View all questions & answers for the NSE 6 – LAN Edge 7.6 Architect Exam Materials exam


NSE 6 – LAN Edge 7.6 Architect Exam Materials-Question 27 Discussion
Comment Image Comment Image Comment Image

Refer to the exhibits to analyze a network topology and SSID settings. FortiGate is configured to use an external captive portal for authentication to grant access to a wireless network. Testing detected that users attempting to access the SSID are not able to access the captive portal login page. Which configuration change should fix this issue? (Choose one answer)

  • A. Change the SSID security mode to WPA2-Enterprise for authentication.
  • B. Firewall policy with the ID 13 must have NAT disabled.
  • C. Address objects FortiAuthenticator and WindowsAD must be included as exempt destinations/services.
  • D. A firewall policy with port4 as source is missing.
Correct Answer: D

Brave-Dump Clients Votes

C 50%
D 50%

Comments



Mohamed Shaban 2026-02-22 13:27:02

Selected Answers: C


The missing configuration is a firewall policy that allows users’ unauthenticated traffic to reach the captive portal, as described on page p267.
In other words, you must have a policy from the user-facing interface that permits HTTP/HTTPS (and usually DNS) so the FortiGate can intercept the request and present the captive portal login page
so I think there is missing option for this question

Anonymous User 2026-03-27 17:40:13

Selected Answers: D


Either this question is rubbish, or if not, then only D remains as only possible answer. C is wrong, because adress objects have been added as exempt already. But setting exempt alone is not enough, we need an addition policy allowing traffic from WLAN Client to DNS and Authenticatior. I would assume to use the wireless interface as source, but as we only have the option of port 4 as source, I would choose this.
  • Bora 2026-06-03 16:37:29
    I agree with you

Anonymous User 2026-04-13 19:58:05

Selected Answers: C


I had this question in my exam. In this version the screenshot is not correct. In my exam, the FAC & AD were selected as source exempt. So C is the correct answer, because both objects has to be the exempt destination / service.

Anonymous User 2026-06-03 16:51:03

Selected Answers: D


correct choice is option D

However, FortiGate is a stateful firewall. Adding these servers to the "Exempt" list in the WiFi settings only ensures that the Wireless Controller itself does not block that traffic. For the traffic to actually pass through FortiGate's internal architecture from port4 (or the corresponding WiFi interface) to the port3 interface (the Server Block), a Firewall Policy must absolutely be in place.

In the current policy table, there is no rule configured for the Guest -> port3 direction! There is only a Guest -> port1 (Internet) rule available.

The correct choice is option D (Technical Root Cause): The interface to which the FortiAP is connected and where the guest traffic enters the FortiGate is port4. For guests to access the DNS (WindowsAD) and Authentication (FortiAuthenticator) servers located behind port3, a firewall policy with port4 (or the related Guest SSID interface) as the source and port3 as the destination is missing.