NSE 6 - Network Security 7.6 Support Engineer Materials-Question 56 Discussion
Question
Refer to the exhibits. An OSPF peer is advertising route 172.16.52.0/24. The local FortiGate is configured with an inbound distribution list that allows the 172.16.0.0/16 network to be injected into its routing table. However, the 172.16.52.0/24 subnet cannot be seen in the FIB. Which two steps can the administrator of the local FortiGate take to ensure that the advertised 172.16.52.0/24 subnet will be injected into the routing table? (Choose two answers)
Comments
Selected Answers: A, B
In exact match mode, the FortiGate will only allow the specific route 172.16.0.0/16. Since the peer is advertising 172.16.52.0/24, it is being rejected by the implicit deny at the end of the prefix list.
A. Change the ge value to 17: By setting a ge (Greater than or Equal to) value, you change the logic from an exact match to a range match. Setting ge 17 (or commonly ge 24) while using the 172.16.0.0/16 base allows the FortiGate to match any subnet within that range that has a mask length of 17 or higher. Since 24 is greater than 17, 172.16.52.0/24 would be permitted.
B. Add another entry to the prefix list to specifically allow the 172.16.52.0/24 network: This is the most direct fix. By adding a specific rule (edit 2) that permits 172.16.52.0 255.255.255.0, the OSPF distribution list will find an exact match for the advertised route and inject it into the routing table.
Why the other options are incorrect:
C. Modify the default prefix-list behavior from implicit deny to implicit allow: FortiOS prefix lists do not have a toggle to change the "implicit deny" at the end to an "implicit allow." This is a hard-coded security standard in routing protocols. To allow everything else, you would have to manually add a permit 0.0.0.0/0 le 32 entry.
D. Change the le value to 16: The le (Less than or Equal to) parameter defines the maximum mask length allowed. If you set le 16 on a /16 network, you are still effectively performing an exact match for /16. It would not allow a /24 subnet because 24 is greater than 16.
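The comment above reasons about how ge/le widen or narrow a prefix-list entry and why the implicit deny catches the /24. The following is an added example, not code from the page or from Fortinet, that models that matching logic and runs the advertised 172.16.52.0/24 through each of the configurations the answers describe. It assumes the usual prefix-list semantics (an entry with neither ge nor le is an exact-length match; ge alone means "from ge up to /32"; le alone means "from the entry's own length up to le"; the first matching entry wins; no match falls through to an implicit deny). The route, the prefix-list entries and the scenario names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PrefixRule:
    """One entry of a prefix list, modelled on FortiOS-style ge/le semantics (assumed)."""
    seq: int                      # entry number ("edit 1", "edit 2", ...)
    prefix: IPv4Network           # the configured prefix and mask
    action: str = "permit"        # "permit" or "deny"
    ge: Optional[int] = None      # minimum mask length that may match, if set
    le: Optional[int] = None      # maximum mask length that may match, if set

    def bounds(self) -> Tuple[int, int]:
        """Resolve ge/le into an inclusive mask-length range.

        Neither set  -> exact match on the entry's own prefix length.
        Only ge set  -> ge .. 32.
        Only le set  -> prefix length .. le.
        Both set     -> ge .. le.
        """
        plen = self.prefix.prefixlen
        lo = self.ge if self.ge is not None else plen
        hi = self.le if self.le is not None else (32 if self.ge is not None else plen)
        if not (plen <= lo <= hi <= 32):
            raise ValueError(f"seq {self.seq}: invalid range ge={lo} le={hi} for /{plen}")
        return lo, hi

    def matches(self, route: IPv4Network) -> bool:
        """A route matches when it lies inside the prefix and its length is within ge..le."""
        lo, hi = self.bounds()
        return route.subnet_of(self.prefix) and lo <= route.prefixlen <= hi


def evaluate(rules: List[PrefixRule], route: IPv4Network) -> Tuple[str, Optional[int]]:
    """Walk the list in sequence order; first match wins, otherwise the implicit deny applies.

    Returns (action, seq) where seq is None when the implicit deny was hit.
    """
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(route):
            return rule.action, rule.seq
    return "deny", None


# Constructed inputs: the route the OSPF peer advertises and the /16 from the exhibit.
ADVERTISED = IPv4Network("172.16.52.0/24")
BASE = IPv4Network("172.16.0.0/16")


def scenarios() -> Dict[str, List[PrefixRule]]:
    """The prefix list as configured, plus the variants each answer option describes."""
    return {
        "exact match (as configured)": [PrefixRule(1, BASE)],
        "A: ge 17": [PrefixRule(1, BASE, ge=17)],
        "B: add specific /24 entry": [PrefixRule(1, BASE),
                                      PrefixRule(2, IPv4Network("172.16.52.0/24"))],
        # Option C has no toggle; the only way to "permit the rest" is an explicit catch-all.
        "C workaround: catch-all 0.0.0.0/0 le 32": [PrefixRule(1, BASE),
                                                    PrefixRule(2, IPv4Network("0.0.0.0/0"), le=32)],
        "D: le 16": [PrefixRule(1, BASE, le=16)],
    }


def outcomes() -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate the advertised /24 against every scenario."""
    return {name: evaluate(rules, ADVERTISED) for name, rules in scenarios().items()}


if __name__ == "__main__":
    for name, (action, seq) in outcomes().items():
        where = f"seq {seq}" if seq is not None else "implicit deny"
        print(f"{name:42s} -> {action:6s} ({where})")
```

Running it shows the /24 falling through to the implicit deny for the exact-match list and for "le 16", and being permitted by entry 1 with "ge 17", by entry 2 once the specific /24 is added, and by a trailing 0.0.0.0/0 le 32 catch-all. The `bounds()` check also rejects a ge smaller than the entry's own mask length, which is a configuration that cannot match anything sensibly.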