View all questions & answers for the NSE 6 - Network Security 7.6 Support Engineer Materials exam


Question 36 Discussion

Refer to the exhibit The partial output of diagnose sys session stat command is shown. Which statement about the output shown in the exhibit is correct? (Choose one answer)

  • A. There have been 131072 recorded ephemeral sessions but there are no current ones.
  • B. 27 sessions have expired but are still in the session table in case any out-of-order packets arrive.
  • C. 113 sessions have been dropped because of memory page exhaustion.
  • D. 562 TCP sessions have their proto_state set to 01 if there is no inspection.
Correct Answer: B

Brave-Dump Clients Votes

A 40%
B 40%
D 20%

Comments



Brave-Dumps Admin 2025-10-25 00:04:16

Selected Answers: A


the output shows ephemeral=0/131072, which indicates 0 current ephemeral sessions and a total/limit value of 131072. The other options don’t match the stats: clash=113 is not a memory drop (memory_tension_drop=0), 27 are in CLOSE (not “expired and kept”), and 562 are ESTABLISHED (not proto_state 01).

What do you think?

TungTungSahur 2025-11-23 21:37:33

Selected Answers: B


The answer is actually B and not A, the number 131072 indicates the maximum number of ephemeral sessions the device can hold.
The CLOSE_WAIT state in indicates the device is waiting for the local application to close a TCP connection after receiving a FIN packet from the remote peer
  • Manuel Mejia 2025-12-26 08:49:26
    Thats correct: "When a session is closed by both sides, FortiGate keeps that session in the session table for a few seconds more, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5." https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988
  • Manuel Mejia 2025-12-26 08:49:32
    Thats correct: "When a session is closed by both sides, FortiGate keeps that session in the session table for a few seconds more, to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5." https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988

James 2026-01-24 23:17:50

Selected Answers: B


27 in CLOSE state
This is the important one.
CLOSE state means: TCP session is logically closed
Session entry is kept temporarily
Purpose: handle late or out-of-order packets
This is normal TCP behavior on FortiGate.

Mehdi 2026-02-16 12:20:51

Selected Answers: A


The format is current_ephemeral / maximum_ephemeral_limit (or total recorded/allocated for ephemeral sessions in some contexts, but here it's the capacity/limit)

Anonymous User 2026-02-17 21:27:40

Selected Answers: D


proto_state=01 is tcp state established without inspection

For TCP, the first number (from left to right) is related to the server-side state and is 0 when the session is not subject to any inspection (flow or proxy). If flow or proxy inspection is done, then the first digit will be different from 0.

The second digit is the client-side state. The table above correlates the second-digit value with the different TCP session states. For example, when FortiGate receives the SYN packet, the second digit is 2. It changes to 3 when the SYN/ACK packet is received. After the three-way handshake, the state value changes to 1.


When a session is closed by both sides, FortiGate keeps that session in the session table for a few seconds more to allow for any out-of-order packets that might arrive after the FIN/ACK packet. This is the state value 5=TIME_WAIT.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGate-session-table-information/ta-p/196988