CertPrepNow
FortinetFCSS_LAN_EDGE 7.65 domains

FCSS_LAN_EDGE 7.6 Exam Notes

Last-minute traps, must-know facts, and scenario tips for the Fortinet FCSS - LAN Edge 7.6 exam.

General Exam Tips

  • 1.Read ALL answer options before selecting — Fortinet distractors are intentionally close to the correct answer
  • 2.When a scenario describes a connectivity failure, ask yourself: is this a control-plane (FortiLink/CAPWAP management) problem or a data-plane (security policy/routing) problem? The fix is different for each
  • 3.With approximately 40 questions in 75 minutes, you have under 2 minutes per question — do not overthink. Mark uncertain questions and come back
  • 4.Always answer every question — there is no penalty for wrong answers on Fortinet exams
  • 5.Multi-select questions require ALL correct answers. A partially correct selection scores zero
  • 6.Scenario questions often contain one red-herring detail. Identify what the question is actually asking before evaluating the options
  • 7.When the question describes something that 'should work but doesn't,' look for a single missing prerequisite rather than a complex misconfiguration
  • 8.Aim for 75%+ on practice exams before sitting the real exam — the actual exam skews harder than most free practice banks
  • 9.Authentication (25% weight) is the highest-stakes domain — if you are short on study time, prioritize RSSO vs FSSO and 2FA token assignment
  • 10.Do not confuse what you know from real-world Fortinet deployments with what the exam expects — the exam tests textbook behavior, not production workarounds
Domain 120% of exam

FortiSwitch Deployment and Management

Must-Know Facts

  • FortiLink requires DHCP server enabled on the FortiLink interface — this is how FortiSwitch gets its management IP during discovery
  • Newly connected FortiSwitch units appear as 'Unauthorized' until an administrator explicitly authorizes them, or auto-authorization is enabled on the FortiLink interface
  • Security policies NEVER fix a FortiSwitch management problem — the exam frequently offers 'create a security policy' as a distractor when a switch is not being discovered or managed. FortiLink management traffic is not subject to security policies; any FortiSwitch connectivity issue must be solved in the switch controller configuration or FortiLink interface settings
  • VLAN optimization restricts auto-generated ISL trunk ports to carry only user-defined VLANs instead of all VLANs 1–4093
  • Quarantine VLAN is 4093 by default — it is automatically allowed on all FortiSwitch ports; quarantined devices are isolated but still connected
  • FortiSwitch firmware must be compatible with the FortiGate FortiOS version — version mismatch can silently prevent FortiLink from establishing
  • ISL (inter-switch link) trunks between managed FortiSwitch units are auto-generated by FortiGate — you do not need to manually create them
  • VLAN pruning manually removes specific VLANs from a trunk; VLAN optimization globally restricts auto-generated trunks — they are not the same feature
  • Port security features (DHCP snooping, dynamic ARP inspection, IP source guard, storm control) are configured on managed switch ports from the FortiGate GUI, not from the switch CLI
  • In a multi-tier FortiSwitch topology (daisy-chained), all switches are still managed by the single FortiGate — there is no secondary controller

Common Traps

TrapA FortiSwitch is discovered but the admin creates a security policy to allow its traffic, thinking that will bring it online
RealitySecurity policies do NOT affect FortiLink management traffic. The switch is showing 'Unauthorized' because it needs to be authorized in the switch controller — not because a security policy is missing
TrapThinking VLAN optimization and VLAN pruning are the same thing
RealityVLAN optimization is a switch-controller setting that restricts auto-generated ISL trunks to user-defined VLANs only. VLAN pruning is manually removing specific VLANs from a specific trunk. They address the same problem (unnecessary trunk traffic) but are different mechanisms
TrapAssuming FortiSwitch discovery works without DHCP on the FortiLink interface
RealityDHCP is mandatory on the FortiLink interface. Without it, the FortiSwitch cannot obtain an IP address and will never appear in the switch controller, even if the physical link is up
TrapBelieving that quarantine disconnects a device from the network
RealityQuarantine moves the device to VLAN 4093 — it remains connected but isolated from production VLANs. The device is not physically disconnected
TrapThinking layer 2 isolation for a quarantined device only involves VLAN assignment
RealityFortiOS offers two distinct quarantine modes: quarantine-by-VLAN (moves the device's traffic to VLAN 4093) and quarantine-by-redirect (redirects traffic to a firewall address group). These are mutually exclusive — you configure one mode, not both simultaneously. VLAN 4093 quarantine pushes a MAC-to-VLAN binding to the FortiSwitch so the device's traffic is handled within the quarantine VLAN, but this is not the same as a separate MAC block running in parallel

Confusing Pairs

FortiLinkCAPWAP

FortiLink = protocol for managing FortiSwitch (wired switches). CAPWAP = protocol for managing FortiAP (wireless APs). Both let FortiGate centrally manage LAN Edge devices, but they are completely separate protocols for different device types. A FortiLink problem will never affect FortiAP, and vice versa

VLAN OptimizationVLAN Pruning

VLAN Optimization = global FortiSwitch controller setting that limits all auto-generated ISL trunks to user-defined VLANs only. VLAN Pruning = manual per-trunk configuration removing specific VLANs. Optimization is broader and automatic; pruning is targeted and manual

FortiSwitch Managed ModeFortiSwitch Standalone Mode

Managed mode = FortiGate is the controller via FortiLink; all configuration happens on FortiGate. Standalone mode = FortiSwitch operates independently with its own management interface. The exam focuses entirely on managed mode; standalone appears only as a distractor

Scenario Tips

If the question asks about:

FortiSwitch physical link is up, switch is discovered, but shows 'Unauthorized' — admin cannot manage the switch

Answer:

Authorize the switch in the FortiGate switch controller (Security Fabric > Switch Controller > Managed FortiSwitch). If you want future switches to auto-authorize, enable 'auto-auth-extension-device' on the FortiLink interface

Distractor to avoid:

Adding a security policy to allow traffic from the FortiSwitch IP — security policies do not govern FortiLink management traffic; this will not fix the authorization issue

If the question asks about:

FortiSwitch is not discovered at all — physical link is confirmed up, FortiLink interface is configured

Answer:

Check that DHCP server is enabled on the FortiLink interface. Without DHCP, the FortiSwitch cannot get an IP and cannot establish the FortiLink session

Distractor to avoid:

Checking FortiGuard subscription status — FortiGuard has no bearing on FortiLink operation

If the question asks about:

Auto-generated ISL trunk between two managed FortiSwitches is carrying all VLANs 1–4093, causing excessive traffic

Answer:

Enable VLAN optimization on the FortiSwitch controller — this restricts auto-generated ISL trunks to carry only user-defined VLANs

Distractor to avoid:

Selecting VLAN pooling — VLAN pooling distributes authenticated users across multiple VLANs for broadcast domain reduction, which is unrelated to ISL trunk traffic volume

Last-Minute Facts

1Quarantine VLAN default = 4093
2DHCP server on FortiLink interface = mandatory for switch discovery
3FortiSwitch first connect = Unauthorized state (must be authorized)
4VLAN optimization = limits auto-ISL trunks to user-defined VLANs only
5Security policies = zero effect on FortiLink management traffic
6Quarantine modes = quarantine-by-VLAN (traffic to VLAN 4093) OR quarantine-by-redirect (firewall address group) — mutually exclusive, not simultaneous
Domain 220% of exam

FortiAP and Wireless Infrastructure

Must-Know Facts

  • CAPWAP requires BOTH UDP 5246 (control) and UDP 5247 (data) — exam troubleshooting questions that describe an AP discovering its controller but clients failing to pass traffic point to port 5247 being blocked; questions where the AP never appears in the controller at all point to port 5246 being blocked
  • Tunnel mode: all wireless traffic encapsulated in CAPWAP tunnel to FortiGate for inspection — required when security policies must inspect wireless traffic
  • Bridge mode: wireless traffic forwarded locally at the AP — lower latency but bypasses FortiGate inspection; use for performance-sensitive local SSIDs or remote branch traffic
  • Security Fabric Connection is a per-interface setting — the exam tests this by presenting a scenario where an AP has an IP, a physical link, and even a working CAPWAP session, but is invisible in the fabric topology. The diagnosis is always the same: check whether Security Fabric Connection is enabled on the interface the AP connects through. No amount of AP-side configuration fixes a missing Security Fabric Connection setting on FortiGate
  • Wireless NAC requires a minimum of 2 VLANs with L3 (including DHCP): one onboarding VLAN and at least one target VLAN — without both, NAC cannot dynamically reassign clients
  • AP authorization: newly connected FortiAPs appear as 'Unauthorized' just like FortiSwitches — they must be authorized before they can serve clients
  • Rogue AP suppression can interfere with legitimate neighboring wireless networks — only enable after confirming the AP is truly unauthorized
  • FortiAIOps is a monitoring and recommendation tool — it identifies wireless anomalies and suggests optimizations but does NOT automatically apply any changes
  • CAPWAP discovery sequence: static IP → DHCP option 138 (provides controller IP directly) → DNS (AP appends domain suffix from DHCP option 15 to the default hostname 'fortinet-capwap-controller' to form the FQDN) → FortiEdge Cloud → multicast → broadcast — if an AP cannot be discovered, check option 138 first, then DNS resolution of the controller FQDN

Common Traps

TrapAssuming that because a FortiAP has an IP address and physical link is up, it should automatically appear in the Security Fabric topology
RealityThe interface/VLAN the FortiAP is connected to must have 'Security Fabric Connection' enabled. Without this, CAPWAP discovery succeeds at layer 3 but the AP is not onboarded into the fabric management
TrapChoosing tunnel mode for a remote branch deployment where users need to access local servers with minimal latency
RealityBridge mode is appropriate for remote locations to avoid traffic hairpinning through FortiGate over the WAN. Tunnel mode sends all wireless traffic to FortiGate first, which adds latency and consumes WAN bandwidth
TrapConfiguring wireless NAC with only one VLAN and expecting clients to be moved to the correct segment
RealityNAC needs at minimum two VLANs: an onboarding VLAN (where clients start) and one or more target VLANs. Both must have L3 settings and DHCP. Without the onboarding VLAN, clients connect but can never be dynamically reclassified
TrapThinking FortiAIOps will automatically fix wireless performance problems after identifying them
RealityFortiAIOps only recommends — it never automatically applies changes. An administrator must manually review and implement suggestions

Confusing Pairs

Tunnel Mode (FortiAP)Bridge Mode (FortiAP)

Tunnel Mode = wireless traffic sent through CAPWAP tunnel to FortiGate, inspected by security policies, then forwarded. Use when security inspection is required. Bridge Mode = wireless traffic forwarded directly to the local wired network at the AP, bypassing FortiGate. Use when low latency or local traffic access is the priority. The exam tests: 'company requires FortiGate to inspect all wireless traffic' = Tunnel Mode

Rogue AP DetectionRogue AP Suppression

Detection = FortiAP passively scans for unauthorized APs and reports them to FortiGate — always safe to enable. Suppression = active deauthentication of clients connected to rogue APs — can disrupt legitimate neighboring networks and should only be used when the AP is confirmed unauthorized

CAPWAP Discovery (FortiAP)FortiLink Discovery (FortiSwitch)

FortiAP uses CAPWAP and discovers its controller via DHCP option 138, DNS lookup, or local broadcast — no static config required on the AP. FortiSwitch discovers its controller via FortiLink after getting a DHCP-assigned IP from the FortiLink interface on FortiGate. Both rely on DHCP but for different purposes: FortiAP DHCP tells it WHERE the controller is; FortiSwitch DHCP gives it an IP so FortiGate can contact it. A CAPWAP discovery failure points to option 138 or DNS; a FortiLink discovery failure points to the DHCP server on the FortiLink interface itself

Scenario Tips

If the question asks about:

FortiAP is connected to a managed FortiSwitch port, has an IP address, physical link is up, but does not appear in the wireless controller or Security Fabric topology

Answer:

The VLAN/interface the FortiAP is connected to does not have Security Fabric Connection enabled. Enable it on that interface in FortiGate — this is required for CAPWAP discovery to result in fabric onboarding

Distractor to avoid:

Checking if the FortiAP is in bridge mode vs tunnel mode — traffic forwarding mode does not affect AP discovery or Security Fabric onboarding

If the question asks about:

Remote branch office needs FortiAPs to serve users who primarily access local file servers on the same LAN. Minimal latency is required

Answer:

Configure the SSID in bridge mode — traffic goes directly from the AP to the local network without tunneling to FortiGate over the WAN, minimizing latency

Distractor to avoid:

Tunnel mode — while it provides FortiGate security inspection, it routes all wireless traffic through the WAN link to the central FortiGate, adding significant latency and using WAN bandwidth

If the question asks about:

Wireless NAC is configured, clients connect, but they are never moved out of the onboarding VLAN regardless of their device type

Answer:

Verify that the target VLANs are configured with L3 settings and DHCP. Also verify that the NAC policy matching criteria correctly identifies the device types and that policies are ordered correctly (top-to-bottom evaluation)

Distractor to avoid:

Enabling FortiAIOps — FortiAIOps is for wireless performance monitoring, not NAC policy enforcement

Last-Minute Facts

1CAPWAP control = UDP 5246; CAPWAP data = UDP 5247
2Tunnel mode = all traffic through FortiGate (security); Bridge mode = local forwarding (performance)
3Security Fabric Connection must be enabled on the interface FortiAP connects to
4Wireless NAC minimum = 2 VLANs with L3 + DHCP each
5FortiAIOps = monitoring + recommendations only, never auto-applies changes
6FortiAP authorization state = Unauthorized on first connect (same pattern as FortiSwitch)
7CAPWAP discovery order: static → DHCP option 138 → DNS (resolves 'fortinet-capwap-controller.<domain>') → FortiEdge Cloud → multicast → broadcast — DHCP option 138 and DNS are the two primary methods tested in troubleshooting questions
Domain 325% of exam

Authentication and Single Sign-On

Must-Know Facts

  • RADIUS ports: UDP 1812 (authentication), UDP 1813 (accounting) — legacy 1645/1646 exist but 1812/1813 are standard and what the exam expects
  • LDAP standard port = TCP 389 (cleartext); LDAPS encrypted port = TCP 636 — to enforce encrypted LDAP you change to port 636 AND set 'secure' mode to ldaps
  • LDAP bind types: simple (credentials sent in cleartext), regular (uses bind DN/password), anonymous (no credentials) — the exam tests which is appropriate for given security requirements
  • RSSO (RADIUS Single Sign-On): FortiAuthenticator receives RADIUS accounting messages from network devices (WLC, switches, VPN) and forwards user-IP mappings to FortiGate
  • FSSO (Fortinet Single Sign-On): monitors Windows Active Directory domain controller logon events via DC Agent, polling, or FortiAuthenticator — forwards user-IP mappings to FortiGate
  • FortiAuthenticator dual role: acts as RADIUS SERVER (authenticating users against LDAP/AD) AND as RADIUS CLIENT (receiving accounting messages for RSSO) — these are two different functions
  • Two-factor authentication requires per-user FortiToken assignment — enabling 2FA globally or having tokens activated is NOT sufficient without associating a token to each specific user account
  • FortiAuthenticator can act as a Certificate Authority (CA) for issuing certificates used in certificate-based authentication
  • Syslog integration with FortiAuthenticator: external network devices send syslog authentication events to FortiAuthenticator, which parses them and generates RSSO user session records
  • Authentication flow order: 802.1X attempted first, MAB fallback if no supplicant responds, captive portal as final fallback for web-based authentication
  • RADIUS shared secret must match exactly on both FortiGate and the RADIUS server — a mismatch silently fails authentication with no obvious error message
  • LDAP cnid (Common Name Identifier): use 'sAMAccountName' for Active Directory, 'cn' for standard LDAP

Common Traps

TrapUsing FSSO when the question describes a wireless controller or VPN gateway sending authentication events
RealityFSSO monitors Windows AD domain controller logon events. If the source is RADIUS accounting from a WLC/switch/VPN, that is RSSO territory. The trigger source (AD logon vs RADIUS accounting) determines which SSO method to use
TrapTreating FortiAuthenticator as either purely a RADIUS server OR purely a RADIUS accounting receiver
RealityFortiAuthenticator can simultaneously be a RADIUS server (users authenticate to it, it validates against AD/LDAP) AND receive RADIUS accounting messages from other NAS devices for RSSO. The exam tests whether you can distinguish these two completely separate roles
TrapEnabling 2FA on FortiGate and assuming all users will be prompted for a token
RealityEach individual user account must have a FortiToken explicitly associated with it. If a user authenticates successfully with just a password, the most likely cause is that no FortiToken is assigned to that specific user account — not a global configuration problem
TrapChanging LDAP bind type from simple to anonymous to 'improve security'
RealityAnonymous bind means no credentials at all — it reduces security. For secure LDAP, use regular bind with a dedicated bind DN and switch to LDAPS (port 636) for encryption
TrapRSSO and FSSO sound similar so candidates use them interchangeably
RealityThe key differentiator is the EVENT SOURCE: RSSO = triggered by RADIUS accounting Start/Stop from a network device. FSSO = triggered by Windows AD logon/logoff events from a domain controller. Wrong choice means transparent SSO will not work for that environment

Confusing Pairs

RSSO (RADIUS SSO)FSSO (Fortinet SSO)

RSSO = FortiAuthenticator receives RADIUS accounting from switches/WLCs/VPN gateways → sends user-IP mappings to FortiGate. FSSO = FortiAuthenticator or DC Agent monitors Windows AD logon events → sends user-IP mappings to FortiGate. Same outcome (transparent SSO), different input sources. Question says 'wireless controller sends RADIUS accounting' → RSSO. Question says 'Windows AD logon events' → FSSO

FortiAuthenticator as RADIUS ServerFortiAuthenticator as RADIUS Client

RADIUS Server role = FortiGate (or other NAS) sends authentication requests to FortiAuthenticator, which validates users against its local DB or backend LDAP/AD. RADIUS Client role = FortiAuthenticator receives RADIUS accounting messages from other network devices for RSSO processing. A single FortiAuthenticator can do BOTH simultaneously but for different traffic flows

LDAP Simple BindLDAP Regular Bind

Simple bind = username and password sent directly to LDAP server in cleartext (or over LDAPS). Regular bind = FortiGate first authenticates to LDAP using a dedicated 'bind DN' service account, then searches for the user. Regular bind is more secure and is the correct choice for Active Directory environments with a service account

RADIUS Authentication (UDP 1812)RADIUS Accounting (UDP 1813)

Authentication (1812) = credential verification, returns Access-Accept or Access-Reject, may include VLAN attributes for dynamic assignment. Accounting (1813) = session tracking (start/stop/interim), used by RSSO. Both ports must be open between FortiGate and RADIUS server. Dynamic VLAN assignment uses authentication responses (1812), not accounting

Scenario Tips

If the question asks about:

A company uses a wireless LAN controller that sends RADIUS accounting messages on user connect/disconnect. The team wants FortiGate to apply user-based policies without re-authentication

Answer:

Configure RSSO on FortiAuthenticator — it receives the RADIUS accounting messages from the WLC and forwards user-IP mappings to FortiGate for transparent policy enforcement

Distractor to avoid:

FSSO with DC Agent — FSSO monitors Windows AD logon events, not RADIUS accounting messages from a WLC. This would not capture WLC-based authentication events

If the question asks about:

Users authenticating to Windows domain computers are not being identified by FortiGate for identity-based policies, even though FSSO is configured

Answer:

Verify the FSSO agent or FortiAuthenticator collector is monitoring the correct domain controllers — if the DC authenticating users in that subnet is not being monitored, those logons are invisible to FSSO

Distractor to avoid:

Checking if RADIUS accounting is enabled on the switches — RADIUS accounting is for RSSO, not FSSO. FSSO relies on DC logon events, not RADIUS

If the question asks about:

VPN users can log in with only their password even though two-factor authentication has been configured globally on FortiGate

Answer:

The FortiToken has not been associated with the individual user accounts. Go to each user account and assign a FortiToken — global 2FA configuration alone does not enforce 2FA for users without a token linked

Distractor to avoid:

FortiToken Mobile incompatibility — FortiToken Mobile is fully supported by FortiGate for 2FA

If the question asks about:

Security requirements mandate encrypted LDAP communication to Active Directory. Currently using standard LDAP

Answer:

Change the LDAP server configuration: set secure mode to 'ldaps' and change the port from 389 to 636. This enables LDAP over TLS

Distractor to avoid:

Changing bind type from simple to anonymous — anonymous bind removes credentials entirely, reducing security rather than encrypting communication

If the question asks about:

FortiAuthenticator is receiving RADIUS accounting from a wireless controller but FortiGate is not enforcing user-based policies for those wireless users

Answer:

Check two things: (1) the RADIUS accounting interface on FortiAuthenticator is enabled to receive accounting messages, and (2) the RADIUS client (the wireless controller) is defined in FortiAuthenticator with matching shared secret. Also verify the RSSO attribute configuration on FortiAuthenticator correctly maps the RADIUS accounting fields to user session records that FortiGate can consume

Distractor to avoid:

Reconfiguring FortiGate to directly receive RADIUS accounting — the proper architecture is FortiAuthenticator as the intermediary that converts RADIUS accounting to RSSO user session records forwarded to FortiGate

Last-Minute Facts

1RADIUS auth = UDP 1812; RADIUS accounting = UDP 1813
2LDAP standard = TCP 389; LDAPS encrypted = TCP 636
3RSSO trigger = RADIUS accounting (Start/Stop) from network device
4FSSO trigger = Windows AD domain controller logon events
52FA enforcement requires per-user FortiToken assignment, not just global 2FA enablement
6LDAP cnid for Active Directory = sAMAccountName
7FortiAuthenticator = RADIUS server AND RADIUS accounting receiver (two distinct roles)
8RADIUS shared secret mismatch = silent authentication failure (no clear error)
Domain 420% of exam

Network Access Control and Security

Must-Know Facts

  • 802.1X authentication roles: Supplicant (endpoint software), Authenticator (FortiSwitch port), Authentication Server (RADIUS) — 802.1X requires supplicant software on the endpoint
  • Devices without 802.1X supplicant capability (printers, IP cameras, IoT) cannot use 802.1X and must fall back to MAC Authentication Bypass (MAB)
  • MAB sends the device MAC address as both username AND password to RADIUS — the format (lowercase, no separators by default) must match what the RADIUS server expects
  • Authentication order: 802.1X is attempted first → if no supplicant response, MAB is tried → captive portal as the final web-based fallback
  • Dynamic VLAN assignment requires THREE specific RADIUS attributes returned during authentication: Tunnel-Type (value=VLAN/13), Tunnel-Medium-Type (value=802/6), Tunnel-Private-Group-ID (VLAN ID or name) — missing ANY one causes fallback to the default VLAN
  • VLAN pooling: distributes users across multiple VLANs in a pool (round-robin or hash-based) to prevent single broadcast domain overcrowding — different from dynamic VLAN which puts users into ONE specific VLAN
  • NAC policies on FortiGate are evaluated TOP-TO-BOTTOM — the first matching policy is applied; order matters and is a common misconfiguration cause
  • NAC policy matching criteria: device type, OS, MAC address, EMS tag, user group, VLAN, FortiClient compliance status
  • Guest portals: captive portal redirect, guest user provisioning, isolated guest VLANs, sponsor-based approval — guest users get temporary access with limited permissions
  • FortiGate NAC policies are built into FortiOS and work with FortiSwitch/FortiAP — FortiNAC is a separate product for multi-vendor environments and should not be confused with built-in NAC

Common Traps

TrapConfiguring 802.1X for IP cameras and printers and wondering why they fail authentication
RealityThese devices cannot run 802.1X supplicants. They require MAC Authentication Bypass (MAB) as the fallback method. 802.1X is attempted first but times out; MAB then authenticates using the device MAC address
TrapMAB-authenticated device is in the correct VLAN from RADIUS response but the VLAN assignment silently fails
RealityCheck all three RADIUS Tunnel attributes. If Tunnel-Type, Tunnel-Medium-Type, or Tunnel-Private-Group-ID is missing or has the wrong value, VLAN assignment fails completely and the device lands in the default VLAN. MAB DOES support dynamic VLAN — the issue is always the RADIUS attribute configuration
TrapAssuming NAC policies are evaluated in the order they were created or alphabetically
RealityNAC policies are evaluated strictly top-to-bottom in the displayed order. The first match wins. A broad policy at the top (e.g., 'match all devices') will catch everything before more specific policies below it, causing incorrect VLAN assignments
TrapChoosing FortiNAC as the answer for questions about NAC in a pure Fortinet FortiSwitch/FortiAP environment
RealityFortiNAC is a separate, dedicated NAC appliance for complex multi-vendor environments. Questions about NAC on FortiSwitch ports managed by FortiGate use FortiGate NAC policies (built into FortiOS) — FortiNAC is a distractor for Fortinet-only LAN Edge deployments
TrapConfusing dynamic VLAN and VLAN pooling because both are 'dynamic'
RealityDynamic VLAN = one specific VLAN returned by RADIUS for a user based on their role. VLAN pooling = multiple VLANs in a group; users are distributed across them. Dynamic VLAN is role-based assignment; VLAN pooling is broadcast domain management

Confusing Pairs

802.1X AuthenticationMAC Authentication Bypass (MAB)

802.1X = port-based access control requiring supplicant software on the endpoint. Mandatory for users/managed devices. MAB = fallback for devices that cannot run supplicants (printers, cameras, IoT); switch uses MAC as credentials. 802.1X is always attempted first. MAB is the fallback. Key question: does the device have supplicant capability? Yes = 802.1X. No = MAB

Dynamic VLAN AssignmentVLAN Pooling

Dynamic VLAN = RADIUS returns one specific VLAN ID for this user/device based on authentication result. User always lands in THAT VLAN. VLAN pooling = group of multiple VLANs; after successful auth, user is assigned to one VLAN in the pool via round-robin or hash to distribute broadcast domain load. If the question mentions 'broadcast domain too large' or 'load distribution' = VLAN pooling. If it mentions 'role-based' or 'department-based' VLAN = dynamic VLAN

FortiGate NAC PoliciesFortiNAC

FortiGate NAC Policies = built into FortiOS, used to manage wired/wireless access on FortiSwitch and FortiAP in Fortinet-only environments. No additional product needed. FortiNAC = standalone dedicated NAC appliance for advanced device profiling and multi-vendor (non-Fortinet) network environments. The exam focuses on FortiGate NAC policies; FortiNAC appears as a wrong answer option

Scenario Tips

If the question asks about:

IP security cameras that do not support 802.1X need to be placed in a dedicated IoT VLAN automatically

Answer:

Configure MAB (MAC Authentication Bypass) on the FortiSwitch ports with dynamic VLAN assignment. The RADIUS server returns the IoT VLAN attributes when the camera MAC authenticates, placing cameras in the correct VLAN automatically

Distractor to avoid:

FSSO with device-based policies — FSSO monitors Windows AD logon events, which cameras do not generate. This will not work for non-802.1X IoT devices

If the question asks about:

Printers authenticate successfully via MAB but land in the default VLAN instead of the printer VLAN

Answer:

The RADIUS server is not returning the correct Tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). Verify all three are present and correctly configured in the RADIUS policy for printer MACs. MAB fully supports dynamic VLAN — this is a RADIUS configuration issue

Distractor to avoid:

Upgrading printers to support 802.1X — this is unnecessary if MAB is authenticating successfully; the problem is VLAN assignment (RADIUS attributes), not authentication itself

If the question asks about:

A Security Fabric automation detects a compromised endpoint and the automation stitch moves it to VLAN 4093

Answer:

VLAN 4093 is the default quarantine VLAN. The endpoint has been automatically quarantined by Security Fabric automation — it is isolated in the quarantine VLAN but still connected to the network

Distractor to avoid:

VLAN 4093 being a dynamic VLAN assignment from RADIUS — quarantine VLAN 4093 is a Fortinet-specific reserved VLAN for quarantine, not a RADIUS-assigned VLAN

If the question asks about:

NAC policies are configured but some devices are being assigned to the wrong VLAN despite matching the intended policy criteria

Answer:

Check NAC policy order — policies are evaluated top-to-bottom and the first match wins. A more general policy above the intended specific policy may be matching first. Reorder so specific policies are above broad ones

Distractor to avoid:

The FortiSwitch port is configured wrong — NAC policy ordering is the most common cause of wrong VLAN assignment when authentication itself succeeds

Last-Minute Facts

1Authentication order = 802.1X first → MAB fallback → captive portal last
2MAB = MAC address as both username and password (lowercase, no separators by default)
3Dynamic VLAN = 3 required RADIUS attributes: Tunnel-Type + Tunnel-Medium-Type + Tunnel-Private-Group-ID
4Missing any ONE of the three Tunnel attributes = fallback to default VLAN
5NAC policy evaluation = top-to-bottom, first match wins
6VLAN 4093 = default quarantine VLAN (auto-included on all FortiSwitch ports)
7FortiNAC = separate product (multi-vendor); FortiGate NAC policies = built-in (Fortinet-only)
Domain 515% of exam

Security Fabric and FortiManager Integration

Must-Know Facts

  • Security Fabric requires a root FortiGate — without a root device designated, downstream FortiSwitch and FortiAP will not appear in the fabric topology
  • FortiManager pushes configurations TO devices but does NOT lock them — configuration drift occurs when local administrators modify settings directly on devices after FortiManager deployment
  • Zero-touch provisioning (ZTP) requires the new device to reach FortiManager. DNS resolution and connectivity (TCP 541) must be available, often via DHCP option 240 or 241 providing the FortiManager FQDN/IP
  • FortiManager model devices: pre-staged configuration entries for devices not yet deployed — when the real device connects, it matches the model device entry and receives the pre-staged config automatically
  • ADOM (Administrative Domain) in FortiManager provides multi-tenant isolation — each ADOM has separate administrators, policies, and devices with no cross-ADOM visibility
  • FortiAIOps is monitoring and recommendations only — it identifies wireless anomalies but requires an administrator to manually implement any suggested configuration changes
  • Firmware management via FortiManager: centralized upgrades for FortiGate, FortiSwitch, and FortiAP with scheduling, compliance checking, and rollback capability
  • Security Fabric Connection must be enabled on interfaces connecting to FortiSwitch and FortiAP for those devices to appear in the fabric topology

Common Traps

TrapAssuming FortiManager continuously enforces configuration — if a local admin changes a FortiGate after template deployment, FortiManager will not automatically revert the change
RealityFortiManager is push-based. It deploys configurations at a point in time but does not prevent local changes. Configuration drift is a real scenario the exam tests. If you see a question where one site has a different config than what FortiManager deployed, the answer is local modification after push
TrapThinking ZTP requires only network connectivity between the device and FortiManager
RealityZTP requires DNS resolution capability (to resolve FortiManager FQDN) and the device must have a way to learn the FortiManager address — typically via DHCP options 240 or 241, FortiGuard lookup, or pre-configuration. Just having IP connectivity is not sufficient
TrapExpecting FortiAIOps to automatically apply its optimization recommendations
RealityFortiAIOps never auto-applies changes. It provides AI-driven analysis and recommendations, but every configuration change must be manually implemented by an administrator. The exam specifically tests this behavior
TrapConfusing Security Fabric topology (operational view) with Security Fabric Connection (interface setting)
RealitySecurity Fabric Connection is an interface-level setting that must be enabled on each interface connecting to downstream fabric devices (FortiSwitch, FortiAP). Without it, those devices never appear in the Fabric topology view, even if they are otherwise functioning

Confusing Pairs

FortiManager Template PushFortiManager ZTP Model Device

Template Push = administrator manually deploys a configuration template to existing, already-connected managed devices to update their settings. ZTP Model Device = pre-staged configuration waiting for a SPECIFIC device (by serial number) that hasn't connected yet — when it connects, it automatically receives the pre-staged config. Template push = update existing devices. ZTP model device = onboard new devices automatically

Security Fabric Topology ViewSecurity Fabric Connection Setting

Security Fabric Connection = interface-level setting on FortiGate that must be enabled for downstream devices (FortiSwitch, FortiAP) on that interface to join the fabric and appear in the topology. Security Fabric Topology = the resulting visualization in FortiGate/FortiManager showing all connected fabric devices. The Connection setting is the prerequisite; the Topology is the result

FortiManager ADOMFortiManager Device Group

ADOM (Administrative Domain) = hard multi-tenant isolation — separate administrators, separate policy packages, separate devices, zero cross-ADOM visibility. Used when different customers or business units must be completely isolated from each other. Device Group = a soft organizational grouping within a SINGLE ADOM that lets one administrator target a subset of devices for template pushes or firmware upgrades without creating full isolation. ADOM = isolation boundary; Device Group = organizational convenience within one tenant

Scenario Tips

If the question asks about:

50 new FortiSwitch units need to be deployed at remote branch offices and receive their full configuration automatically on first boot without any on-site engineer

Answer:

Use FortiManager zero-touch provisioning with model devices — pre-stage the switch configurations in FortiManager as model device entries. When switches power on and connect, they receive their configs automatically. Ensure DNS and TCP 541 connectivity to FortiManager is available

Distractor to avoid:

CLI script execution — CLI scripts require someone to manually run them on each device or at least trigger execution, which is not 'zero-touch'

If the question asks about:

After FortiManager pushes a VLAN template to all managed FortiGate devices, one site shows a different VLAN configuration than what was pushed

Answer:

A local administrator modified the FortiGate at that site directly after the template was pushed. FortiManager does not enforce configuration locking. The fix is to re-push the template and potentially restrict local admin access

Distractor to avoid:

The FortiGate firmware is incompatible with the template — firmware incompatibility would cause a push failure, not a silent configuration difference after a successful push

If the question asks about:

FortiAIOps shows multiple wireless optimization recommendations, but none of the suggested changes are being applied

Answer:

This is expected behavior — FortiAIOps only provides recommendations, it does not automatically implement changes. An administrator must manually review and apply each suggestion

Distractor to avoid:

FortiAIOps requires FortiManager to apply changes — FortiAIOps and FortiManager are independent; FortiAIOps does not push through FortiManager for change execution

Last-Minute Facts

1ZTP device-to-FortiManager: FortiManager IP learned via DHCP option 240/241 or FortiGuard
2ZTP connectivity requirement: DNS resolution + TCP 541 to FortiManager
3FortiManager = push-based, not enforcement-based — local changes cause configuration drift
4ADOM = multi-tenant isolation in FortiManager (separate admins, policies, devices per ADOM)
5Security Fabric root FortiGate = required; without it, no fabric topology
6Security Fabric Connection = interface setting, must be enabled for downstream devices to appear in topology
7FortiAIOps = recommendations only, zero auto-apply

Feeling confident?

Put your knowledge to the test with a timed FCSS_LAN_EDGE 7.6 mock exam.