NSE 6 - Network Security 7.6 Support Engineer Materials - Question 4 Discussion

Refer to the exhibit. Which two statements about FortiGate behavior relating to this session are correct? (Choose two answers)

  • A. FortiGate redirected the client to the captive portal to authenticate so that a correct policy match could be made.
  • B. FortiGate either initiated the session or the session terminates at FortiGate.
  • C. FortiGate forwarded this session without any inspection.
  • D. FortiGate is performing a security profile inspection using the CPU.
Correct Answer: A,D

Brave-Dump Clients Votes

AC 33.33%
AB 33.33%
BC 33.33%

Comments



Rolando Salgado 2026-02-07 03:09:34

Selected Answers: A, C


I think the correct answers are A, C
A): Within the session list, "state=redir local" appears, which is a typical flag of redir/captive portal
C): There are no associations of a UTM profile ("av_idx=0"), and besides, "offload=0/0" and "ips offload=0/0"


Anonymous User 2026-02-10 22:08:10

Selected Answers: A, B


A) state=redir local
B) As local traffic, no need for inspection? redir + local = captive portal / auth / FortiGate, so FortiGate is the termination


Anonymous User 2026-04-05 04:19:07

Selected Answers: B, C


B. Local termination/initiation
The Evidence: Look at the state line in the output: state=redir local may_dirty none app_ntf.

The Logic: The keyword local in the session state indicates that this is "Local-In" or "Local-Out" traffic. This means the packet is either destined for the FortiGate itself (like management traffic or a proxy service) or was generated by the FortiGate.

Further Proof: The hook=pre dir=reply act=dnat line shows the destination IP being translated to 172.20.121.96, which is likely an interface IP on the FortiGate unit.

D. CPU-based security inspection
The Evidence: Look at the NPU information at the bottom: npu_state=00000000 and offload=0/0.

The Logic: When the offload counters are 0/0, it means the hardware acceleration (NPU) is not handling this traffic. Instead, every packet in this session is being processed by the main CPU.

Reasoning: This often happens when specialized security inspection is required that the NPU cannot perform, or when the session is "local" (as established in Option B), as local traffic is processed by the system CPU.

Why the other options are incorrect:
A. Captive Portal redirection: While redir appears in the state, it is followed by local. In this context, it refers to the internal redirection to a local process (like a proxy), not necessarily a captive portal for user authentication. Furthermore, auth_info=0 suggests no active authentication is being tracked for this specific session.

C. Forwarded without inspection: This is contradicted by the offload=0/0 and app_list (implied by the presence of app_ntf). If there were no inspection, the session would likely be a candidate for NPU offloading to speed up forwarding. The fact that it is pinned to the CPU suggests that inspection is occurring.