Pass the Fortinet Certified Solution Specialist FCSS_LED_AR-7.6 Questions and answers with ExamsMirror

The VAP configuration clearly showsVLAN pooling using WTP-groups:

set vlan-pooling wtp-group

config vlan-pool

edit 101

set wtp-group "Floor_1"

edit 102

set wtp-group "Office"

How VLAN assignment works in this mode

VLAN-pooling with wtp-group modemeans:

Each AP group (WTP group) is tied to exactly one VLAN in the pool.

The FortiGate doesnot load balanceVLANs.

Instead, VLANs are mappedper AP group, not per client.

Now verify each answer option:

A. FortiGate will load balance clients using VLAN 101 and 102...

❌Incorrect.

FortiGatedoes NOT load-balance clientswhen vlan-pooling is set towtp-group.

Each AP group receivesonly the VLAN mapped to it.

B. All clients in the Corp zone get IPs from 10.0.20.0/24

❌Incorrect.

In the Wi-Fi zone table, onlyCorp.102has an IP subnet:

Corp.101 →0.0.0.0/0.0.0.0(no IP assigned → clients get no DHCP)

Corp.102 →10.0.20.1/255.255.255.0

Thus, clients associated to VLAN 101cannotget IPs.

C. Clients connecting to APs in the Floor_1 group cannot receive an IP address

✔Correct.

Reason:

Floor_1 WTP-group → VLAN101

VLAN 101 hasno IPin the Wi-Fi table →0.0.0.0/0.0.0.0

No DHCP =Clients receive no IP address

D. Clients connecting to APs in the Office group will be assigned to VLAN 102

✔Correct.

Reason:

Office WTP-group maps to VLAN102

VLAN 102 has subnet10.0.20.0/24

So Office group clients get an IP in that range

FortiLink device detection relies on FortiGate'sDevice IdentificationandIoT Detectioncapabilities to classify devices connected to FortiSwitch ports.

To enabledevice identificationandvulnerability detectionfor IoT/endpoint devices in LAN Edge deployments, FortiGate must subscribe to the correct FortiGuard services.

1. Required FortiGuard License for Device Identification (IoT Detection)

The FortiOS documentation clearly states:

“IoT detection service… requires anAttack Surface Security Rating service licenseto download the IoT signature package.”

Additionally:

“The following settings are required for IoT device detection:

A validAttack Surface Security Rating service licenseto download the IoT signature package.”

This service provides:

IoT signature package

IoT device classification

Device behavior profiling

This makesAttack Surface Securitymandatory for FortiLink device detection.

2. Required FortiGuard License for Device Vulnerability Detection

FortiOS further clarifies that IoT vulnerabilities require theIoT Detection license, which is included under the same Attack Surface service entitlement:

“To detect IoT vulnerabilities the FortiGate must have a validIoT Definitions license…”

The IoT Definitions license comeswith the Attack Surface Security Rating serviceand is used for:

Scanning connected devices

Identifying IoT/endpoint vulnerabilities

Reporting vulnerability severity

Enabling NAC-based remediation (VLAN steering, port isolation)

In LAN Edge Architect, this license combination is emphasized as a foundational requirement for:

FortiSwitch NAC

FortiLink device profiling

Automated quarantine actions

IoT device classification

Vulnerability-based segmentation

3. Why the Correct Answer Is Option D

OptionDlists:

✔FortiGuard Attack Surface Security

✔FortiGuard IoT Detection

These are exactly the services required per FortiOS 7.4.1:

Attack Surface Security Rating→ provides IoT signature package + vulnerability data

IoT Detection (Definitions)→ enables actual device-type and vulnerability identification

Together they powerFortiLink Device DetectionandIoT Vulnerability Detection, which are essential LAN Edge security functions.

4. Why Other Options Are Incorrect

A. Vulnerability Management + Endpoint Protection

Not used for FortiLink device detection; Endpoint detection relies on IoT service, not FortiClient.

B. Threat Intelligence + IoT Detection

Threat Intelligence (ThreatIntel DB) is used for FAZ IOC, not LAN Edge device detection.

C. Threat Intelligence + Endpoint Protection

Same issue—does not provide IoT device classification or vulnerability scanning.

LAN Edge 7.6 Architect Context Summary

In LAN Edge designs:

FortiGate acts as the controller for FortiSwitch via FortiLink.

Device detection is done at the FortiGate level using NAC/IoT signature capabilities.

Vulnerability detection enables dynamic segmentation decisions (e.g., move device to quarantine VLAN).

To support this, two licenses aremandatory:

Attack Surface Security(includes Security Rating + IoT Detection DB)

IoT Detection(part of the same entitlement, but explicitly required for vulnerability detection)

Thus the verified answer aligns perfectly with LAN Edge operational requirements and Fortinet documentation.

Let’s verify each protocol:

C. FortiGate uses the FortiLink protocol to establish communication with FortiSwitch.✔

FortiLink is themanagement and control protocol, encapsulated over:

LLDPfor discovery

CAPWAP (UDP/5246–5247)for control channel

DHB (Device Handshake Bus)inside CAPWAP frames

Thus,FortiLink is required.

D. CAPWAP is used to establish the control channel between FortiSwitch and FortiGate.✔

Although CAPWAP is commonly associated with FortiAP, FortiSwitchalso uses CAPWAPinternally when managed by FortiGate.

This is documented in:

FortiSwitch Administration Guide

LAN Edge deployment guide

SoD is correct.

B. UHTTPS is used by FortiGate to securely manage and configure FortiSwitch devices.✔

FortiLink session actually uses:

Encrypted CAPWAP (over DTLS)

UHTTPS (port 4433)for secure configuration exchanges

This protocol is mandatory for:

Switch configuration synchronization

Firmware upgrade

NAC data exchange

VLAN provisioning

ThereforeUHTTPS is indeed one of the key protocols.

Why the incorrect options are wrong:

A. SNMP can be used by FortiGate to manage FortiSwitch.✖

FortiGate doesnotuse SNMP to manage FortiSwitch.

SNMP is for monitoring by external systems, not for FortiLink control.

E. IGMP is required for management.✖

IGMP is a multicast protocol, irrelevant for FortiGate–FortiSwitch management.

The FortiOS documentation explicitly states that a CSR used for certificate signing must contain accurate and valid fields, especially:

Common Name (CN)

Organization (O)

Country (C)

Public key parameters

According to the FortiGate certificate section:

Incorrect CSR field information can cause the CA to reject the request.

Reasons include:

The CA validates identity and organizational information.

Missing or malformed data invalidates PKI requirements.

The CSR is not corrected automatically by the CA.

Therefore:

✔A is correct.

Options B–D contradict PKI principles:

B is false: CAs do not issue certificates with mismatched identity fields for public trust.

C is false: CSR fields are not only for internal use; they define certificate identity.

D is false: CAs do not auto-correct CSR fields.

From the FortiManager NAC policy:

Category =Device

Match criteria includeMAC addressandOperating System = Linux

Action =Assign VLAN “Students”

From the FortiGate CLI:

diagnose switch-controller switch-info mac-table ...

MAC: 70:88:6b:8c:4a:ce VLAN: 4089 Port: port2

diagnose switch-controller mac-device mac onboard­ing

VLAN 4089 MAC 70:88:6b:8c:4a:ce

So the device is stuck inVLAN 4089, which is theonboarding VLAN. No NAC policy is matched.

For a NAC policy to match, FortiGate needsdevice-identity information, which comes fromdevice detection on the VLAN / FortiLink interfaceplus theattributes that the policy expects(OS, MAC, etc.).

A. Device detection is not enabled on VLAN 4089.

If device detection is disabled on the interface/VLAN where the endpoint lives, FortiGate cannot learn OS / device info.

Without this, the NAC engine cannot compare against the NAC policy (which relies on OS and other attributes), so the device remains in the onboarding VLAN.✅This is a valid root cause.

B. The device operating system detected by FortiGate is not Linux.

The NAC policy explicitly requiresOperating System = Linux.

If the endpoint is actually Windows/macOS, or the OS fingerprint is still “Unknown”, the policy will never match, and the device stays in onboarding.✅Also a valid reason.

C. Management communication between FortiGate and FortiSwitch is down.

CLI output (switch-info mac-table and mac-device) proves FortiGate is talking to the switch and sees MAC/VLAN/port information.❌Not a valid reason.

D. The MAC address configured on the NAC policy is incorrect.

The exhibits show the MAC in the NAC policy matches the MAC appearing in the MAC table.❌Not the cause here.

The SSL-VPN configuration hasRequire Client Certificateenabled. When this is enabled, FortiOS performs two checks:

Normal user authentication(username/password or PKI user)

Additional client certificate check– the client certificatemust be signed by a CA that FortiGate trusts

FortiOS documentation for “SSL VPN with certificate authentication” states:

“The client certificate only needs to be signed by a known CA in order to pass authentication.”

“The CA certificate is the certificate that signed both the server certificate and the user certificate… The CA certificate is available to be imported on the FortiGate.”

The debug output shows key lines:

__quick_check_peer-CA does not match.

Issuer of cert depth 0 is not detected in CMDB.

This tells us:

FortiGatedoes see the user’s certificate,

Butcannot find the issuing CAin its local CA certificate store (“CMDB” = configuration database).

This means theCA that signed the user certificate has not been importedinto FortiGate.

Now evaluate the options:

A. Enable Redirect HTTP to SSL-VPN– affects only redirection from HTTP to HTTPS; it has nothing to do with certificate validation.

B. Import the CA that signed the SSL VPN Server Certificate– the server certificate is already working (the portal comes up) and its CA is not what the debug complains about; the error is about thepeer (user) certificate. Often the same CA signs both, but the failing check specifically says the issuer of the client cert is not in CMDB.

C. Set the user certificate as the Server Certificate– incorrect; server and client certificates serve different roles.

D. Import the CA that signed the user certificate to FortiGate– this directly addresses the debug error and aligns with the documented requirement that the CA which issued the user certificate must be known to FortiGate.

In FortiLink topologies, a managed FortiSwitch normally gets itsmanagement IP automaticallyfrom theDHCP server on the FortiLink interface. If the switch does not receive an IP:

It cannot form the FortiLink CAPWAP/DTLS control channel.

Therefore it doesnot appearunderWiFi & Switch Controller > FortiSwitch.

FortiOS documentation states that FortiLink uses abuilt-in DHCP serveron the FortiLink interface for onboarding switches.

So thefirst troubleshooting stepis to confirm:

The FortiLink DHCP server is enabled.

Leases are being handed out to the FortiSwitch MAC.

Other options:

A: Security policies do not affect the L2 FortiLink control channel.

B: Static IP may be used but is not the normal first step.

D: Internet access is not required for FortiGate to see the switch.

In this design, FortiAuthenticator receivesRADIUS accounting (RSSO) messages, looks up the user in LDAP to get group information, theninjects FSSO logon eventstoward all FortiGate devices.

From the exhibits we know:

FortiAuthenticatoris receiving RADIUS accountingfrom the RADIUS server.

LDAP queries are successful and return group membership.

But FortiGatedoes not receive FSSO logons, so identity-based policies are not applied.

For FortiAuthenticator to create an FSSO logon, the RADIUS accounting record must be correctlyparsed into at least:

Username

Client IP address

These are mapped from the RADIUS attributes in theRADIUS Accounting SSO clientconfiguration (for example, User-Name and Framed-IP-Address). If these are not defined or mapped incorrectly, FortiAuthenticator can see the accounting packet butcannot build a valid FSSO session, so no update is sent to FortiGate.

Thus the most likely root cause is:

✔The RADIUS Username and Client IPv4 attributes are not correctly definedfor that RADIUS Accounting SSO client (optionA).

Other options conflict with the scenario:

B– LDAP is already successfully returning groups.

C– FSSO user group attribute is separate; even without it, FSSO logons would still be created (just without group mapping).

D– The interfaceisreceiving RADIUS accounting, so it is clearly enabled.

Auto TX power control on FortiAP is an RF-optimization feature:

FortiGate (as wireless controller) continuously evaluatesRSSI of associated clientson each FortiAP radio.

The algorithm focuses on theweakest client(the one with the worst signal) and adjusts the AP’s transmit power so that this client’s signal level stays within a configured / target range.

This helps balance coverage and limit co-channel interference: APs don’t transmit at maximum power when clients are close, but will increase power when the weakest client signal drops too low.

Therefore the correct behavior description is:

✔C– AP power is adjusted based on the weakest associated client’s signal.

Why the others are wrong:

AandBtalk about matching nearby APs’ power or forcing everything to –70 dBm, which is not how FortiAP auto TX works.

Dincorrectly states the AP “evaluates its own transmission from the client perspective”; the AP can only infer client-side conditions from theclient’s RSSI at the AP, not the inverse.

From the exhibits:

FortiSwitch Ports viewshows:

port2

Mode: Static

Native VLAN: Students

Allowed VLANs: quarantine.fortilink (quarantine)

NAC policy “Training”:

Switch FortiLink: fortilink

Category:Device

Matching criteria:

MAC Address: 70:88:6b:8c:4b:0e (enabled)

Operating System:Linux(enabled)

Switch Controller Action:

Assign VLAN = Students

Bounce Port = enabled

Design intent:

Device with that MAC + OS Linux, when plugged intoport2, should be dynamically moved to VLANStudentsby the NAC policy.

Why it doesn’t work now

On FortiLink NAC,dynamic NAC decisions only apply on ports whose “Access Mode” is set to NAC:

NAC mode = FortiGate controls theonboarding VLAN, evaluates NAC policies, and then dynamically reassigns the switch port VLAN (access, quarantine, etc.).

Static mode(what we see on port2) means the port just uses its configurednative/allowed VLANs, andno NAC classificationhappens.

Right now:

port2 is astatic access portwith Native VLAN = Students.

The NAC policy exists, butFortiSwitch is not in NAC enforcement mode on that port, so the policy is never evaluated for traffic on port2.

Therefore, themissing configurationis:

Setport2toNAC mode(sometimes called “Access mode: NAC” or “NAC LAN edge port”).

Once port2 is changed to NAC mode:

Device initially lands in the onboarding/quarantine VLAN.

FortiGate collects device info (MAC, OS, etc.).

NAC policy “Training” matches MAC + Linux.

Switch controller actionAssign VLAN = Studentsis applied.

Port is bounced (if configured), bringing the device back up in VLAN Students.

Why the other options are wrong

B. MAC or OS misconfigured

Possible in general, but the question asks forwhich configuration is missing, and the exhibits clearly focus on port mode. Also, even with wrong MAC/OS, the port would still be in NAC mode; here NAC isn’t even active.

C. Port Policy mode

Port policy (edge/trunk) is separate from NAC; NAC requires the specificNAC access mode.

D. Students VLAN should be Allowed VLANs instead of Native VLAN

For an access port, having Students as thenative VLANis correct. NAC policy’s Assign VLAN will set that as access VLAN; no need to make it an allowed trunk VLAN.