The Fortinet NSE 6 - Network Security 7.6 Support Engineer (FCSS_NST_SE-7.6)

To determine why sessions are being removed, we must interpret the specific counters in the diagnose sys session stat output provided in the exhibit.

Analyze memory_tension_drop (Reason A):

Observation: The output shows memory_tension_drop=4.

This counter specifically increments when the FortiGate kernel attempts to allocate a new memory page for a session but fails due to a lack of available system memory. As a result, the session creation is aborted or an existing session is dropped to free up resources. This confirms that the kernel is struggling to allocate memory pages.

Analyze extreme_low_mem (Reason D):

Observation: The output shows extreme_low_mem=0 (which is good), but we must look at the context of memory_tension_drop.

Context: While the extreme_low_mem counter itself is 0 in this snapshot, the presence of memory_tension_drop indicates the system is under memory pressure. Furthermore, in many Fortinet exam contexts involving this specific exhibit, the focus is on the mechanism of " flushing sessions " to recover memory.

Refinement: Actually, look closer at the exhibit. It shows flush=787.

The flush counter indicates the number of times the system has actively purged (flushed) old or stale sessions from the table to recover memory or due to policy changes. A high flush count combined with memory tension drops strongly suggests the system is aggressively removing sessions to handle high memory usage. Therefore, " FortiGate is flushing sessions because of high memory usage " is the correct interpretation of the flush and memory_tension_drop counters working together.

Why other options are incorrect:

B: There is no counter in this specific output (like tcp_syn_sent drop) that indicates dropping incomplete handshakes. The clash=0 and delete=0 counters are low/zero.

C: The dev_down=16/120 field does not mean the device was down for 10 seconds. It refers to device index pointers or internal kernel interface states, not system uptime/downtime impacting session acceptance in the way described.

For Option A:In Fortinet BGP (and standard BGP), when a prefix is displayed with an " i " (lowercase i) in the Path column, it represents an internal prefix that originated from the local router, typically configured via the BGP " network " command. In the exhibit, the prefix 10.20.30.0/24 is listed with a Path value of i, indicating it was injected into BGP by the local router using the network statement, not via redistribution from another routing protocol. The same logic applies to i as documented: " Origin code ' i ' means the route was injected via the network command. "

For Option D:The get router info bgp network output is a summary table displaying both local and received BGP routes. It lists all known routes to the BGP process, whether received from peers or originated locally. The exhibit shows all BGP prefixes known to the local router, matching the official admin guide’s description of this command’s output.

Explanation for B and C:

The phrase “legacy route advertisement” is not formalized in BGP documentation or Fortinet’s admin guide; the output uses standard BGP mechanics.

If a route was redistributed into BGP from another routing protocol, the Path field would display a " ? " (question mark) for incomplete (redistributed) origin. Here the /24 route has " i " so it is NOT a redistribution.

According to the official Fortinet administration guide for FortiOS 7.6.4 under the section " Configuring a RADIUS server, " the supported RADIUS authentication methods you can configure via the CLI with config user radius are:

pap

chap

mschap

mschapv2

auto

The relevant CLI syntax is set auth-type {auto | ms_chap_v2 | ms_chap | chap | pap}​. You can confirm this directly in the configuration table and from real CLI sessions.

EAP (Extensible Authentication Protocol) is NOT an authentication option you can directly set under config user radius. EAP methods (such as EAP-TLS, EAP-PEAP, EAP-TTLS) are negotiated between the RADIUS client and server but are not configurable as an explicit auth-type option in FortiOS. EAP authentication is typically used automatically by features like 802.1X, not through the user radius object authentication-type setting, and always requires proper backend workings between supplicant and RADIUS server

From the exhibit, you can observe that the debug output captures an IKEv1 negotiation in aggressive mode. Let ' s break down the supporting details in line with official Fortinet IPsec VPN troubleshooting resources and debug guides:

For Option B:

The very first line of the debug output shows:

comes 10.0.0.2:500- > 10.0.0.1:500, ifindex=7.

This indicates the traffic direction—from the remote IP (10.0.0.2) with port 500 to the local IP (10.0.0.1) with port 500. According to Fortinet ' s documentation, the right side of the arrow always represents the local FortiGate gateway. Thus, 10.0.0.1 is the local gateway IP address.

For Option D:

You see the statement:

negotiation result " remote "

and

received peer identifier FQDNCE88525E7DE7F00D6C2D3C00000000

Official debug documentation describes that the " peer identifier " or peer ID sent by the initiator is displayed here. In the context of IKE/IPsec negotiation, this value is used as the IPsec peer ID for authentication and identification purposes. The initiator is providing " remote " as the peer ID for its connection.

Why Not A or C:

Perfect Forward Secrecy (PFS): The debug does not show any DH group negotiation in phase 2 (no reference to group2, group5, etc., for phase 2), so you cannot deduce the presence of PFS solely from this output.

Phase 2 negotiation: The log focuses on IKE (phase 1) negotiation and establishment; there’s no reference to ESP protocol, Quick Mode, or other identifiers that would show phase 2 SA negotiation and establishment.

This interpretation aligns with the explanation in the FortiOS 7.6.4 Administration Guide ' s VPN section and the official debug command output samples published in Fortinet’s documentation. It demonstrates how to distinguish between local and remote addresses and how to identify the use of peer IDs.

The exhibit for question 4 shows a policy route table entry, and key fields are as follows:

internet service(1) : Fortinet-FortiGuard(1245324,0.0.0.0,0.0.0.0)

According to the Fortinet official documentation, when a policy route is based on Internet Service Database (ISDB) entries, the route entry will specifically mention “internet service,” showing the service being referenced (in this example, Fortinet-FortiGuard). This is fundamentally different from a regular policy route, which is defined by source, destination, and service wildcards without referencing an ISDB signature. A regular policy route ' s output would not contain the line “internet service.”

Policy routes that use ISDB allow FortiGate to steer traffic for specific well-known services (like FortiGuard, Google, Microsoft) based on traffic pattern recognition, even if the destination IP is dynamic. The matching and route selection follow the ISDB tag and can coexist with static or regular policy routes.

Thus, this entry is correctly and uniquely an ISDB route, as explained in the FortiOS policy routing documentation and ISDB configuration references.

The 8.8.8.8/32 route is visible in the OSPF database on FGT-B but not installed into the routing table—the most likely explanation is that FGT-B is filtering it from being installed.

According to the official Fortinet documentation (Technical Tip: Useful FSSO Commands), heartbeat messages play a crucial role in communication between the FSSO Collector Agent and FortiGate. These messages are regularly sent from the Collector Agent to verify its status, maintain session awareness, and confirm connectivity between the authentication infrastructure and FortiGate appliances.

Option B is confirmed by Fortinet, as the collector agent logs on Windows or its management console will specifically note heartbeat events, connection status, and any issues maintaining contact with FortiGate units.

Option C is validated by both official CLI documentation and the technical tip linked. On FortiGate, heartbeat messages from the collector agent are visible using real-time debug tools such as diagnose debug application authd or FSSO-specific commands. These enable administrators to monitor live logon states, session status, and connection health directly from the FortiGate CLI. The debug stream shows heartbeats received and their effect on active logons, associating health monitoring with active sessions.

Heartbeat operation is fully automated once FSSO is set up—there is no requirement for manual enablement or configuration, aligning with Fortinet’s philosophy of seamless integration and centralized management across the Security Fabric. This ensures that both FortiGate and the collector agent can quickly and reliably detect any miscommunication or outage, addressing authentication issues proactively.