FCSS_NST_SE-7.6 Practice Questions

The correct answers are B and D .

The study guide explains that expectation sessions are pinhole sessions created by session helpers for protocols such as FTP that need additional negotiated connections. It states: “FortiGate created an expectation session and opened the pinhole port for the expected return traffic” and also shows that the firewall “creates an expected (pinhole) session to allow the traffic”

That makes D correct.

For B , the study guide explains the gwy= field in session output: the first value is the gateway to the destination , and the second is the gateway to the source

In the exhibit, the original-direction traffic is DNATed here:

hook=pre dir=org act=dnat 10.171.121.38:0- > 10.200.1.1:60426(10.0.1.10:50365)

So the destination after DNAT is the internal host 10.0.1.10, and the session’s first gwy value corresponds to the next hop toward that destination. That makes B correct.

Why the other options are wrong:

A is wrong because this is an expectation/session-helper behavior, not an IPS-engine-created session. The study guide ties expectation sessions to helpers such as FTP, not IPS.

C is wrong because 10.200.1.1 is the translated address used before DNAT, not the next hop used to forward the original-direction traffic after translation to the internal destination.

So the verified answers are: B, D .

The partial output from diagnose hardware sysinfo memory provides details on system RAM allocation. According to Fortinet ' s technical documentation for memory troubleshooting and Linux memory management (which FortiOS is based on):

MemFree is the portion of physical memory not currently allocated to any running process or kernel function. Thus, 708880 kB is available and can be immediately used by user-space programs or system operations.

Inactive refers to pages in the memory cache that were previously in use for I/O or file system buffering but are now not actively referenced. These pages are retained in memory for quick access if needed again, but can be reclaimed for other memory operations if demand increases. The value 98908 kB here represents currently unused cache pages (inactive pages), ready for repurposing or deletion if the system requires more RAM.

Cached represents the total amount of system memory allocated to cache, which includes both active and inactive cache pages. It does not, by itself, represent I/O cache exclusively, nor does " inactive " mean memory “will never be used” as the kernel can re-purpose inactive pages on demand.

The correct answers are B and C .

The study guide has a section titled “Not Verified Status on the Collector Agent” and states:

“The collector agent cannot verify if the user is still logged in” and lists these common causes :

“A firewall is blocking traffic to port 139 and 445”

“The workstation remote registry service is not running”

The guide also explains the verification method:

“For WMI polling mode, the collector agent checks the WMI service. For all the other modes, the collector agent checks the HKEY_USERS hive through remote registry services.” If the workstation does not respond to these checks, the status can become not verified

An additional requirements slide in the same study guide confirms:

“TCP ports 139 and 445 must be open between the collector agent and all workstations”

“Remote registry service must be up and running on each workstation”

Why the other options are wrong:

A is wrong because the study guide mentions a workstation coming out of hibernate mode under a different problem: “No Internet After IP Address Change” , not as a common cause of Not Verified status

D is wrong because DNS resolution issues are also discussed under the IP address change scenario, where the collector agent uses DNS to resolve the workstation name after an IP change. That is separate from the Not Verified causes listed for this log message

So the verified answers are: B, C .