The correct answer is A. Device Detection is enabled on the other identified device .

The study guide explains that device identification is a “useful feature for the Security Fabric topology view” and that “FortiGate detects most third-party devices in your network and adds them to the topology view of the Security Fabric.” It also states that in the interfaces section, you can enable device detection , and this detection is what allows FortiGate to identify devices based on observed traffic.

In the exhibit, the tooltip distinguishes between “1 device requires authorization” and “1 other identified device.” That means the unauthorized device is a separate FortiGate/Fabric member issue, while the other identified device is simply a detected third-party device shown in the topology because device detection is working. Therefore, the correct interpretation is that device detection is enabled for that identified device. Option B is incorrect because the exhibit does not say the other identified device requires authorization. Option C is not supported by the study guide, and option D is too specific because no evidence in the exhibit confirms that the detection was enabled specifically on port3 .

The correct answer is D. EtherCAT . The study guide explicitly states under the Ethernet/IP and EtherCAT section that “EtherCAT is a protocol that offers real-time communication in a primary-secondary configuration” and “EtherCAT skips layers 3 to 6 to deliver real-time communication.” It also adds that “the most important feature of this protocol is that secondary devices collect only the information they need from the data packets.” This matches the exhibit exactly, where the diagram shows Real-Time Data above a Proprietary MAC and Proprietary physical layer , reflecting the protocol structure that bypasses the intermediate OSI layers.

The other options do not match this behavior. The guide says POWERLINK uses layer 2 and layer 7 of the OSI model, not that it skips layers 3 to 6. It also explains that Ethernet/IP is the industrial protocol based entirely on Ethernet standards and adapts to the OSI model. Modbus is described as an open client/server protocol and is not suitable for transmitting data in real time . Therefore, the protocol in the exhibit is clearly EtherCAT .

The correct answers are A and C .

Option A is correct because the study guide explains that with active authentication , FortiGate prompts the user only when they use “an acceptable login protocol.” It states: “When you use only active authentication, if all possible policies that could match the source IP address have authentication enabled, then the user will receive a login prompt (assuming they use an acceptable login protocol).” A direct ping to PLC-1 uses ICMP , which is not the kind of login protocol used to trigger user authentication. So the supervisor must first authenticate through a protocol such as HTTPS or Telnet , then the ICMP traffic can match the authenticated policy.

Option C is also correct because the exhibit shows policy ID 8 greyed out, meaning it is not enabled. That policy appears above the Supervisor_access (9) policy and allows broader access to PLC-1 , whereas policy 9 is limited to ALL_ICMP . The study guide explains that “Because the user has not yet authenticated, the user group aspect of the traffic does not match” and FortiGate continues searching for another complete match. In this case, with policy 8 disabled, the supervisor is left with only the ICMP rule, which cannot be used to perform the initial login step needed for active authentication.

Option B is not supported by the exhibit. Option D is incorrect because auth-on-demand always would force authentication prompts more aggressively, but the core problem here is that the user is trying to start with ICMP and the broader policy that could permit the initial authenticated access is disabled.