The correct answers are A and C .

The exhibit shows that preserve-session-route is enabled on port1:

config system interface

edit " port1 "

set preserve-session-route enable

next

end

The study guide explains the effect of this setting exactly:

“enable: FortiGate marks existing session routing information as persistent, and applies only the modified routes to new sessions”

It also states:

“The current route must still be present in the FIB. Otherwise, FortiGate flags the session as dirty and reevaluates it”

And the same page further clarifies:

“If you enable this setting, sessions passing through that interface continue to pass without being affected by the routing changes. The routing changes apply only to new sessions. If the route is removed from the FIB, then FortiGate must flag the session as dirty, flush its gateway information, and reevaluate the session.”

This proves:

A is correct because with preserve-session-route enable, existing sessions are normally preserved and routing changes apply only to new sessions.

C is correct because the session remains unchanged unless the current route is removed from the FIB/routing table, in which case FortiGate dirties and reevaluates the session.

Why the other options are wrong:

B is wrong because when the active route is removed, FortiGate does not simply mark the session dirty and stop there. The study guide says it “flags the session as dirty and reevaluates it” , which means route lookup happens again.

D is wrong because the session does change if the active route is removed. FortiGate flushes gateway information and reevaluates the session.

So the verified answers are: A, C .

The correct answer is D. IKE_AUTH .

The study guide explicitly states:

“IKE_Auth exchange:

• Performs the mutual authentication of two IKE endpoints.

• Configures settings like IP/mask, DNS, and so on.

• Sets up the piggyback of a child SA. Negotiates IP flow and security settings for the IPsec SA.”

It also says:

“By default, a piggyback child (IPsec) SA is negotiated along with the IKEv2 SA during IKE_AUTH. If additional IPsec SAs are needed … they are negotiated during subsequent CREATE_CHILD_SA exchanges.”

Why the other options are wrong:

A. IKE_SA_INIT is incorrect because this exchange negotiates the security settings to protect the IKE traffic, not the first CHILD_SA.

B. INFORMATIONAL is incorrect because it is used to convey control messages between IKE endpoints.

C. CREATE_CHILD_SA is incorrect for the first CHILD_SA, because it is used to create new additional child SAs or rekey existing ones after the initial exchange.

The correct answer is B .

In the exhibit:

Neighbor 100.64.1.254 shows State/PfxRcd = 1 , which means the session is established and the local FortiGate has received 1 prefix

Neighbor 100.64.2.254 shows State/PfxRcd = Active

The study guide explains the BGP states exactly:

Connect : Waiting for a successful three-way TCP connection

Active : Unable to establish the TCP session

OpenSent : Waiting for an OPEN message from the peer

OpenConfirm : Waiting for the keepalive message from the peer

Established : Peers have successfully exchanged OPEN and keepalive messages

It also explains how to read the State/PfxRcd column:

“If the state is not established, this column displays the BGP state. If the state is established, this column displays the number of prefixes that the local FortiGate received from that neighbor.”

Therefore, because neighbor 100.64.2.254 is in Active state, the correct conclusion is that the BGP adjacency cannot form because the TCP session could not be established .

Why the other options are wrong:

A is wrong because BGP can establish adjacencies with multiple neighbors independently; one established neighbor does not block another

C is wrong because BGP adjacency is not established based on neighbor “priority”; the output shows adjacency is established because the session completed and prefixes were exchanged

D is wrong because having two neighbors in the same remote AS is valid in BGP and does not prevent adjacency formation

So the verified answer is: B .

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-troubleshoot-FSSO-agentless-polling/ta-p/214349

From the snippet we can see that FortiGate (via the fssod daemon) is directly detecting the user logon rather than relying on a separate “collector” or “DC agent.” This indicates agentless polling—FortiGate polls the DC’s event logs over TCP 445 to discover logons. So: - FSSO is using agentless polling mode to detect logon events - In agentless mode, FortiGate will periodically poll the same IP (the DC) on port 445 to see if the user is still logged on

The output of the diagnose sys session list command provides the critical evidence needed to determine the behavior during a failover:

Session Synchronization (synced):

The most important indicator in the exhibit is the synced flag located in the state= line (state=may_dirty synced none app_ntf).

In FortiOS HA (High Availability), the synced flag confirms that this specific session has been successfully synchronized from the primary device to the secondary (backup) device.

Session synchronization (Session Pickup) ensures that if the primary unit fails, the secondary unit already has the session in its table and can resume traffic processing immediately.

TCP State (proto_state=01):

The output shows proto=6 (TCP) and proto_state=01.

In the FortiGate session table, proto_state=01 for TCP indicates that the session is in the ESTABLISHED state (post-three-way handshake).

This invalidates Option B, which claims the TCP session is not fully established.

Failover Outcome:

Because the session is ESTABLISHED and SYNCED, the secondary device will seamlessly take over the session upon primary failure.

The traffic continues to flow through the new primary without requiring the user/client to restart the connection. This is the primary function of HA Session Pickup.

Why other options are incorrect:

A: While the output shows app_ntf (Application Control notification) and may_dirty, the presence of the synced flag overrides this concern regarding failover. If the session type were not supported for failover (e.g., certain proxy sessions in older versions), it would not be marked as synced. Since it is synced, it persists.

B: As noted, proto_state=01 means established, not " not fully established " .

D: While the kernel updates routing tables, the purpose of syncing the session is to preserve the state so it does not need to be re-evaluated as a new packet would, preventing traffic drops.

The 7.6 study guide explains the route selection order:

“Route Selection Process

Most specific route

Lowest distance

Lowest metric (dynamic routes)

Lowest priority (static routes)

ECMP (static, BGP, and OSPF routes)”**

It then states:

“If there are multiple routes with the same netmask, distance, metric, and priority, FortiGate shares the traffic among all of them. This is called equal-cost multi-path (ECMP).”

The FortiOS administration guide confirms the ECMP prerequisite:

“Routes must have the same destination and costs. In the case of static routes costs include distance and priority.”

In the exhibit, the kernel/FIB output shows the two default routes as:

gwy=100.64.1.254 dev=3 (port1) prio=0

gwy=100.64.2.254 dev=6 (port2) prio=10

So although both are default routes, their priorities are different . Since FortiGate uses the FIB/kernel for forwarding traffic, ECMP will not happen until the static-route priorities are the same. The study guide also notes that the FIB is the table used to perform standard routing

Therefore, to make the two default routes eligible for ECMP, the administrator must make the priorities equal. Since port2 is already 10, the needed change is to set the port1 default route priority to 10.

Why the other options are wrong:

A is wrong because snat-route-change affects how existing SNAT sessions react to routing changes, not whether static routes qualify for ECMP

B is wrong because changing port2 to priority 1 still would not match port1 at 0, so the routes still would not have equal cost for ECMP

C is wrong because preserve-session-route affects existing-session route persistence after routing changes, not ECMP qualification

The correct answer is A .

The study guide explains the IKEv2 exchange order very clearly:

“The initial exchanges are: IKE_SA_INIT and IKE_AUTH.”

“Create_Child_SA exchange: Creates a new child SA or rekeys an existing child SA.”

It also states:

“After successful IKE_SA_INIT and IKE_AUTH exchanges, the CHILD_SA exchange takes place. In this exchange, the peers negotiate the CHILD_SA and the traffic selectors — traffic selector responder (TSr) and traffic selector initiator (TSi).”

That is why A is correct: if the tunnel was initially brought up successfully , then the initial exchanges already succeeded. A later problem during CREATE_CHILD_SA , especially with traffic selectors/phase 2 selectors , can cause the tunnel to fail during rekey or child-SA renegotiation.

Why the other options are wrong:

B is wrong because proposal mismatch for the IKE SA is handled during IKE_SA_INIT , not after the tunnel is already up. The study guide says IKE_SA_INIT negotiates the security settings to protect the IKE traffic

C is wrong because a pre-shared key mismatch is part of authentication and would prevent successful initial establishment during IKE_AUTH . The study guide shows that after IKE_AUTH, “authentication succeeded” and “established IKE SA” when it works

D is wrong because a Diffie-Hellman mismatch belongs to IKE_SA_INIT , which happens before the tunnel comes up. The study guide also states: “By IKEv2 design, no Diffie-Hellman public key is exchanged during an IKE_AUTH exchange.”

So the verified answer is: A .