

Question 46 Discussion

Refer to the exhibit. FortiGate_A and FortiGate_B are members of a FortiGate Session Life Support Protocol (FGSP) cluster in an enterprise network. While testing the cluster using the ping command, you monitor packet loss, and on FortiGate_B you see the session list output that is shown in the exhibit. What is causing this output on FortiGate_B? (Choose one answer)

  • A. standalone-config-sync is set to disable on FortiGate_B.
  • B. FortiGate_B is configured in passive mode.
  • C. The session synchronization is encrypted.
  • D. session-pickup-connectionless is set to disable on FortiGate_B.
Correct Answer: D

Brave-Dump Clients Votes

D 100%

Comments



l 2025-10-31 10:48:37

Selected Answers: D


You need to set session-pickup-connectionless to enable to also pick up UDP and ICMP sessions. Page 108


Hasan Ahmed 2025-11-27 17:51:18

Selected Answers: D


D is the correct answer


Anonymous User 2025-12-28 23:24:33

Selected Answers: D


What the exam is asking

It’s asking why FortiGate_B shows no ICMP sessions when you run:

get system session list | grep icmp

while you are testing with ping and observing packet loss.

Correct answer (the one you should select)

D. session-pickup-connectionless is set to disable on FortiGate_B.

Why (and where the dump’s “A” goes wrong)

In an FGSP setup, ICMP and UDP are connectionless protocols. Fortinet explains that connectionless sessions are not synchronized/picked up unless you enable the specific setting for them: session-pickup-connectionless (along with session pickup).
* If session-pickup-connectionless is disabled, FortiGate_B will not receive/maintain synchronized ICMP sessions, so grep icmp returns nothing—exactly what your exhibit shows.

Option A (standalone-config-sync disable) is about configuration synchronization, not session synchronization. Also, Fortinet notes that config sync does not synchronize the FGSP-related config system cluster-sync settings anyway.
* So “A” does not directly explain an empty ICMP session list.

Bottom line: the symptom (no ICMP sessions shown on FortiGate_B) matches D, while A confuses config-sync with connectionless session pickup.


Adam 2026-01-20 14:40:48

Selected Answers: D


A is wrong because standalone-config-sync is for configuration synchronization, not session synchronization

B is wrong because there's no active-passive with FGSP, but it's controlled by the external load balancer, and even with normal active-passive HA, session sync works fine from active unit to passive unit

C is wrong because even if we have session synchronization encryption using IPsec with pre-shared key, it will be encrypted in the transit between FortiGates, but "get system session list" will show decrypted session info

D is correct as per the below part from Study Guide:
# To sync connectionless sessions (UDP and ICMP)
config system ha
    set session-pickup enable
    set session-pickup-connectionless enable
end
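
Added example (not part of the comments above or of Fortinet's material): a Python check that reads a FortiGate configuration backup and reports which session types its config system ha settings cover for pickup, so a peer with the connectionless option left unset is easy to spot. The sample config is constructed, the function names are hypothetical, and it assumes options absent from a backup are at their default of disable.

```python
import re

# Constructed sample: excerpt of a FortiGate_B-style backup (defaults are omitted).
SAMPLE_B = """\
config system ha
    set session-pickup enable
end
config system cluster-sync
    edit 1
        set peerip 10.0.0.1
    next
end
"""

def ha_settings(config_text):
    """Return {option: value} from the top-level 'config system ha' block."""
    settings, in_ha, depth = {}, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            if depth == 0 and line == "config system ha":
                in_ha = True
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                in_ha = False
        elif in_ha and depth == 1:  # ignore 'set' lines in nested sub-tables
            m = re.match(r'set (\S+) "?([^"]*)"?$', line)
            if m:
                settings[m.group(1)] = m.group(2)
    return settings

def synced_session_types(config_text):
    """Session types covered by pickup; unset options are treated as 'disable'."""
    ha = ha_settings(config_text)
    if ha.get("session-pickup", "disable") != "enable":
        return []
    types = ["tcp"]
    # Connectionless pickup only matters once session-pickup itself is enabled.
    if ha.get("session-pickup-connectionless", "disable") == "enable":
        types += ["udp", "icmp"]
    return types

if __name__ == "__main__":
    print(synced_session_types(SAMPLE_B))
```

Run it against the backup of every FGSP peer; a unit that reports only tcp matches the symptom in this question, where grep icmp on the session list returns nothing.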