Fortinet NSE5_FSW_AD-7.6 Exam Dumps

In FortiSwitch, Access Control Lists (ACLs) are used to enforce security rules on both ingress and egress traffic:

ACL Evaluation Order (D):

Operational Function:FortiSwitch processes ACL entries from top to bottom, similar to how firewall rules are processed. The first match in the ACL determines the action taken on the packet, whether to allow or deny it, making the order of rules critical.

Configuration Advice:Careful planning of the order of ACL rules is necessary to ensure that more specific rules precede more general ones to avoid unintentional access or blocks.

In a hierarchical network model, the role of a device functioning simultaneously as both the distribution and core is most accurately described as 'FortiGate managing FortiSwitch (B).' In this setup, FortiGate acts as the central unit managing multiple FortiSwitch units, thereby functioning both as a distribution layer---handling traffic between network segments---and as a core layer---managing traffic within the network on a broader scale. This setup is typical in medium-sized networks where a single device is capable enough to handle both roles effectively.

When FortiGate exports configuration settings to a managed FortiSwitch stack with sampling mode set to 'perimeter is true,' the behavior is:

B . FortiGate configures FortiSwitch to perform ingress sampling on all switch interfaces, except ICL and ISL interfaces.This setting ensures that all incoming traffic on normal operational ports is sampled for monitoring and analysis purposes, but it excludes the inter-chassis link (ICL) and inter-switch link (ISL) interfaces from sampling. These exclusions are typically made to prevent the duplication of sampled data and to reduce unnecessary load on the monitoring system, as these links often carry traffic already monitored at other points.

Options A and D are incorrect because they either generalize the sampling across all interfaces without exceptions or incorrectly specify egress sampling on management interfaces. Option C is also incorrect as FortiGate can modify existing sampling settings to fit the perimeter-based configuration requirement.

According to theFortiSwitchOS 7.6 Administration Guideand theFortiLink 7.6 Study Guide, the Spanning Tree Protocol (STP) is automatically enabled on managed FortiSwitches to ensure a loop-free Layer 2 topology within the FortiLink fabric. When multiple physical paths exist between switches (as shown in the redundant connections between the Core and Access tiers), STP must block one of the paths to prevent a broadcast storm.

The behavior described in the exhibit---whereport3 on Access-1enters aDiscarding state---is a result of the STP election process. In a standard STP environment, switches elect aRoot Bridgebased on the lowestBridge Priority(or lowest MAC address as a tie-breaker). Once a root is established, other switches identify the 'best' path to that root (the Root Port) and block all other redundant paths.

The provided exhibit shows that Access-1 has two paths to the core: one to Core-1 and one to Core-2. The fact that the path to Core-2 is discarded suggests that the STP topology was recalculated when Core-2 was enabled. In the context of Fortinet technical exams for this specific scenario,Option C (Core-2 has the lowest bridge priority)is the standard answer identifying that Core-2's priority settings influenced the STP tree such that Access-1's link to it was determined to be the redundant (alternate) path.

If the switches were configured withMCLAG (Multi-Chassis Link Aggregation), both physical links would be treated as a single logical trunk, and neither would be in a discarding state. However, without MCLAG, the system relies on bridge priorities to prune the loop.BPDU Guard (Option A)is incorrect because it would administratively shut down the port rather than placing it in an STP 'Discarding' state.Option Bis incorrect as the switch would not appear in the managed topology if unauthorized.

In FortiSwitchOS 7.6,Dynamic ARP Inspection (DAI)is tightly integrated withDHCP snoopingto provide Layer 2 protection against ARP spoofing and man-in-the-middle attacks. DAI relies on theDHCP snooping binding table, which contains trusted IP-to-MAC-to-port mappings learned from legitimate DHCP transactions. Because of this dependency, the trust model for DAI is directly inherited from DHCP snooping.

According to the FortiSwitchOS 7.6 Administrator Guide, when a switch port is configured astrusted for DHCP snooping, that same port isautomatically treated as trusted by DAI. No additional configuration is required. This implicit trust relationship exists because trusted DHCP snooping ports are assumed to be connected to legitimate infrastructure devices such as DHCP servers, routers, or upstream network devices that must be allowed to send valid ARP replies.

On untrusted ports, DAI inspects ARP packets and validates them against the DHCP snooping database. If an ARP packet does not match an existing binding, it is dropped. On trusted ports, ARP packets bypass DAI inspection to ensure normal network operation and to avoid blocking valid infrastructure traffic.

The other options are incorrect. There is no separate CLI command required to trust a port for DAI (Option A). IP Source Guard (Option C) is another Layer 2 security feature that also depends on DHCP snooping but is not required to establish DAI trust. Static MAC learning (Option D) is unrelated to DAI trust behavior.

Therefore, once a port is configured as trusted for DHCP snooping,DAI implicitly trusts the port, makingOption Bthe correct and fully verified answer based on FortiSwitchOS 7.6 documentation.