View all questions & answers for the NSE 6 - Network Security 7.6 Support Engineer Materials exam


Question 45 Discussion

Refer to the exhibit. Which two observations can you make about the web filter traffic captured using the flow tool? (Choose two answers)

  • A. The web filter profile is configured with proxy-based inspection mode.
  • B. The HTTPS port is mapped to 443 in the SSL/SSH Inspection Profile.
  • C. The session is offloaded to the NPU.
  • D. The firewall policy is configured with proxy-based inspection mode.
Correct Answer: C,D

Brave-Dump Clients Votes

AD 75%
AC 25%

Comments



gerardo echeto 2026-01-07 21:12:55

Selected Answers: A, D


Why are A and D correct?

A (Web Filter in Proxy mode): The line `msg="send to application layer"` is irrefutable proof. Only when a profile (like the Web Filter) is in Proxy mode is traffic sent to the "Application Layer" (the WAD daemon).

D (Firewall Policy in Proxy mode): In current versions of FortiOS, for traffic to be sent to the application layer in this way, the firewall policy must be configured in Proxy Inspection Mode.

Why is C incorrect (even though it shows 0x100)?

Proxy-based = CPU.

Flow-based = NPU (Offload).

The value `npu_state=0x100` in this debug is a "false positive" for actual offload. It indicates that the software identified the session, but the subsequent `send to application layer` message overrides any hardware acceleration. The traffic remains on the CPU because the NPU cannot process proxies.

James 2026-01-24 23:58:16

Selected Answers: A, D


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reasons-why-the-session-is-not-offloaded-to-NPU/ta-p/336627
Reasons why the session is not offloaded to NPU
2. The firewall policy includes proxy-based security profiles.
3. Accepted by firewall policies that include proxy-based virus scanning, proxy-based web filtering, DNS filtering, DLP, Anti-Spam, VoIP, ICAP, Web Application Firewall, or Proxy options.

Mehdi 2026-02-12 18:22:19

Selected Answers: A, D


msg="send to application layer" this is proxy based inspection , for flow based you'd see send to ips so D is correct

Proxy-based inspection is required for certain web filter features (e.g., full URL rewriting, safe search enforcement in some modes), and the debug path confirms proxy handling so A

C : Incorrect because "send to application layer" means the traffic is processed by the proxy daemon (WAD), which runs on CPU

Mehdi 2026-02-16 12:34:39

Selected Answers: A, C


A : inspection mode (proxy-based vs. flow-based) is configured at the security profile level

C: If it were not offloaded, the trace would typically show npu state=0x0 (or 0x0 0x0), often with a no_ofld_reason