CertPrepNow
Fortinet > FCSS_LAN_EDGE 7.6 (86 concepts)

FCSS_LAN_EDGE 7.6 Cheat Sheet

Quick reference for the Fortinet FCSS - LAN Edge 7.6 exam.

FortiLink Protocol Fundamentals

FortiLink
Fortinet proprietary protocol allowing FortiGate to discover, authorize, and centrally manage FortiSwitch units over Ethernet — extends Security Fabric to switch ports.
FortiLink vs CAPWAP
FortiLink manages FortiSwitch (wired switches); CAPWAP manages FortiAP (wireless APs). Both enable centralized FortiGate control but for different device types.
FortiLink DHCP requirement
A DHCP server must be enabled on the FortiLink interface (it is created enabled by default) so each FortiSwitch can obtain its management IP during discovery; without it, switches cannot complete discovery and never become manageable.
FortiSwitch authorization states
After first FortiLink connection a switch appears as Unauthorized — it must be explicitly authorized (or auto-authorization enabled) before it can be managed.
Security policies and FortiLink
Security policies on FortiGate control transit (user) traffic only — they do NOT affect FortiLink management traffic between FortiGate and managed switches.
FortiLink interface config (CLI)
Enable switch controller and create a FortiLink interface with an IP and DHCP server so managed FortiSwitch units can be discovered.

FortiSwitch Configuration CLI

config system global set switch-controller enable end
Enable the FortiGate switch controller — prerequisite before any FortiSwitch can be managed via FortiLink.
config system interface edit "fortilink" set ip 172.16.16.254 255.255.255.0 set fortilink enable set auto-auth-extension-device enable next end
Create a FortiLink interface; auto-auth-extension-device enables automatic FortiSwitch authorization on discovery.
config switch-controller managed-switch edit <FortiSwitch_SN> set fsw-wan1-admin enable next end
Manually authorize a specific FortiSwitch unit by serial number in the switch controller; fsw-wan1-admin is still the authorization flag in FortiOS 7.x (a switch that has been seen but not yet authorized shows the value 'discovered'). This is the CLI equivalent of Authorize in the GUI.
execute switch-controller get-conn-status <SN>
Verify the connection health and status of a managed FortiSwitch by serial number.
execute switch-controller diagnose-connection <SN>
Run full FortiLink connectivity diagnostics against a specific managed FortiSwitch.
diagnose switch-controller switch-info port-stats
View per-port traffic statistics on managed FortiSwitch units from the FortiGate CLI.
diagnose switch-controller switch-info mac-table
Display the MAC address table of managed FortiSwitch units — useful for troubleshooting client connectivity.

VLAN Management on Managed FortiSwitch

VLAN optimization
Limits auto-generated ISL (inter-switch link) trunks to carry only the VLANs actually assigned to ports on the switches behind them instead of all VLANs; reduces unnecessary broadcast and flooded traffic on trunks.
Quarantine VLAN 4093
Default quarantine VLAN (interface name 'quarantine', ID 4093) on managed FortiSwitch; it is automatically included in the allowed VLANs of all FortiSwitch ports so that compromised or non-compliant devices can be moved into it by MAC rather than disconnected.
ISL trunk VLAN pruning
Manually removing specific VLANs from inter-switch link trunks; distinct from VLAN optimization which restricts auto-generated trunks globally.
Native VLAN vs allowed VLANs
Native VLAN carries untagged frames on a trunk port; allowed VLANs lists which VLANs are permitted on the trunk — both are configured per-port from FortiGate.
diagnose switch-controller switch-info trunk status
Check trunk port configuration and status on managed FortiSwitch units including allowed VLANs.
diagnose switch-controller switch-info stp
Check Spanning Tree Protocol status on managed FortiSwitch — used to troubleshoot loop prevention and topology changes.

FortiAP and CAPWAP Wireless

CAPWAP ports
CAPWAP uses UDP 5246 (control plane) and UDP 5247 (data plane) — firewalls between FortiGate and FortiAP must allow both ports.
Tunnel mode
All wireless client traffic is encapsulated in a CAPWAP tunnel back to FortiGate for inspection — required when FortiGate security policies must inspect wireless traffic.
Bridge mode
Wireless traffic is bridged locally at the AP to the wired network — lower latency but traffic bypasses FortiGate inspection; use for performance-sensitive local SSIDs.
Security Fabric Connection required
FortiAPs only appear in the Security Fabric topology when connected to an interface with Security Fabric Connection enabled — missing this setting prevents AP onboarding.
Wireless NAC: 2 VLANs required
Wireless NAC requires at minimum 2 VLANs with L3 settings including DHCP: one onboarding VLAN and one or more target VLANs — without both, clients cannot be dynamically reassigned.
diagnose wireless-controller wlac -c wtp
List all wireless access points and their connection status from FortiGate — the primary command to verify AP discovery and state.
diagnose wireless-controller wlac -c sta
Display all currently connected wireless clients (stations) across all managed FortiAP devices.
diagnose wireless-controller wlac -c vap
Show virtual access point (SSID) configuration data as seen by the wireless controller.

RADIUS Authentication

RADIUS ports
RADIUS uses UDP 1812 for authentication and UDP 1813 for accounting — legacy ports 1645/1646 also exist but 1812/1813 are standard.
config user radius edit "RADIUS-SRV" set server "192.168.1.10" set secret "SharedSecret" set radius-port 1812 set auth-type auto next end
Configure a RADIUS server on FortiGate with server IP, shared secret, and authentication port.
diagnose test authserver radius <server_name> pap <username> <password>
Test RADIUS server connectivity and authenticate a user directly from the FortiGate CLI — essential for troubleshooting authentication failures.
RADIUS shared secret mismatch
A mismatched shared secret does not produce an Access-Reject: per RFC 2865 the server discards a request whose User-Password or Message-Authenticator does not verify, so FortiGate only sees a timeout, and FortiGate likewise drops a reply whose Response Authenticator does not verify. Check that the secret matches exactly on both sides, including trailing whitespace.
Dynamic VLAN RADIUS attributes
Three RADIUS attributes are required for dynamic VLAN assignment: Tunnel-Type (=VLAN/13), Tunnel-Medium-Type (=802/6), Tunnel-Private-Group-ID (=VLAN ID or name) — missing any one causes fallback to default VLAN.

LDAP Authentication

LDAP ports
Standard LDAP uses TCP 389 (cleartext); LDAPS (LDAP over TLS) uses TCP 636 (encrypted) — use 636 when encrypted LDAP communication is required.
config user ldap edit "AD-LDAP" set server "192.168.1.20" set cnid "sAMAccountName" set dn "dc=corp,dc=local" set type regular set username "corp\\binduser" set password <bind_password> set port 389 next end
Configure an LDAP server on FortiGate for Active Directory integration with regular bind type.
LDAP bind types: simple vs regular vs anonymous
Simple: FortiGate binds directly as the user's DN built from cnid and dn (no directory search, so users must sit directly under the base DN). Anonymous: FortiGate performs an anonymous search for the user's DN, then binds as the user. Regular: FortiGate binds with a configured service account to search for the user's DN, then binds as the user; required for Active Directory, which rejects anonymous search by default. None of the three encrypts the exchange; that requires LDAPS or STARTTLS. The exam tests which to use for a given directory and security requirement.
LDAPS (encrypted): set secure ldaps / set port 636
Enable LDAPS by setting secure mode to ldaps and changing the port from 389 to 636 in the LDAP server configuration.
diagnose test authserver ldap <server_name> <username> <password>
Test LDAP server connectivity and validate user credentials from the FortiGate CLI.
cnid (Common Name Identifier)
The LDAP attribute used to identify users — use sAMAccountName for Active Directory, cn for OpenLDAP, or uid for some UNIX directories.

SSO: FSSO and RSSO

FSSO (Fortinet Single Sign-On)
Monitors Windows Active Directory domain controller logon events via DC Agent or polling — forwards user-to-IP mappings to FortiGate for transparent identity-based policy enforcement.
RSSO (RADIUS Single Sign-On)
FortiGate receives RADIUS accounting Start/Stop messages directly from network devices acting as RADIUS clients (wireless controllers, switches, VPN concentrators) and builds user-to-IP sessions from them; alternatively FortiAuthenticator collects the accounting messages and forwards the resulting sessions to FortiGate over FSSO.
FSSO vs RSSO trigger source
FSSO is triggered by Windows AD logon events; RSSO is triggered by RADIUS accounting messages from network devices — exam tests knowing which to use based on infrastructure.
diagnose debug authd fsso list
Review current FSSO user authentication records and user-to-IP mappings as seen by the FortiGate.
execute fsso refresh
Manually synchronize the FSSO logged-on user list — use when users are not being identified after a domain logon.
FortiAuthenticator dual role
FortiAuthenticator can act as both a RADIUS authentication server (answering Access-Requests, optionally with 2FA) and a RADIUS accounting server (receiving accounting Start/Stop messages from network devices for single sign-on); the devices sending those messages are the RADIUS clients. Do not confuse the two roles.
config user fsso edit "FAC-FSSO" set server "192.168.1.30" set port 8000 set password <collector_password> next end
Configure an FSSO agent connector on FortiGate pointing to a FortiAuthenticator or FSSO Collector Agent.

Two-Factor Authentication and Certificates

FortiToken types
FortiToken hardware (physical OTP token), FortiToken Mobile (smartphone app), email token, and SMS token — all deliver the second factor for 2FA.
2FA requires per-user FortiToken assignment
Simply enabling 2FA globally is not sufficient — each user account must have a FortiToken explicitly associated with it in the user configuration.
2FA on FortiGate vs FortiAuthenticator
FortiGate can handle 2FA directly for local users; FortiAuthenticator is used for 2FA when authenticating against RADIUS/LDAP backends or at larger scale.
Certificate-based authentication
Digital certificates used for user and device authentication; FortiAuthenticator can act as the Certificate Authority (CA) issuing and validating certificates.
config user local edit "john" set two-factor fortitoken set fortitoken "FTKMOB..." set email-to "john@corp.com" next end
Associate a FortiToken Mobile with a local user account to enable two-factor authentication on FortiGate.

Guest Portal and Captive Portal

Guest portal VLAN isolation
Guest users are placed in a dedicated guest VLAN with internet-only access — the guest VLAN must be isolated from production VLANs via firewall policy.
Captive portal redirect mechanism
Unauthenticated HTTP requests are intercepted and redirected to the captive portal page — HTTPS interception requires importing the FortiGate CA certificate on the client.
Guest portal on FortiAuthenticator
FortiAuthenticator can host a self-service guest portal where sponsors create temporary accounts; credentials can be delivered by SMS or email to the guest.
config wireless-controller vap edit "guest-ssid" set security captive-portal set captive-portal-fw-accounting enable next end
Configure a wireless SSID to use captive portal authentication — clients connect and are redirected to login before gaining network access.

FortiSwitch Port Security Features

DHCP snooping
Filters DHCP responses on untrusted ports — prevents rogue DHCP servers from assigning addresses; configured on managed FortiSwitch ports via FortiGate.
Dynamic ARP Inspection (DAI)
Validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing/poisoning attacks on managed FortiSwitch ports.
IP source guard
Restricts traffic on a port to only the IP/MAC address learned during DHCP — drops packets with spoofed source IPs on managed FortiSwitch ports.
Storm control
Limits broadcast, multicast, or unknown unicast traffic on FortiSwitch ports to prevent network storms — configured as packets-per-second threshold via FortiGate.
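The three features above (DHCP snooping, DAI and IP source guard) share one data structure, the snooping binding table. The following Python simulation, added here as an illustration and not code from the page or from Fortinet, replays a constructed sequence of frames through a switch model: a DHCP Request on an untrusted access port, the server's ACK on the trusted uplink (port1), a rogue DHCP Offer on an access port, and ARP and IP frames that either agree with the learned lease or do not. Port names, MACs and addresses are made up for the example.

```python
from dataclasses import dataclass

# Constructed sample traffic for this example (not from the page). Port names,
# MAC addresses and IPs are invented; port1 plays the trusted uplink to the DHCP server.


@dataclass
class Frame:
    port: str            # ingress port
    kind: str            # dhcp-request | dhcp-offer | dhcp-ack | arp | ip
    src_mac: str
    src_ip: str = ""     # ARP sender IP, IPv4 source, or yiaddr on a DHCP ACK
    client_mac: str = "" # DHCP ACK only: the client the lease is for
    vlan: int = 10


class SnoopingSwitch:
    def __init__(self, trusted):
        self.trusted = set(trusted)
        self.pending = {}    # (vlan, client_mac) -> access port that sent the DHCP Request
        self.bindings = {}   # (vlan, mac) -> (ip, port): the DHCP snooping binding table
        self.dropped = []    # (port, kind, reason) for every dropped frame

    def _drop(self, f, reason):
        self.dropped.append((f.port, f.kind, reason))
        return False

    def ingress(self, f):
        """Return True if the frame is forwarded, False if dropped."""
        key = (f.vlan, f.src_mac)
        if f.kind == "dhcp-request":
            if f.port not in self.trusted:
                self.pending[key] = f.port   # remember where the client asked from
            return True
        if f.kind in ("dhcp-offer", "dhcp-ack"):
            # DHCP snooping: server messages are only accepted from trusted ports
            if f.port not in self.trusted:
                return self._drop(f, "DHCP server message on untrusted port")
            ckey = (f.vlan, f.client_mac)
            if f.kind == "dhcp-ack" and ckey in self.pending:
                self.bindings[ckey] = (f.src_ip, self.pending.pop(ckey))
            return True
        if f.port in self.trusted:
            return True                      # DAI and IPSG only inspect untrusted ports
        binding = self.bindings.get(key)
        if f.kind == "arp":
            # Dynamic ARP Inspection: sender MAC/IP must match a snooped lease
            if binding is None or binding[0] != f.src_ip:
                return self._drop(f, "DAI: %s/%s not in binding table" % (f.src_mac, f.src_ip))
        elif f.kind == "ip":
            # IP source guard: source IP must be the one leased to this MAC on this port
            if binding != (f.src_ip, f.port):
                return self._drop(f, "IPSG: %s not leased to %s on %s" % (f.src_ip, f.src_mac, f.port))
        return True


def run_sample():
    """Replay the constructed frames; returns the forward/drop verdicts and the switch."""
    sw = SnoopingSwitch(trusted={"port1"})
    cam = "00:11:22:33:44:55"
    events = [
        Frame("port5", "dhcp-request", cam),
        Frame("port1", "dhcp-ack", "00:aa:bb:cc:dd:01", src_ip="10.0.10.20", client_mac=cam),
        Frame("port7", "dhcp-offer", "00:de:ad:be:ef:00", src_ip="10.0.10.99"),  # rogue server
        Frame("port5", "arp", cam, src_ip="10.0.10.20"),   # legitimate ARP from the lease holder
        Frame("port5", "arp", cam, src_ip="10.0.10.1"),    # claims the gateway IP: ARP poisoning
        Frame("port5", "ip", cam, src_ip="10.0.10.20"),    # legitimate traffic
        Frame("port6", "ip", cam, src_ip="10.0.10.20"),    # same MAC/IP cloned onto another port
        Frame("port5", "ip", cam, src_ip="10.0.10.77"),    # spoofed source address
    ]
    return [sw.ingress(f) for f in events], sw
```

Only the two lease-consistent frames and the DHCP exchange itself are forwarded; the rogue Offer, the gateway-claiming ARP, the cloned MAC on port6 and the spoofed source are all dropped with a reason recorded in `sw.dropped`, which is the information a practitioner would look for in the corresponding FortiSwitch logs.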
config switch-controller security-policy local-access edit "port-sec" set mgmt-allowaccess https ssh next end
Restrict which management protocols the FortiSwitch itself accepts: mgmt-allowaccess for the dedicated mgmt port and internal-allowaccess for the in-band (FortiLink) side. This hardens the switch's own management plane; it is not a per-port security setting.

Network Access Control (NAC)

802.1X authentication roles
Supplicant (endpoint software), Authenticator (FortiSwitch port), Authentication Server (RADIUS) — 802.1X requires a supplicant; devices without one must fall back to MAB.
Authentication order: 802.1X → MAB → Captive Portal
802.1X is attempted first; if no supplicant responds MAB is tried; captive portal is the final fallback for web-based authentication — order matters on exam questions.
MAC Authentication Bypass (MAB)
Fallback for devices that cannot run 802.1X supplicants (printers, cameras, IoT) — the switch sends the device MAC address as both username and password to RADIUS.
MAB MAC format
MAB sends the MAC address as User-Name and User-Password; its case and delimiters are set in the 802.1X security policy (mac-case, mac-username-delimiter, mac-password-delimiter), giving forms such as aabbccddeeff or AA-BB-CC-DD-EE-FF. The format must match the entry on the RADIUS server exactly or authentication fails.
config switch-controller mac-policy edit "vlan-assign" set vlan "vlan30" next end / config user nac-policy edit "IoT-Policy" set category device set family "Cameras" set switch-fortilink "fortilink" set switch-mac-policy "vlan-assign" next end
Create a NAC policy matching a detected device category and family on managed FortiSwitch ports; the VLAN is not set on the NAC policy itself but comes from the referenced mac-policy (here the VLAN interface named "vlan30"), which is applied to the matching MAC address.
NAC policy evaluation order
NAC policies are evaluated top-to-bottom; the first matching policy is applied — incorrect ordering is a common misconfiguration causing wrong VLAN assignment.
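First-match evaluation makes a broad policy placed above a specific one swallow every device the specific one was written for. The Python below, added as an illustration rather than taken from the page or from FortiOS, models a NAC policy list as match criteria (unset fields are wildcards, as in `config user nac-policy`) plus the VLAN the referenced mac-policy assigns, evaluates a device against two orderings, and adds a shadowing check that flags any policy that can never match because an earlier, less specific policy already covers it. Policy names, vendors and VLAN names are constructed.

```python
# Constructed policies and devices for this example (not from the page).
# "match" holds the device attributes a nac-policy sets; unset attributes are wildcards.
# "vlan" is what the policy's mac-policy would assign.

BAD_ORDER = [
    {"name": "all-axis", "match": {"hw-vendor": "Axis"}, "vlan": "vlan40"},
    {"name": "axis-cameras", "match": {"hw-vendor": "Axis", "family": "Cameras"}, "vlan": "vlan30"},
]
GOOD_ORDER = [BAD_ORDER[1], BAD_ORDER[0]]   # specific policy first

AXIS_CAMERA = {"hw-vendor": "Axis", "family": "Cameras", "os": "Linux"}
AXIS_DOORBELL = {"hw-vendor": "Axis", "family": "Door Controllers"}
UNKNOWN = {"hw-vendor": "Acme"}


def matches(policy, device):
    """A policy matches when every criterion it sets equals the device's detected value."""
    return all(device.get(k) == v for k, v in policy["match"].items())


def evaluate(policies, device, default_vlan="onboarding"):
    """Top-to-bottom, first match wins; no match leaves the device on the default VLAN."""
    for policy in policies:
        if matches(policy, device):
            return policy["name"], policy["vlan"]
    return None, default_vlan


def shadowed(policies):
    """Return (later, earlier) pairs where `earlier` matches every device `later` would.

    `earlier` shadows `later` when each of its criteria is also a criterion of `later`
    with the same value: the later policy is unreachable and its VLAN never applied."""
    pairs = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier["match"].items() <= later["match"].items():
                pairs.append((later["name"], earlier["name"]))
    return pairs


if __name__ == "__main__":
    for order in (BAD_ORDER, GOOD_ORDER):
        print([p["name"] for p in order], evaluate(order, AXIS_CAMERA), shadowed(order))
```

Running `shadowed()` over the exported policy list before deployment catches the ordering mistake without waiting for a camera to land on the wrong VLAN; the same check generalises to any first-match list, including firewall policies.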
Dynamic VLAN assignment
RADIUS server returns VLAN attributes during authentication placing the user in a specific VLAN based on role — requires all three Tunnel attributes to function.
VLAN pooling
Multiple VLANs grouped into a pool; authenticated users distributed across VLANs using round-robin or hash to prevent broadcast domain overcrowding.
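The RADIUS exchange behind MAB and dynamic VLAN assignment (the shared-secret, Tunnel attribute and MAB-format items in the RADIUS and NAC sections above) is small enough to build by hand. The following Python, added here as an illustration and not code from the page, from FortiOS or from any RADIUS server, constructs the switch's Access-Request for a MAB client (User-Name and User-Password both the formatted MAC, the password hidden per RFC 2865), has a toy server answer with the three RFC 2868 tunnel attributes, verifies the Response Authenticator on the switch side, and extracts the VLAN only when all three attributes are present and consistent. The secret, MAC, VLAN and the fixed Request Authenticator are constructed values.

```python
import hashlib
import struct

# Constructed values for this example (not from the page): a shared secret, a device
# MAC and the VLAN the toy RADIUS server returns for it. A real Request Authenticator
# is 16 random bytes; the example uses a fixed one so results are reproducible.
SECRET = b"SharedSecret"
CAMERA_MAC = "AA:BB:CC:DD:EE:FF"
MAC_TO_VLAN = {"aabbccddeeff": 30}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def mab_username(mac, delimiter="", upper=False):
    """Format a MAC the way the switch's MAB policy dictates (case and delimiter)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    name = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return name.upper() if upper else name


def _md5_stream(data, secret, req_auth, hiding):
    """RFC 2865 s5.2 User-Password transform; the chain runs on ciphertext blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out


def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    return _md5_stream(padded, secret, req_auth, hiding=True)


def reveal_password(hidden, secret, req_auth):
    return _md5_stream(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")


def avp(attr_type, value, tag=None):
    """One attribute-value pair; RFC 2868 tunnel attributes carry a leading tag byte."""
    data = (bytes([tag]) if tag is not None else b"") + value
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def parse_attrs(blob):
    attrs, i = {}, 0
    while i < len(blob):
        attr_type, length = blob[i], blob[i + 1]
        attrs.setdefault(attr_type, []).append(blob[i + 2:i + length])
        i += length
    return attrs


def build_access_request(mac, secret, req_auth, ident=7):
    """Switch side of MAB: User-Name and User-Password are both the formatted MAC."""
    name = mab_username(mac).encode()
    attrs = avp(USER_NAME, name) + avp(USER_PASSWORD, hide_password(name, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_respond(request, secret, omit=()):
    """Toy server: check the MAB credential, answer with the three VLAN attributes
    (attribute types listed in `omit` are left out to show the switch's fallback)."""
    code, ident, _ = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:])
    name = attrs[USER_NAME][0]
    password = reveal_password(attrs[USER_PASSWORD][0], secret, req_auth)  # garbage if secret differs
    vlan = MAC_TO_VLAN.get(name.decode(errors="replace"))
    body, rcode = b"", ACCESS_REJECT
    if code == ACCESS_REQUEST and password == name and vlan is not None:
        rcode = ACCESS_ACCEPT
        wanted = [(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),        # 3-byte value after tag
                  (TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:]),
                  (TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode())]
        body = b"".join(avp(t, v, tag=1) for t, v in wanted if t not in omit)
    header = struct.pack("!BBH", rcode, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(response, req_auth, secret):
    """Switch side: a reply computed with a different secret is silently discarded."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + req_auth + body + secret).digest() == resp_auth


def assigned_vlan(response):
    """VLAN only when all three tunnel attributes are present and consistent; None means
    the switch keeps the port's default VLAN."""
    if response[0] != ACCESS_ACCEPT:
        return None
    attrs = parse_attrs(response[20:])
    try:
        ttype = int.from_bytes(attrs[TUNNEL_TYPE][0][1:], "big")
        medium = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][0][1:], "big")
        group = attrs[TUNNEL_PRIVATE_GROUP_ID][0]
    except KeyError:
        return None
    if ttype != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE802:
        return None
    return (group[1:] if group[0] <= 0x1F else group).decode()   # strip the optional tag byte
```

Feeding `server_respond()` a wrong secret yields an Access-Reject because the revealed password no longer equals the User-Name, and `verify_response()` with a wrong secret on the switch side returns False; neither path produces a descriptive error, which is the behaviour the shared-secret item above warns about. Dropping any one tunnel attribute via `omit` makes `assigned_vlan()` return None, the fallback to the port's default VLAN.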

802.1X CLI Configuration

config switch-controller security-policy 802-1X edit "dot1x-policy" set security-mode 802.1X set user-group "dot1x-users" set auth-order dot1x-MAB set mac-auth-bypass enable set guest-vlan enable set guest-vlan-id "guest-vlan" set auth-fail-vlan enable set auth-fail-vlan-id "auth-fail-vlan" next end
Create an 802.1X security policy with MAB fallback, guest VLAN and auth-failure VLAN for managed FortiSwitch ports. user-group names the FortiGate user group that contains the RADIUS server; guest-vlan-id and auth-fail-vlan-id reference VLAN interfaces by name, not by numeric ID (the names "dot1x-users", "guest-vlan" and "auth-fail-vlan" are placeholders). The policy takes effect once it is assigned to a port as its port-security-policy under the managed switch's port configuration.
auth-order dot1x-MAB
Sets 802.1X as primary authentication with MAB as fallback — the correct order for environments with mixed 802.1X and non-802.1X devices.
diagnose firewall auth list
Display currently authenticated IPv4 user sessions on FortiGate — shows user, IP, authentication method, and expiry.
diagnose firewall auth filter clear
Clear authentication filters to show all authenticated users — use when diagnosing authentication policy enforcement.
diagnose firewall dynamic list
Show dynamic address groups and security posture tags — used to verify NAC policy matching and EMS tag assignments.

Security Fabric and FortiManager Integration

Security Fabric root FortiGate
A root FortiGate must be designated for the Security Fabric — without it, downstream FortiSwitch and FortiAP devices will not appear in the fabric topology.
Zero-Touch Provisioning (ZTP)
Devices connect to FortiManager and automatically receive pre-staged configurations without on-site manual setup — requires DNS and FortiGuard connectivity for device-to-FortiManager contact.
FortiManager template deployment
System templates, device templates, and CLI templates are pushed from FortiManager to managed devices for consistent multi-site configuration.
FortiManager configuration drift
FortiManager pushes configurations but does not lock them — local changes after deployment cause drift; the exam tests identifying this scenario.
ADOM (Administrative Domain)
FortiManager feature for multi-tenant management — each ADOM can have isolated administrators, policies, and devices with no cross-ADOM visibility.
FortiAIOps
AI-powered wireless monitoring tool providing anomaly detection and optimization recommendations — it does NOT automatically apply changes; administrators must implement suggestions manually.
Firmware management via FortiManager
FortiManager centrally manages firmware upgrades across FortiGate, FortiSwitch, and FortiAP devices with version compliance checking and scheduled upgrade windows.

Troubleshooting Commands Reference

diagnose switch-controller switch-info lldp
Check LLDP (Link Layer Discovery Protocol) data on managed FortiSwitch — shows neighbor device information for topology verification.
diagnose switch-controller switch-info mclag
Review multi-chassis link aggregation (MCLAG) information on managed FortiSwitch units — used for stacking and redundancy troubleshooting.
diagnose wireless-controller wlac wtp_filter <SN>
Troubleshoot a specific FortiAP by serial number — filters CAPWAP debug output to a single AP for focused diagnosis.
diagnose wireless-controller wlac sta_filter <MAC> 255
Focus wireless debugging on a specific client by MAC address — use value 255 for full verbosity when troubleshooting a client's CAPWAP behavior.
cw_diag -c acs-chan-stats
Run on the FortiAP CLI to display Automatic Channel Selection (ACS) statistics per channel as seen by each radio (utilization and interference); used to understand channel choices, not to check the CAPWAP tunnel.
cw_diag -c wtp-cfg
Display current WTP (Wireless Termination Point) configuration parameters on the FortiAP CLI — confirms profile and settings pushed from FortiGate.
diagnose endpoint ec-shm list
Query endpoint compliance records including IP, MAC, and serial number — used to verify NAC/EMS tag matching for connected devices.
