Fortinet Updated FCSS_LED_AR-7.6 Exam Questions and Answers by kinza

From the exhibit, the DHCP server configured on the fortilink interface contains:

set vci-match enable

set vci-string " FortiExtender "

That is the key problem. This DHCP scope is tied to a Vendor Class Identifier match for FortiExtender, not FortiSwitch. As a result, the FortiSwitch will not match the DHCP offer and may fail to receive an IP address on the FortiLink network, which prevents FortiGate from discovering and managing it.

The LAN Edge 7.6 Architect study guide says that for FortiLink troubleshooting, you must verify DHCP on the FortiLink interface and confirm the switch receives an IP address:

“On FortiGate verify that DHCP is enabled for the FortiLink interface” and on FortiSwitch “Verify that the interface is getting an IP address from FortiLink”

It also says to use:

#execute switch-controller diagnose-connection for “Interface, DHCP, and NTP connection status”

#get system interface on FortiSwitch to verify that it is getting an IP address from FortiLink

So if the switch stays offline and cabling is correct, DHCP mismatch is a valid root cause.

Further confirmation comes from the FortiOS Administration Guide, which explains VCI-based DHCP assignment:

“VCIs (vendor class identifiers) are supported in DHCP to allow VCI pattern matching as a condition for IP or DHCP option assignment.”

It also states:

“When enabled only DHCP requests with a matching VCI are served with this range.”

That matches this scenario exactly. Because the DHCP pool is restricted to vci-string " FortiExtender " , a FortiSwitch DHCP request will not match that pool.

Why the other options are incorrect:

A. Incorrect. ip-managed-by-fortiipam disable is shown in the FortiLink interface exhibit, but the study guide does not identify this as a requirement for FortiSwitch discovery. It is not the reason the switch would remain offline here.

B. Incorrect. The FortiLink interface member is port4, and the topology exhibit shows the FortiGate connected from port4 to the FortiSwitch port24. That matches the physical topology, so the interface member is not the issue.

C. Incorrect. The study guide explicitly says the FortiLink interface is a LAG by default:

“All FortiGate devices come with a factory default FortiLink interface... By default, the interface is created as a link aggregation group (LAG) interface.”

So type aggregate is normal and valid. It does not need to be physical.

Final verified conclusion:

The FortiSwitch remains offline because the DHCP server on the FortiLink interface is configured with the wrong VCI match string, FortiExtender, which prevents the FortiSwitch from obtaining an IP address from FortiLink.

So the correct answer is D.

When FortiAuthenticator is used as anFSSO agentbased onsyslog, it must:

Parse incoming syslog messagesfrom devices (firewalls, WLAN controllers, VPN concentrators, etc.).

Extract identity fieldssuch as:

Username

IP address

Login/logout event indicators

Syslogmatching ruleson FortiAuthenticator define:

Which syslog messages are relevant (by facility, message pattern, or regex).

How to capture specific fields (username, IP, group, event type).

FortiAuthenticator then uses this parsed data toinject logon sessions into FSSO, so FortiGate can apply identity-based policies.

Thus, the role of syslog matching rules is exactly as described inC.

A: Group mapping is handled separately via directory groups / FSSO config, not directly by matching rules.

B: Enforcement of authentication policies is done on FortiGate, not directly by the matching rules.

D: While irrelevant logs can be ignored via rules, the primary purpose isparsing and extraction, not generic filtering.

Context: You’re troubleshootingSyslog-based SSOonFortiAuthenticator:

Devices (typically firewalls, WLAN controllers, VPN gateways) sendsyslog messagescontaining usernames, IPs, login/logout events.

FortiAuthenticator parses those logs usingSyslog SSO rulesand injects logon sessions intoFSSOfor FortiGate.

When users are not mapping correctly, you need to see:

Did the syslog message arrive?

Which matching rule (if any) caught it?

What username and IP were extracted?

Why was a message ignored or rejected?

FortiAuthenticator has a dedicated debug area for this:

Debug logs → Single Sign-On → Syslog SSO

This view shows:

Raw syslog lines received

Thematching ruleapplied (or “no match”)

Parsed fields (username, IP, group)

Any parsing errors

This is exactly the tool designed totroubleshoot and diagnose Syslog SSO issues.

Why the other options are not the best for this issue

A. Debug logs > Remote Servers > Syslog Viewer

Lets you see syslog traffic in general, but doesnotshow how SSO rules are applied or why they fail. Good for connectivity checks, not SSO logic.

B. Parsing Test Tool

Useful totestpatterns and rules manually by pasting sample log lines, but it doesn’t show live traffic or running SSO sessions.

C. Debug logs > SSO Sessions page

Shows existing SSO sessions (who is logged in), but notwhya particular syslog message did not create a session.