Fortinet NSE5_FSW_AD-7.6 (page: 2)

Fortinet NSE 5 - FortiSwitch 7.6 Administrator

Updated 12-Apr-2026

Which statement about the IGMP snooping querier when enabled on a VLAN is true?

  A. Active multicast receiver entries are aging on each IGMP query sent on the VLAN.
  B. IGMP reports on the VLAN are forwarded to all switch ports.
  C. The setting can only be enabled using the FortiSwitch CLI.
  D. All other indirectly connected switches will be unable to get IGMP multicast traffic.

Answer(s): A

Explanation:

Active multicast receiver entries are aging on each IGMP query sent on the VLAN (A): When IGMP snooping querier is enabled on a VLAN, it functions to manage multicast traffic within the VLAN by keeping track of multicast group memberships. The IGMP querier sends queries to determine which ports require the multicast traffic. The multicast receiver entries, which are entries that indicate which devices have requested the multicast data, age or time out based on these IGMP queries. Each query refreshes active connections but ages out entries that no longer respond, helping to ensure that multicast traffic is only sent to ports with active receivers.



Refer to the exhibit.



The security port policy is configured as shown in the exhibit.
Which behavior occurs if a device connected to the port does not support 802.1X? (Choose one answer)

  A. The device is blocked from accessing the network.
  B. The device is placed into the onboarding VLAN.
  C. The device is placed into the quarantine VLAN.
  D. The device is assigned to the default management VLAN.

Answer(s): B

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide, the interaction between a managed switch and a connected endpoint depends on whether the endpoint can participate in the 802.1X authentication process. When a security policy is applied to a port, the switch sends EAP (Extensible Authentication Protocol) requests to the device to initiate the login.

The FortiSwitch handles two primary failure scenarios differently:

Non-supplicant (No 802.1X Support): If a device, such as a legacy PC or a basic printer, does not have an 802.1X supplicant, it will not respond to the switch's EAP requests. In this case, the switch waits for the duration specified in the Guest authentication delay field (30 seconds in the exhibit). Once this timer expires without a response, the switch places the device into the Guest VLAN. As shown in the exhibit, the Guest VLAN is explicitly set to "onboarding.fortilink (onboarding)".

Authentication Failure: If a device does support 802.1X but the user provides incorrect credentials, the RADIUS server returns an Access-Reject message. In this scenario, the device is moved to the Authentication fail VLAN, which the exhibit identifies as "quarantine.fortilink (quarantine)".

Note: Because MAC authentication bypass (MAB) is disabled in the exhibit, the switch will not attempt to authenticate the device's MAC address against the RADIUS server before defaulting to the Guest VLAN. Therefore, for any device lacking an 802.1X supplicant, the result is placement into the onboarding VLAN.



Which drop policy mode, if assigned to a congested port, will drop incoming packets until there is no congestion on the egress port?

  A. Tail-drop mode
  B. Weighted round robin mode
  C. Random early detection mode
  D. Strict mode

Answer(s): A

Explanation:

Tail-drop mode is a congestion management technique used in network devices, including FortiSwitches, to handle congestion on network ports:

Tail-Drop Mode (A):

Behavior: When a queue reaches its maximum capacity on a congested port, tail-drop mode simply drops any incoming packets that arrive after the buffer is full. This continues until the congestion is alleviated and there is space in the queue to accommodate new packets.

Application: This is a straightforward approach used when the device's buffer allocated to the port becomes full due to sustained high traffic, preventing buffer overflow and maintaining system stability.

Reference:

For more details on congestion management techniques and settings on FortiSwitch, you can refer to the configuration manuals available on: Fortinet Product Documentation



On supported FortiSwitch models, which access control list (ACL) stage is recommended for applying actions before the switch performs any layer 2 or layer 3 processing? (Choose one answer)

  A. Ingress
  B. Forwarding
  C. Egress
  D. Prelookup

Answer(s): D

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the NSE 5 FortiSwitch 7.6 Administrator Study Guide, FortiSwitch supports a multi-stage ACL pipeline that allows for granular traffic control at different points in a packet's journey through the switch. The documentation identifies three primary stages for ACL application: Prelookup, Ingress, and Egress.

Prelookup (Option D): This is the earliest stage in the switching pipeline. The documentation explicitly states that Prelookup ACLs are processed before any Layer 2 or Layer 3 lookups are performed by the switch hardware. This stage is highly recommended for high-performance security actions, such as dropping unwanted traffic immediately upon arrival, because it prevents the switch from wasting internal resources (CPU and ASIC lookup cycles) on frames that are destined to be discarded anyway.

Ingress (Option A): This stage occurs after the switch has completed its Layer 2 (MAC table) and Layer 3 (routing table) lookups but before the packet is queued for the egress port. While powerful, actions here occur after initial processing has already taken place.

Egress (Option C): This stage is processed just before the frame leaves the switch through the destination port. It is typically used for final modifications or filtering based on the outgoing interface context.

Therefore, to achieve the goal of applying actions before any Layer 2 or Layer 3 processing occurs, the Prelookup stage is the technically correct and recommended choice in FortiSwitchOS 7.6. Forwarding (Option B) is a general functional stage of a switch but is not a specific ACL stage type in the FortiSwitch configuration hierarchy.



How does FortiSwitch determine the route for traffic traversing its interfaces? (Choose one answer)

  A. Hardware-based routing on FortiSwitch is handled by the CPU.
  B. ASIC hardware routing can handle only dynamic routing, if supported.
  C. FortiSwitch looks up the hardware routing table and then the forwarding information base (FIB).
  D. FortiSwitch forwards all traffic to FortiGate for routing decisions.

Answer(s): C

Explanation:

FortiSwitch determines how traffic is routed by leveraging a two-tier routing lookup mechanism that prioritizes hardware-based forwarding before software-based processing. According to the FortiSwitchOS 7.6 Administrator Guide, FortiSwitch first checks the hardware routing table, which is populated with a subset of routes installed from the Forwarding Information Base (FIB) and programmed directly into the switch ASIC.

The hardware routing table contains routes that are eligible for ASIC acceleration. When a packet arrives on a FortiSwitch interface, the switch performs a lookup in this hardware routing table. If a matching route is found, the packet is forwarded at wire speed using ASIC-based forwarding, which provides optimal performance and minimal latency. This process is referred to as hardware-based routing.

If no matching route exists in the hardware routing table, FortiSwitch then performs a lookup in the Forwarding Information Base (FIB), which resides in the kernel. Routes in the FIB are handled by the CPU and processed through software-based routing. This fallback mechanism ensures correct forwarding behavior even when routes cannot be offloaded to hardware.

The FortiSwitchOS documentation explicitly states that the hardware routing table indicates which routes in the FIB are installed in hardware. This confirms that routing decisions are not exclusively offloaded to FortiGate, nor are they limited to CPU-based processing alone. Instead, FortiSwitch uses a hierarchical lookup order: hardware routing table first, followed by the FIB.

Therefore, the correct and fully documented answer is C. FortiSwitch looks up the hardware routing table and then the forwarding information base (FIB).



Which statement about the use of the switch port analyzer (SPAN) packet capture method is true?

  A. Mirrored traffic can be sent across multiple switches.
  B. SPAN can be configured only on a standalone FortiSwitch.
  C. Traffic on the management interface can be mirrored and captured by the monitoring device.
  D. The monitoring device must be connected to the same switch where the traffic is being mirrored.

Answer(s): A

Explanation:

The correct statement about using the Switch Port Analyzer (SPAN) packet capture method on FortiSwitch is that "Mirrored traffic can be sent across multiple switches (A)." This feature allows for extensive traffic analysis as it enables network administrators to configure SPAN sessions that span across different switches, thereby providing the capability to monitor traffic across a broad segment of the network infrastructure.



When Dynamic Host Configuration Protocol (DHCP) snooping is enabled on a FortiSwitch VLAN, which two statements are true? (Choose two answers)

  A. DHCP replies are accepted only on trusted ports.
  B. DHCP snooping blocks all unicast traffic.
  C. Option 82 can be inserted into DHCP requests.
  D. DHCP requests are dropped if sent from trusted ports.

Answer(s): A,C

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the FortiLink 7.6 Study Guide, DHCP snooping is a security feature that prevents rogue DHCP servers from distributing incorrect IP addresses on a network. Once enabled for a specific VLAN, the switch differentiates between trusted and untrusted ports to regulate DHCP traffic.

Trusted Ports and DHCP Replies (Option A): In a managed FortiSwitch environment, all ports are untrusted by default. To allow a DHCP server (such as a FortiGate or an external server) to provide IP addresses, the administrator must explicitly set the connecting port as trusted. DHCP snooping validates incoming packets; it allows DHCP server messages (such as DHCPOFFER and DHCPACK) only on these trusted ports. Any DHCP server reply arriving on an untrusted port is identified as coming from a potentially rogue source and is discarded by the switch.

Option 82 Data Insertion (Option C): FortiSwitch supports DHCP Option 82 (also known as the Relay Information Option), which provides additional security by appending location-specific information (such as the Circuit ID and Remote ID) to DHCP request packets. When DHCP snooping is active, the switch can be configured to insert this data into client requests as they enter untrusted ports. This allows the upstream DHCP server to identify the specific physical port or VLAN from which the request originated, even if the server is located in a different subnet.

Regarding the incorrect options: Option B is false as DHCP snooping only inspects and filters DHCP-specific traffic, not general unicast data. Option D is incorrect because DHCP requests (client-to-server) are generally permitted on all ports to ensure clients can find a server, though some configurations allow dropping requests from untrusted sources if they do not meet specific security criteria.



Refer to the exhibit.



PC1 connected to port1 has joined multicast group 225.1.2.3 on VLAN 10 with IGMP snooping enabled.
What will happen if you disable IGMP snooping on FortiSwitch? (Choose one answer)

  A. PC1 will be removed from the multicast group 225.1.2.3.
  B. The FortiSwitch will stop processing IGMP report join messages.
  C. Multicast traffic for 225.1.2.3 will be flooded to all ports.
  D. Multicast traffic will stop until a multicast receiver is detected.

Answer(s): C

Explanation:

According to the FortiSwitchOS 7.6 Administration Guide and the FortiSwitch 7.6 Study Guide, Internet Group Management Protocol (IGMP) snooping is a Layer 2 mechanism that allows a switch to "listen" to IGMP conversations between hosts and routers to maintain a map of which ports require specific multicast streams. When IGMP snooping is enabled, the switch populates a Multicast Layer 2 Forwarding Table (as shown in the exhibit), which ensures that multicast traffic is only forwarded to ports where a receiver has explicitly requested it (e.g., PC1 on port1).

When IGMP snooping is disabled, the switch no longer maintains this granular forwarding table. By default, a Layer 2 switch that is not performing IGMP snooping treats multicast traffic as if it were broadcast traffic. Consequently, instead of being intelligently forwarded only to the interested receiver (PC1), the multicast traffic for group 225.1.2.3 will be flooded to all ports within the same VLAN (VLAN 10). This means PC2, even if it has not joined the group, will receive the multicast packets at the physical layer, leading to unnecessary bandwidth consumption and increased CPU load on unintended recipients.

The documentation explicitly states that disabling IGMP snooping reverts the switch to a "flood-all" behavior for multicast frames within the broadcast domain. Option A is incorrect because the host (PC1) remains a member of the group; only the switch's forwarding logic changes. Option B is incorrect as the switch may still see the messages but will not act on them to prune ports. Option D is incorrect as disabling the feature removes the prune/stop mechanism, causing traffic to flow everywhere rather than stopping.


