU usage did not drop.

Understand the Commands:

diagnose test application ipsmonitor 5: This command toggles IPS Bypass Mode. When enabled, the IPS engine lets traffic pass through without inspection.

Implication: If the CPU was high due to traffic volume, enabling bypass would drop the CPU load immediately.

Failure: Since the CPU remained at 99% after bypass, the ipsengine process is likely frozen, stuck, or in an internal infinite loop unrelated to the current traffic flow. The process itself is the problem, not the traffic volume.

Evaluate the Solution (Option B):

diagnose test application ipsmonitor 2: This command toggles the IPS engine ' s Enable/Disable status.

Because the engine is stuck (bypass failed to relieve pressure), the " Immediate action " required is to stop or restart the process entirely.

Running option 2 effectively disables/kills the stuck IPS engine instance, which will immediately drop the CPU usage to near zero. (It can then be toggled again to restart it).

Why other options are incorrect:

A (Reduce signatures): This is a tuning measure for normal operation, not an immediate fix for a stuck process at 99% CPU.

C (Disable IPS on policies): This is a configuration change that takes time and requires a commit; it is not the most immediate diagnostic tool available.

D (Bypass all IPS engines): This describes the action of command 5 (Bypass), which the prompt explicitly states was already performed and failed.

The study guide states:

“FortiGate categorizes an entry in the session table as an ephemeral session when it is a TCP session that is not fully established (three-way handshake not completed), or when it is a UDP session with only one packet received.”

This directly proves:

A is correct because a UDP session with only one packet received is ephemeral.

C is correct because a TCP session waiting for the SYN/ACK is not fully established , so it is ephemeral. The study guide’s TCP state table shows that the handshake is only completed when the session reaches ESTABLISHED

Why the other options are wrong:

B is wrong because once UDP traffic has been seen in both directions , it is no longer the “single packet received” condition described for ephemeral sessions. The study guide says for UDP: 00 = one way , 01 = both ways

D is wrong because a TCP session waiting for FIN/ACK is already in the closing stage after establishment, not in the “not fully established” stage. The study guide explains that after both sides close the session, FortiGate can keep it briefly in the table in state value 5 for out-of-order packets after FIN/ACK

The Internet Key Exchange version 2 (IKEv2) protocol simplifies the negotiation process compared to IKEv1. It is defined by a specific sequence of message exchanges to establish a secure IPsec tunnel.

The correct chronological order of the IKEv2 exchanges is:

IKE_SA_INIT (Initial Exchange):

This is the first exchange. It negotiates the security parameters for the IKE Security Association (IKE SA), sends nonces, and performs the Diffie-Hellman key exchange. At the end of this exchange, the communication is encrypted, but the peers are not yet authenticated.

IKE_AUTH (Authentication Exchange):

This is the second exchange. It authenticates the previous messages, exchanges identities and certificates (if used), and establishes the first Child SA (the actual IPsec Security Association used for data traffic).

CREATE_CHILD_SA (Subsequent Exchanges):

This exchange occurs after the IKE SA and the initial Child SA are established. It is used to create additional Child SAs (for different traffic selectors) or to perform re-keying for the IKE SA or existing Child SAs.

Why other options are incorrect:

A & B: Incorrect because CREATE_CHILD_SA cannot happen before the SA is initialized (IKE_SA_INIT) and authenticated (IKE_AUTH).

D: Incorrect because IKE_AUTH cannot occur before IKE_SA_INIT.

Therefore, the protocol flow is IKE_SA_INIT $\rightarrow$ IKE_AUTH $\rightarrow$ CREATE_CHILD_SA.