Based on the FortiOS 7.6 Administrator Guide regarding Fortinet Single Sign-On (FSSO) polling modes, the agentless polling mode has specific technical characteristics:

SMB Protocol Usage (Statement B is True):

In agentless polling mode, the FortiGate unit itself acts as the collector.

It establishes direct connections to the Windows Domain Controllers (DCs) using the SMB (Server Message Block) protocol, typically over TCP port 445, to read the Windows Security Event logs.

This allows FortiGate to parse login event IDs (such as 4768 and 4769) to identify users and their corresponding IP addresses without needing an external collector agent installed on a server.

Workstation Check Support (Statement C is True):

One of the primary limitations of the agentless polling mode compared to the agent-based mode is the lack of workstation verification.

In agentless mode, FortiGate does not perform " workstation checks " or " dead entry checks " . This means it cannot proactively verify if a user is still logged into a specific workstation after the initial logon event is recorded, which can lead to stale entries if a user logs off without a corresponding event being captured.

Why other options are incorrect:

Option A: In agentless mode, FortiGate (the FSSO daemon) performs the collection itself; it does not use the AD server as a " collector agent " in the functional sense of FSSO architecture.

Option D: While FortiGate uses LDAP to retrieve group membership information once a user is identified, it does not " direct " a collector agent to a remote LDAP server, as there is no external collector agent involved in this specific mode.

According to the FortiOS 7.6 Administration Guide, the firewall policy ID is a unique numerical identifier assigned to each policy for internal database tracking and management purposes. It is important to distinguish the policy ID from the policy sequence . While the FortiGate processes traffic based on a top-down approach (the sequence), the policy ID itself does not determine the order of execution (Statement A is incorrect).

In FortiOS, once a policy is committed to the configuration, the policy ID cannot be modified (Statement B). If an administrator needs to change a policy ID, they must either delete and recreate the policy or use the clone command in the CLI to copy the settings to a new ID.

Furthermore, the CLI provides a specific shortcut for policy creation: you can create a policy with ID 0 (Statement C). When the command edit 0 is used within the config firewall policy context, the FortiOS kernel automatically assigns the next available integer as the policy ID. This is a standard practice for efficient configuration via the command line. Statement D is incorrect because, while every policy must have an ID, the GUI automatically generates this value without requiring the user to manually provide or even see it during the initial creation process.

From the exhibits:

System performance output

Memory used: 90%

Free memory: ~5%

Default memory thresholds (FortiOS 7.6)

memory-use-threshold-green 82%

memory-use-threshold-red 88%

memory-use-threshold-extreme 89%

Because memory usage (90%) exceeds the extreme threshold (89%), the FortiGate enters conserve mode.

Effects of conserve mode (FortiOS 7.6 – verified)

B. FortiGate has entered conserve mode.

Correct

When memory usage exceeds the red/extreme threshold, FortiGate automatically enters conserve mode.

This is exactly the condition shown in the system performance output.

D. Administrators can change the configuration.

Correct

Even in conserve mode:

Administrators can still log in (GUI, SSH, console)

Configuration changes are allowed

FortiGate does not lock configuration access during conserve mode.

This behavior is explicitly documented in the FortiOS 7.6 Conserve Mode section.

Why the other options are incorrect

A. Administrators can access FortiGate only through the console port.

Incorrect

Network access (GUI/SSH) is still available in conserve mode unless otherwise restricted.

Console-only access is not a conserve-mode requirement.

C. FortiGate drops new sessions.

Incorrect (as a general statement)

FortiGate may drop or bypass new inspection-required sessions depending on fail-open/fail-close settings.

It does not universally drop all new sessions, so this statement is not always true.

According to the FortiOS 7.6 Study Guide and technical documentation, conserve mode is a protective state triggered when memory utilization reaches the Extreme Threshold (typically 95% by default). When this occurs, the FortiGate implements several measures to prioritize system stability over new functionality. One of the primary restrictions is that the FortiGate refuses to accept configuration changes (Statement B). This prevents the system from initiating new processes or allocating additional memory that could lead to a total system crash.

Regarding traffic handling, the behavior is determined by specific " fail-open " settings. For the IPS engine, if the fail-open global setting is enabled, the FortiGate continues to transmit packets without IPS inspection (Statement D). This ensures that network connectivity is maintained even when the system lacks the memory resources to perform deep packet inspection. In contrast, Statement A is incorrect because the system may skip non-essential actions to save memory. Statement C is incorrect because conserve mode is designed to avoid a system halt; the device remains operational and will automatically exit conserve mode once memory usage drops below the Release Threshold (typically 82%).

With a dialup IPsec VPN on FortiGate, when add-route is enabled, FortiGate will only install the corresponding route when it has enough negotiated information from the tunnel. In FortiOS 7.6, that means the route is tied to the Phase 2 (Quick Mode) selectors and is created dynamically when the IPsec SA is actually up.

B. The administrator must ensure phase 2 is successfully established

This is required. FortiGate does not install the add-route route just because Phase 1 exists or because the configuration is present. The route is added when the tunnel is effectively usable, which requires Phase 2 (IPsec SA) to be up. If Phase 2 is not established, there is no active SA and FortiGate will not inject the related route into the routing table.

So, if the static route is not showing, one correct explanation is that Phase 2 is not up.

C. The administrator must define the remote network correctly in the phase 2 selectors

This is also required. For dialup tunnels, FortiGate derives what route to add from the remote subnet(s) defined in the Phase 2 selector (proxy ID). If the remote network in Phase 2 is missing, incorrect, or too broad/too narrow in a way that prevents negotiation, the tunnel either won’t come up (so no route), or the route that would be installed won’t match what the administrator expects.

So, another correct explanation is that the Phase 2 remote network is not correctly defined, preventing the correct route from being created.

Why the other options are incorrect

A. Policy route instead of a static route

Add-route does not require policy routes. It is specifically a feature that injects a route (route-table entry) associated with the IPsec tunnel/SA and the Phase 2 selector networks.

D. Enable a dynamic routing protocol

Dynamic routing protocols (OSPF/BGP/RIP) are not required for add-route. Add-route is independent of dynamic routing and works by installing routes locally based on the negotiated selectors.

From the exhibits:

The firewall policy has NAT enabled and is configured to Use Dynamic IP Pool.

The selected IP pool (Internet-pool) is configured as:

Type: One-to-One

External IP Range: 100.65.0.110–100.65.0.111 (only two public IPs)

PC1 and PC2 can access the internet because each one-to-one NAT mapping consumes one public IP from the pool. When PC3 is added, there is no third public IP available in the pool, so FortiGate cannot allocate a one-to-one mapping for PC3 and the session fails.

FortiOS behavior here is standard: with one-to-one IP pools, the available pool size limits how many distinct internal sources can be translated concurrently (depending on allocation and sessions), and a pool with only two IPs will not reliably support three separate hosts needing translations.

Therefore, the administrator can fix this in two valid ways:

B. In the IP pool configuration, set end ip to 100.65.0.112.

This expands the pool by adding an additional public IP address, making three public IPs available (.110, .111, .112), so PC3 can be assigned an address for one-to-one NAT.

D. In the IP pool configuration, set type to overload.

Changing the pool type to overload enables PAT (many-to-one), allowing multiple internal hosts (PC1, PC2, PC3) to share the pool address(es) using different source ports. This removes the “one public IP per internal host” limitation inherent to one-to-one pools.

Why the other options are not correct:

A. Multiple Interface Policies is unrelated to IP pool exhaustion and does not solve NAT allocation limits.

C. match-vip affects VIP matching behavior for destination NAT/virtual IP usage and does not address the source NAT pool shortage causing PC3 to fail.

From the routing table in the exhibit, there is already a static route for 172.20.1.0/24 pointing out port3 with:

Distance = 9

Priority = 2

Type = Static

In FortiOS, route selection prefers (in order) the route with the lowest administrative distance to a destination. Therefore, to make traffic to 172.20.1.0/24 go through port2 only, the administrator must ensure the port2 static route is more preferred than the existing port3 route.

Why C is correct

C. The existing static route through port3 must have the distance set to 11.

If the existing port3 route distance is increased to 11, then a new port2 route with distance 9 will be preferred (9 < 11). This makes the port3 route a backup route instead of the active one.

Why D is correct

D. The new static route must have the distance set to 9

Setting the new port2 route distance to 9 (and increasing the port3 route to 11 as in option C) ensures FortiGate selects the port2 route as the best route for 172.20.1.0/24.

Why A and B are not correct

A (priority 3): By itself it does not guarantee selection over the existing route, and FortiOS route choice is driven primarily by distance.

B (metric 1): Metric is not the primary selector for static route preference compared to administrative distance in this scenario.

So the two criteria that achieve the objective are:

Make the existing port3 route less preferred by increasing its distance (C)

Ensure the new port2 route uses the preferred distance (D)

“IKE uses UDP port 500. If NAT-T is enabled in a NAT scenario, IKE uses UDP port 4500.”

“IKEv2 provides a simpler operation, which is the result of using a single exchange mode and requiring less messages to bring up the tunnel.”

For the specific workaround asked in this question, Fortinet’s official documentation states that for an IP-level VPN, SSL VPN tunnel mode is useful to avoid issues caused by intermediate devices such as “ESP packets being blocked,” “UDP ports 500 or 4500 being blocked,” and “fragments being dropped, causing IKE negotiation that uses large certificates to fail if the peer does not support IKE fragmentation.” ( Fortinet Document Library )

Fortinet’s official documentation also states: “The ip-fragmentation command controls packet fragmentation before IPsec encapsulation, which can benefit packet loss in some environments.” ( Fortinet Document Library )

Technical Deep Dive:

The correct answers are A and B .

A is correct because SSL VPN tunnel mode can bypass the classic IPsec transport problems caused by intermediate devices filtering ESP or blocking UDP 500/4500 . Fortinet explicitly documents this as a practical workaround. ( Fortinet Document Library )

B is correct because enabling fragmentation helps when IKE negotiation uses large certificates and fragments are being dropped in transit. Fortinet documents this exact failure scenario and the related fragmentation control. ( Fortinet Document Library )

Why the others are not correct:

C is not the key fix. Hub-and-spoke is a topology choice, not the actual mechanism that solves blocked ESP or UDP 500/4500.

D is not sufficient for this problem. IKEv2 uses fewer messages, but it still relies on IPsec/IKE transport and does not itself solve intermediate devices blocking ESP or UDP 500/4500. The source PDF mentions simpler operation, not blocked-port avoidance.

So, the two effective fixes are:

Use SSL VPN tunnel mode

Enable fragmentation

“As previously stated, collector agent-based polling mode has three methods (or options) for collecting login information. The order on the slide from left to right shows most recommend to least recommended:

• WMI ...

• WinSecLog ...

• NetAPI ...”

Technical Deep Dive:

The correct three AD polling methods are WMI, WinSecLog, and NetAPI . These are the collector-agent polling options FortiGate FSSO uses against Windows domain controllers. WMI is generally the most efficient because the DC returns requested login events directly. WinSecLog polls Windows Security Event Logs and is typically more reliable than NetAPI for not missing recorded logons. NetAPI can be faster, but it is more prone to missing events under load because it depends on temporary session information rather than persistent security logs.

Why the other options are wrong:

DNS reverse lookup is not one of the three AD polling methods. DNS is used by FSSO to resolve workstation names to IP addresses and to track IP changes, but it is not itself a polling method for collecting AD logon events. FSSO REST API is also not one of the documented collector-agent AD polling methods in the study guide.

From an operational standpoint, FSSO login collection and workstation verification are separate functions. The collector agent may still rely on DNS and workstation checks after a login is learned, but the actual AD polling methods remain only WMI, WinSecLog, and NetAPI . On a FortiGate, when troubleshooting FSSO behavior, you would typically validate the collector feed and user cache with commands such as:

diagnose debug authd fsso list

diagnose debug authd fsso server-status

Those commands help confirm whether the users gathered by the collector through one of those three polling methods are reaching FortiGate correctly.