{"id":128886,"date":"2026-06-30T07:09:35","date_gmt":"2026-06-30T07:09:35","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=128886"},"modified":"2026-06-30T07:09:39","modified_gmt":"2026-06-30T07:09:39","slug":"fortinet-nse5_fwf_ad-7-6-exam-dumps-v8-02-reliable-study-materials-for-secure-wireless-lan-7-6-administrator-preparation","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/fortinet-nse5_fwf_ad-7-6-exam-dumps-v8-02-reliable-study-materials-for-secure-wireless-lan-7-6-administrator-preparation.html","title":{"rendered":"Fortinet NSE5_FWF_AD-7.6 Exam Dumps V8.02: Reliable Study Materials for Secure Wireless LAN 7.6 Administrator Preparation"},"content":{"rendered":"\n<p>The Fortinet NSE 5 &#8211; Secure Wireless LAN 7.6 Administrator certification stands as a premier credential for network professionals aiming to demonstrate their expertise in deploying, configuring, and troubleshooting Fortinet wireless architectures. To support their excellent preparation, DumpsBase offers Fortinet NSE5_FWF_AD-7.6 exam dumps V8.02, offering 100 expert-verified exam questions, PDF format, practice testing engine, and one year of free update to streamline your preparation and approach test day with complete confidence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">NSE5_FWF_AD-7.6 &amp; FCP_FWF_AD-7.4: Which is the Most Current Version for Secure Wireless LAN Administrator Exam<\/h2>\n\n\n\n<p>The Fortinet NSE 5 Secure Wireless LAN Administrator is available for the Fortinet <strong><em><a href=\"https:\/\/www.dumpsbase.com\/fcp-in-secure-networking.html\">FCP in Secure Networking<\/a><\/em><\/strong> credential. You will be highly recommended to take the NSE5_FWF_AD-7.6 Fortinet NSE 5 &#8211; Secure Wireless LAN 7.6 Administrator exam to complete this certification, due to the FCP_FWF_AD-7.4 Fortinet NSE 5 &#8211; Secure Wireless LAN 7.4 Administrator is retiring on August 31, 2026.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">NSE5_FWF_AD-7.6 Free Dumps: 40 Free Practice Questions Available for Checking<\/h2>\n\n\n\n<p>When preparing for your NSE5_FWF_AD-7.6 exam, you must believe that our dumps are the reliable study materials. To help you make a decision, we have NSE5_FWF_AD-7.6 free dumps online, containing 40 free practice questions. These demo questions cover key topics for the Fortinet NSE 5 Secure Wireless LAN 7.6 Administrator exam, including wireless fundamentals, FortiAP management, security, monitoring, and troubleshooting. They focus on RF design, FortiAP deployment, authentication methods, network security, and performance optimization to help you prepare for real-world wireless scenarios and exam readiness.<\/p>\n\n\n<script>\n\t  window.fbAsyncInit = function() {\n\t    FB.init({\n\t      appId            : '622169541470367',\n\t      autoLogAppEvents : true,\n\t      xfbml            : true,\n\t      version          : 'v3.1'\n\t    });\n\t  };\n\t\n\t  (function(d, s, id){\n\t     var js, fjs = d.getElementsByTagName(s)[0];\n\t     if (d.getElementById(id)) {return;}\n\t     js = d.createElement(s); js.id = id;\n\t     js.src = \"https:\/\/connect.facebook.net\/en_US\/sdk.js\";\n\t     fjs.parentNode.insertBefore(js, fjs);\n\t   }(document, 'script', 'facebook-jssdk'));\n\t<\/script><script type=\"text\/javascript\" >\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \nif(!window.jQuery) alert(\"The important jQuery library is not properly loaded in your site. Your WordPress theme is probably missing the essential wp_head() call. You can switch to another theme and you will see that the plugin works fine and this notice disappears. If you are still not sure what to do you can contact us for help.\");\n});\n<\/script>  \n  \n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam12622\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-12622\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-12622\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-490570'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>Scenario: A branch administrator connects a replacement FortiAP after the previous unit fails. The new device receives an IP address, discovers the FortiGate, and appears in the Managed FortiAPs table with a discovered status. The expected corporate and guest SSIDs are not broadcast, although the device remains reachable and repeatedly exchanges control traffic with the controller. The organization does not allow automatic authorization of unknown FortiAP serial numbers.<\/div><input type='hidden' name='question_id[]' id='qID_1' value='490570' \/><input type='hidden' id='answerType490570' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490570[]' id='answer-id-1894830' class='answer   answerof-490570 ' value='1894830'   \/><label for='answer-id-1894830' id='answer-label-1894830' class=' answer'><span>Authorize the discovered FortiAP and assign the model-compatible FortiAP profile that contains the required radio and SSID configuration..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490570[]' id='answer-id-1894831' class='answer   answerof-490570 ' value='1894831'   \/><label for='answer-id-1894831' id='answer-label-1894831' class=' answer'><span>Create firewall policies from the corporate and guest SSID interfaces before authorization, because FortiGate suppresses beacon transmission until forwarding policies exist..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490570[]' id='answer-id-1894832' class='answer   answerof-490570 ' value='1894832'   \/><label for='answer-id-1894832' id='answer-label-1894832' class=' answer'><span>Configure DHCP option 138 again with the FortiGate address, because an AP shown as discovered has located the controller but has not completed Layer 3 controller discovery..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490570[]' id='answer-id-1894833' class='answer   answerof-490570 ' value='1894833'   \/><label for='answer-id-1894833' id='answer-label-1894833' class=' answer'><span>Enable local bridge mode on each SSID so the replacement FortiAP can broadcast wireless networks before the controller approves the device.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-490571'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>Scenario: A global company manages FortiAP devices at small branch offices from a central FortiGate across an SD-WAN service. Most wireless traffic at each branch is destined for a local file server, local printer, or the branch Internet gateway. The company wants centralized SSID and radio management, but it must avoid sending ordinary client traffic through the headquarters controller because the WAN has limited bandwidth and variable latency. Existing branch switches and DHCP servers already support the required local client VLAN.<\/div><input type='hidden' name='question_id[]' id='qID_2' value='490571' \/><input type='hidden' id='answerType490571' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490571[]' id='answer-id-1894834' class='answer   answerof-490571 ' value='1894834'   \/><label for='answer-id-1894834' id='answer-label-1894834' class=' answer'><span>Configure the SSID as Local bridge with FortiAP interface, apply it through the branch FortiAP profile, and ensure the local switching path carries the required client VLA<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490571[]' id='answer-id-1894835' class='answer   answerof-490571 ' value='1894835'   \/><label for='answer-id-1894835' id='answer-label-1894835' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490571[]' id='answer-id-1894836' class='answer   answerof-490571 ' value='1894836'   \/><label for='answer-id-1894836' id='answer-label-1894836' class=' answer'><span>Configure the SSID in tunnel mode and enable CAPWAP fragmentation so local application traffic can be reconstructed at the branch after inspection by the central FortiGate..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490571[]' id='answer-id-1894837' class='answer   answerof-490571 ' value='1894837'   \/><label for='answer-id-1894837' id='answer-label-1894837' class=' answer'><span>Enable AP handoff and split the branch FortiAP devices into groups so client traffic is dynamically forwarded through whichever AP has the shortest WAN path..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490571[]' id='answer-id-1894838' class='answer   answerof-490571 ' value='1894838'   \/><label for='answer-id-1894838' id='answer-label-1894838' class=' answer'><span>Configure the SSID as tunnel mode with DTLS data-channel encryption, because encrypting CAPWAP causes FortiAP devices to perform local Layer 3 breakout automatically.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-490572'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>Scenario: A global enterprise deploys two FortiAP models across its offices: a dual-radio model in small branches and a tri-radio model at high-density headquarters sites. An administrator creates a custom profile based on the headquarters platform, configures the third radio for dedicated monitoring, and attempts to assign the same profile to every managed FortiAP. The headquarters APs accept the configuration, but the branch APs either cannot be assigned the profile or retain their previous radio settings. The SSID and security objects referenced by the profile are valid in the same VDOM.<\/div><input type='hidden' name='question_id[]' id='qID_3' value='490572' \/><input type='hidden' id='answerType490572' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490572[]' id='answer-id-1894839' class='answer   answerof-490572 ' value='1894839'   \/><label for='answer-id-1894839' id='answer-label-1894839' class=' answer'><span>Convert the profile into an SSID group because SSID groups automatically translate radio settings between FortiAP platforms that contain different numbers of physical radios..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490572[]' id='answer-id-1894840' class='answer   answerof-490572 ' value='1894840'   \/><label for='answer-id-1894840' id='answer-label-1894840' class=' answer'><span>Enable per-device configuration overrides on every branch AP so the FortiGate can emulate the missing third radio while preserving the original headquarters profile..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490572[]' id='answer-id-1894841' class='answer   answerof-490572 ' value='1894841'   \/><label for='answer-id-1894841' id='answer-label-1894841' class=' answer'><span>Create separate FortiAP profiles for each supported platform, reproduce the common SSID requirements in both profiles, and configure model-specific radio capabilities only where the hardware supports them..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490572[]' id='answer-id-1894842' class='answer   answerof-490572 ' value='1894842'   \/><label for='answer-id-1894842' id='answer-label-1894842' class=' answer'><span>Change the headquarters profile to use automatic platform detection because a single custom FortiAP profile can dynamically add or remove physical radios after it is assigned.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-490573'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>Scenario: An administrator clones a production FortiAP profile to create a troubleshooting profile for one remote site. To investigate suspected rogue devices, the administrator changes the 5 GHz radio mode from access point to monitor and assigns a WIDS profile. After the new profile is applied, the FortiAP remains online and continues reporting detected neighboring radios, but the site's 5 GHz employee SSID disappears. The 2.4 GHz employee SSID remains available.<\/div><input type='hidden' name='question_id[]' id='qID_4' value='490573' \/><input type='hidden' id='answerType490573' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490573[]' id='answer-id-1894843' class='answer   answerof-490573 ' value='1894843'   \/><label for='answer-id-1894843' id='answer-label-1894843' class=' answer'><span>Return the 5 GHz radio to access-point mode if it must serve clients, or dedicate a separate supported radio to monitor mode while leaving the production radio in access-point mode..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490573[]' id='answer-id-1894844' class='answer   answerof-490573 ' value='1894844'   \/><label for='answer-id-1894844' id='answer-label-1894844' class=' answer'><span>Add the employee SSID to the WIDS profile because monitor-mode radios advertise only VAPs that are explicitly listed inside the assigned WIDS object..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490573[]' id='answer-id-1894845' class='answer   answerof-490573 ' value='1894845'   \/><label for='answer-id-1894845' id='answer-label-1894845' class=' answer'><span>Enable local bridge mode on the employee SSID because monitor mode suppresses only tunnel-mode VAPs and continues advertising bridged wireless networks..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490573[]' id='answer-id-1894846' class='answer   answerof-490573 ' value='1894846'   \/><label for='answer-id-1894846' id='answer-label-1894846' class=' answer'><span>Assign the employee SSID directly to the managed FortiAP entry because per-device VAP overrides take precedence over the radio's monitor operating mode.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-490574'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>Scenario: A university is migrating a certificate-authenticated employee WLAN from WPA2-Enterprise to WPA3-Enterprise. Newly managed laptops support WPA3 and PMF, but a limited population of specialized laboratory systems supports only WPA2-Enterprise and cannot be replaced until the next budget cycle. Both populations use EAP-TLS against the same RADIUS infrastructure, and the university wants to maintain one SSID during the controlled migration. The final design will move to WPA3-only after the laboratory systems are retired.<\/div><input type='hidden' name='question_id[]' id='qID_5' value='490574' \/><input type='hidden' id='answerType490574' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490574[]' id='answer-id-1894847' class='answer   answerof-490574 ' value='1894847'   \/><label for='answer-id-1894847' id='answer-label-1894847' class=' answer'><span>Configure WPA3-only Enterprise and disable PMF for the laboratory systems because WPA2 clients can associate with a WPA3-only SSID whenever management-frame protection is disabled..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490574[]' id='answer-id-1894848' class='answer   answerof-490574 ' value='1894848'   \/><label for='answer-id-1894848' id='answer-label-1894848' class=' answer'><span>Replace EAP-TLS with an MPSK profile because one MPSK key can transparently negotiate WPA2-Enterprise for older clients and WPA3-Enterprise for newer clients..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490574[]' id='answer-id-1894849' class='answer   answerof-490574 ' value='1894849'   \/><label for='answer-id-1894849' id='answer-label-1894849' class=' answer'><span>Use the supported WPA2\/WPA3 Enterprise transition configuration during the migration, preserve EAP-TLS, and verify PMF compatibility before later enforcing WPA3-only operation..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490574[]' id='answer-id-1894850' class='answer   answerof-490574 ' value='1894850'   \/><label for='answer-id-1894850' id='answer-label-1894850' class=' answer'><span>Configure OWE Transition mode because it allows WPA2-Enterprise clients to use the open transition BSSID while WPA3-Enterprise clients continue authenticating with certificates.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-490575'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>Scenario: A security-sensitive campus uses tri-radio FortiAP devices. Radios 1 and 2 provide production access on 2.4 GHz and 5 GHz, while radio 3 currently serves additional 5 GHz clients during peak hours. The security team requires continuous scanning of selected 2.4 GHz and 5 GHz channels for unauthorized APs without repeatedly interrupting production radios to perform off-channel scans. Capacity analysis shows that radios 1 and 2 can support the existing client load after minor channel-width optimization.<\/div><input type='hidden' name='question_id[]' id='qID_6' value='490575' \/><input type='hidden' id='answerType490575' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490575[]' id='answer-id-1894851' class='answer   answerof-490575 ' value='1894851'   \/><label for='answer-id-1894851' id='answer-label-1894851' class=' answer'><span>Leave all three radios in access-point mode and shorten the background-scan interval so each production radio leaves its operating channel more frequently to inspect the selected channels..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490575[]' id='answer-id-1894852' class='answer   answerof-490575 ' value='1894852'   \/><label for='answer-id-1894852' id='answer-label-1894852' class=' answer'><span>Configure radio 3 as an additional 5 GHz access radio and attach a WIDS profile directly to its production SSIDs so scanning occurs between client transmissions..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490575[]' id='answer-id-1894853' class='answer   answerof-490575 ' value='1894853'   \/><label for='answer-id-1894853' id='answer-label-1894853' class=' answer'><span>Disable the third radio and increase the WIDS sensitivity of radios 1 and 2 because a disabled radio can still passively report foreign-channel frames to the controller..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490575[]' id='answer-id-1894854' class='answer   answerof-490575 ' value='1894854'   \/><label for='answer-id-1894854' id='answer-label-1894854' class=' answer'><span>Enable dedicated scanning in a compatible FortiAP profile, place radio 3 in monitor mode, apply a WIDS profile with the required scan-channel list, and retain radios 1 and 2 for client service.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-490576'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>Scenario: An enterprise replaces the server certificate on its RADIUS platform during a PKI migration. The new certificate is valid, contains the expected authentication-server name, and is signed by a newly introduced intermediate and root CA. Immediately after the change, managed laptops stop joining the WPA2\/WPA3-Enterprise SSID even though the FortiGate can reach the RADIUS server and the RADIUS service receives the initial EAP requests. Client logs show that the supplicants terminate authentication while validating the server certificate.<\/div><input type='hidden' name='question_id[]' id='qID_7' value='490576' \/><input type='hidden' id='answerType490576' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490576[]' id='answer-id-1894855' class='answer   answerof-490576 ' value='1894855'   \/><label for='answer-id-1894855' id='answer-label-1894855' class=' answer'><span>Disable server-certificate validation in the client WLAN profile so EAP-TLS and PEAP can continue without requiring any trusted authentication-server identity..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490576[]' id='answer-id-1894856' class='answer   answerof-490576 ' value='1894856'   \/><label for='answer-id-1894856' id='answer-label-1894856' class=' answer'><span>Distribute the new CA trust chain and correct server-name validation settings to managed clients before or during the certificate cutover, while retaining certificate validation..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490576[]' id='answer-id-1894857' class='answer   answerof-490576 ' value='1894857'   \/><label for='answer-id-1894857' id='answer-label-1894857' class=' answer'><span>Import the new RADIUS server certificate into the FortiGate local certificate store because FortiGate trust automatically propagates to every wireless client during association..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490576[]' id='answer-id-1894858' class='answer   answerof-490576 ' value='1894858'   \/><label for='answer-id-1894858' id='answer-label-1894858' class=' answer'><span>Replace enterprise authentication with WPA3-SAE until the PKI migration is complete because SAE uses the client certificate without checking the RADIUS server chain.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-490577'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. <\/span>Scenario: A government agency uses a dedicated WPA2-Enterprise SSID for managed voice handsets. A wireless assessment demonstrates that an attacker can transmit forged deauthentication and disassociation frames, causing active calls to disconnect even though the attacker cannot decrypt user traffic. Every approved handset model supports IEEE 802.11w Protected Management Frames, and the agency no longer needs to support legacy clients on this SSID. The administrator must prevent non-PMF clients from joining rather than merely preferring protection when available.<\/div><input type='hidden' name='question_id[]' id='qID_8' value='490577' \/><input type='hidden' id='answerType490577' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490577[]' id='answer-id-1894859' class='answer   answerof-490577 ' value='1894859'   \/><label for='answer-id-1894859' id='answer-label-1894859' class=' answer'><span>Configure PMF as required on the VAP so only clients capable of negotiating protected management frames can associate with the secure voice SSI<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490577[]' id='answer-id-1894860' class='answer   answerof-490577 ' value='1894860'   \/><label for='answer-id-1894860' id='answer-label-1894860' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490577[]' id='answer-id-1894861' class='answer   answerof-490577 ' value='1894861'   \/><label for='answer-id-1894861' id='answer-label-1894861' class=' answer'><span>Configure PMF as optional so compatible handsets protect management frames while unsupported clients are accepted and isolated through FortiGate firewall policies..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490577[]' id='answer-id-1894862' class='answer   answerof-490577 ' value='1894862'   \/><label for='answer-id-1894862' id='answer-label-1894862' class=' answer'><span>Enable Opportunistic Key Caching so each handset reuses its PMK during roaming and therefore rejects all unauthenticated deauthentication frames..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490577[]' id='answer-id-1894863' class='answer   answerof-490577 ' value='1894863'   \/><label for='answer-id-1894863' id='answer-label-1894863' class=' answer'><span>Enable Beacon Protection in the FortiAP profile because protected beacon frames automatically encrypt every deauthentication and disassociation frame exchanged by the clients.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-490578'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>9. <\/span>Scenario: A security team changes the data-channel policy in a remote-site FortiAP profile from clear text to DTLS-only. The FortiAP devices at the site had previously been configured locally to permit only clear-text data-channel operation. After the profile change, the APs can still reach the FortiGate IP address, but they repeatedly fail to complete the managed wireless connection and no tunnel-mode SSIDs become operational. The CAPWAP control channel is not blocked by the WAN firewall.<\/div><input type='hidden' name='question_id[]' id='qID_9' value='490578' \/><input type='hidden' id='answerType490578' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490578[]' id='answer-id-1894864' class='answer   answerof-490578 ' value='1894864'   \/><label for='answer-id-1894864' id='answer-label-1894864' class=' answer'><span>Revert the FortiGate interface to clear-text administrative access because the CAPWAP control channel must use the same encryption setting as the wireless data channel..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490578[]' id='answer-id-1894865' class='answer   answerof-490578 ' value='1894865'   \/><label for='answer-id-1894865' id='answer-label-1894865' class=' answer'><span>Align the FortiAP and FortiGate data-channel security settings so both ends support DTLS, then verify performance because software-based encryption can reduce throughput..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490578[]' id='answer-id-1894866' class='answer   answerof-490578 ' value='1894866'   \/><label for='answer-id-1894866' id='answer-label-1894866' class=' answer'><span>Enable WPA3-Enterprise on every SSID so the encrypted 802.11 payload automatically negotiates a compatible CAPWAP data-channel policy with the controller..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490578[]' id='answer-id-1894867' class='answer   answerof-490578 ' value='1894867'   \/><label for='answer-id-1894867' id='answer-label-1894867' class=' answer'><span>Configure the FortiAP profile for both clear text and DTLS simultaneously, because FortiGate always selects DTLS when both methods are enabled at each endpoint.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-490579'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. <\/span>Scenario: An enterprise is migrating branch FortiAP devices from an old FortiGate controller to a new high-availability FortiGate cluster. The branch DHCP server currently supplies multiple controller addresses in option 138, with the old controller listed first. Even after the new cluster is configured to manage the APs, rebooted FortiAP devices continue to discover and join the old controller whenever it is reachable. The migration team must move the APs in a controlled manner without relying on manual configuration at every branch.<\/div><input type='hidden' name='question_id[]' id='qID_10' value='490579' \/><input type='hidden' id='answerType490579' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490579[]' id='answer-id-1894868' class='answer   answerof-490579 ' value='1894868'   \/><label for='answer-id-1894868' id='answer-label-1894868' class=' answer'><span>Enable automatic authorization on both controllers so each FortiAP can maintain simultaneous CAPWAP control sessions and select the controller with the lowest latency..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490579[]' id='answer-id-1894869' class='answer   answerof-490579 ' value='1894869'   \/><label for='answer-id-1894869' id='answer-label-1894869' class=' answer'><span>Assign the new FortiGate cluster's FortiAP profile to the AP entries on the old controller, causing the profile download to replace the controller address stored in DHCP option 138..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490579[]' id='answer-id-1894870' class='answer   answerof-490579 ' value='1894870'   \/><label for='answer-id-1894870' id='answer-label-1894870' class=' answer'><span>Configure a FortiAP group on the new controller with a higher priority than the old group, because FortiAP group precedence overrides the discovery address order supplied by DHC<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490579[]' id='answer-id-1894871' class='answer   answerof-490579 ' value='1894871'   \/><label for='answer-id-1894871' id='answer-label-1894871' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490579[]' id='answer-id-1894872' class='answer   answerof-490579 ' value='1894872'   \/><label for='answer-id-1894872' id='answer-label-1894872' class=' answer'><span>Update option 138 so the new cluster address has the intended priority or is the only active controller address, verify successful discovery and authorization, and then deauthorize or retire the old-controller entries.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-490580'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. <\/span>Scenario: A public library wants to replace its completely open visitor WLAN. The library does not want to issue accounts, distribute a shared password, or identify individual visitors, but it requires encryption between each supported client and the FortiAP to prevent passive over-the-air capture. All client devices included in the supported-use policy are OWE capable, and Internet access will still be restricted by FortiGate firewall and web-filtering policies. The solution must not imply that visitors have been authenticated.<\/div><input type='hidden' name='question_id[]' id='qID_11' value='490580' \/><input type='hidden' id='answerType490580' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490580[]' id='answer-id-1894873' class='answer   answerof-490580 ' value='1894873'   \/><label for='answer-id-1894873' id='answer-label-1894873' class=' answer'><span>Configure the visitor SSID with Opportunistic Wireless Encryption and continue enforcing acceptable-use controls through the FortiGate traffic policy..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490580[]' id='answer-id-1894874' class='answer   answerof-490580 ' value='1894874'   \/><label for='answer-id-1894874' id='answer-label-1894874' class=' answer'><span>Configure WPA3-SAE with a password displayed on public signs because SAE provides anonymous encryption without requiring clients to possess a shared credential..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490580[]' id='answer-id-1894875' class='answer   answerof-490580 ' value='1894875'   \/><label for='answer-id-1894875' id='answer-label-1894875' class=' answer'><span>Retain an open SSID and add a captive portal disclaimer because accepting the disclaimer automatically negotiates per-client Layer 2 encryption keys..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490580[]' id='answer-id-1894876' class='answer   answerof-490580 ' value='1894876'   \/><label for='answer-id-1894876' id='answer-label-1894876' class=' answer'><span>Configure WPA3-Enterprise with anonymous outer identities and no RADIUS server because the FortiAP can complete EAP authentication locally for unidentified visitors.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-490581'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. <\/span>Scenario: A company deploys a tunnel-mode guest SSID with a FortiGate captive portal that authenticates users through a SAML identity provider. Guests associate successfully, receive IP addresses, and are redirected toward the portal, but the browser cannot load the identity-provider sign-in page before authentication. Packet logs show that the normal Internet policy requires membership in the SAML guest group, so unauthenticated clients cannot resolve the provider hostname or reach the provider's HTTPS endpoints. The company must not grant unrestricted Internet access before authentication.<\/div><input type='hidden' name='question_id[]' id='qID_12' value='490581' \/><input type='hidden' id='answerType490581' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490581[]' id='answer-id-1894877' class='answer   answerof-490581 ' value='1894877'   \/><label for='answer-id-1894877' id='answer-label-1894877' class=' answer'><span>Add the identity-provider FQDN to the FortiAP profile as an SSID-group member so the FortiAP advertises the SAML service before the guest portal is opened..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490581[]' id='answer-id-1894878' class='answer   answerof-490581 ' value='1894878'   \/><label for='answer-id-1894878' id='answer-label-1894878' class=' answer'><span>Create narrowly scoped captive-portal exemptions or pre-authentication policies for required DNS and identity-provider endpoints, then retain a separate policy using the SAML group for normal post-authentication access..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490581[]' id='answer-id-1894879' class='answer   answerof-490581 ' value='1894879'   \/><label for='answer-id-1894879' id='answer-label-1894879' class=' answer'><span>Change the guest SSID to WPA3-Enterprise and configure the SAML server as the RADIUS server so the identity-provider exchange occurs during the 802.1X association process..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490581[]' id='answer-id-1894880' class='answer   answerof-490581 ' value='1894880'   \/><label for='answer-id-1894880' id='answer-label-1894880' class=' answer'><span>Convert the SSID to local bridge mode because SAML captive portal authentication cannot operate when guest packets are tunneled to the FortiGate controller.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-490582'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. <\/span>Scenario: A financial institution uses a shared SSID group containing an employee tunnel-mode SSID and a contractor local-bridge SSID. The group is referenced by the standard branch FortiAP profile. A new secure-trading-floor profile is cloned from the branch profile, but the administrator forgets to remove the shared SSID group. As a result, the contractor local-bridge SSID is advertised in the trading area and places authenticated contractor devices directly onto a locally switched VLAN that is not inspected by the central FortiGate data path. The trading-floor requirement permits only the centrally inspected employee SSID.<\/div><input type='hidden' name='question_id[]' id='qID_13' value='490582' \/><input type='hidden' id='answerType490582' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490582[]' id='answer-id-1894881' class='answer   answerof-490582 ' value='1894881'   \/><label for='answer-id-1894881' id='answer-label-1894881' class=' answer'><span>Retain both SSIDs and enable AP handoff so contractor clients are redirected from the trading-floor APs to branch APs before their local-bridge traffic reaches the switch..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490582[]' id='answer-id-1894882' class='answer   answerof-490582 ' value='1894882'   \/><label for='answer-id-1894882' id='answer-label-1894882' class=' answer'><span>Convert the employee SSID to local bridge mode as well, ensuring both VAPs use the same forwarding architecture and therefore receive equivalent FortiGate inspection..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490582[]' id='answer-id-1894883' class='answer   answerof-490582 ' value='1894883'   \/><label for='answer-id-1894883' id='answer-label-1894883' class=' answer'><span>Remove the shared group from the trading-floor profile, reference only the approved employee SSID or a dedicated restricted SSID group, and verify that the contractor VAP is no longer instantiated on those radios..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490582[]' id='answer-id-1894884' class='answer   answerof-490582 ' value='1894884'   \/><label for='answer-id-1894884' id='answer-label-1894884' class=' answer'><span>Preserve the shared group but remove the contractor VLAN from the trading-floor switch trunk because the missing VLAN will prevent the SSID from being advertised by the FortiA<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-490583'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>Scenario: A university deploys new FortiAP devices in a residence hall located on a routed management subnet. Each FortiAP receives a valid IP address, default gateway, and DNS server from a third-party DHCP service, and administrators can ping the FortiGate wireless-controller interface from the AP subnet. FortiAP devices connected directly to the controller subnet are discovered immediately, but none of the residence-hall devices appear under Managed FortiAPs. Packet analysis confirms that local broadcast discovery messages do not cross the building router.<\/div><input type='hidden' name='question_id[]' id='qID_14' value='490583' \/><input type='hidden' id='answerType490583' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490583[]' id='answer-id-1894885' class='answer   answerof-490583 ' value='1894885'   \/><label for='answer-id-1894885' id='answer-label-1894885' class=' answer'><span>Enable automatic authorization on the FortiGate interface so that broadcast discovery packets are converted into routed CAPWAP requests before they reach the controller..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490583[]' id='answer-id-1894886' class='answer   answerof-490583 ' value='1894886'   \/><label for='answer-id-1894886' id='answer-label-1894886' class=' answer'><span>Configure DHCP option 138 with the reachable FortiGate controller address, or provide the corresponding controller FQDN through the supported DNS discovery method..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490583[]' id='answer-id-1894887' class='answer   answerof-490583 ' value='1894887'   \/><label for='answer-id-1894887' id='answer-label-1894887' class=' answer'><span>Assign the residence-hall FortiAP devices a local-bridge SSID so their management broadcasts are bridged transparently across the routed network to the FortiGate..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490583[]' id='answer-id-1894888' class='answer   answerof-490583 ' value='1894888'   \/><label for='answer-id-1894888' id='answer-label-1894888' class=' answer'><span>Enable AP handoff and FortiAP group discovery so neighboring managed APs can relay the undiscovered devices' controller requests through their CAPWAP data tunnels.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-490584'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. <\/span>Scenario: A hotel provides a tunnel-mode guest SSID with captive portal authentication. Guests can access the Internet through a restricted FortiGate policy and are blocked from reaching hotel management networks, but security testing shows that two guests associated with the same VAP can communicate directly with each other. The hotel must prevent peer-to-peer traffic between guest stations while retaining access to the default gateway, DHCP, DNS, and approved Internet destinations. The existing firewall policy from the guest interface to the Internet is already correctly restricted.<\/div><input type='hidden' name='question_id[]' id='qID_15' value='490584' \/><input type='hidden' id='answerType490584' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490584[]' id='answer-id-1894889' class='answer   answerof-490584 ' value='1894889'   \/><label for='answer-id-1894889' id='answer-label-1894889' class=' answer'><span>Remove the guest-to-guest firewall policy because all traffic between stations associated with the same VAP is always evaluated by an explicit inter-interface FortiGate policy..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490584[]' id='answer-id-1894890' class='answer   answerof-490584 ' value='1894890'   \/><label for='answer-id-1894890' id='answer-label-1894890' class=' answer'><span>Enable AP handoff so the FortiGate distributes guest clients among different FortiAP devices, preventing clients connected to separate radios from exchanging Layer 2 frames..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490584[]' id='answer-id-1894891' class='answer   answerof-490584 ' value='1894891'   \/><label for='answer-id-1894891' id='answer-label-1894891' class=' answer'><span>Convert the guest SSID to WPA3-Enterprise because enterprise authentication automatically denies communication between clients that receive addresses from the same subnet..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490584[]' id='answer-id-1894892' class='answer   answerof-490584 ' value='1894892'   \/><label for='answer-id-1894892' id='answer-label-1894892' class=' answer'><span>Enable intra-VAP privacy or the appropriate client-isolation control on the guest VAP, then verify that required infrastructure services remain reachable through the intended forwarding path.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-490585'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>Scenario: An office campus broadcasts one corporate SSID through multiple closely spaced FortiAP devices. Automatic transmit power is disabled, and all radios use the same relatively high manual level. Voice handsets remain associated with an AP until RSSI falls below -78 dBm even when another FortiAP is visible at a substantially stronger level. The administrator wants to improve roaming for several handset models without causing coverage gaps or repeatedly disconnecting clients that implement different roaming algorithms.<\/div><input type='hidden' name='question_id[]' id='qID_16' value='490585' \/><input type='hidden' id='answerType490585' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490585[]' id='answer-id-1894893' class='answer   answerof-490585 ' value='1894893'   \/><label for='answer-id-1894893' id='answer-label-1894893' class=' answer'><span>Enable AP handoff with a low client threshold and use it as the primary roaming mechanism because FortiGate can transfer existing clients to whichever FortiAP currently reports the strongest signal..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490585[]' id='answer-id-1894894' class='answer   answerof-490585 ' value='1894894'   \/><label for='answer-id-1894894' id='answer-label-1894894' class=' answer'><span>Configure an aggressive sticky-client threshold before modifying radio power so every weak client is disconnected early enough to select the strongest neighboring BSSI<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490585[]' id='answer-id-1894895' class='answer   answerof-490585 ' value='1894895'   \/><label for='answer-id-1894895' id='answer-label-1894895' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490585[]' id='answer-id-1894896' class='answer   answerof-490585 ' value='1894896'   \/><label for='answer-id-1894896' id='answer-label-1894896' class=' answer'><span>Enable bounded automatic transmit-power control, validate the resulting overlap, and then apply conservative 802.11v or sticky-client settings only to client groups whose behavior has been tested..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490585[]' id='answer-id-1894897' class='answer   answerof-490585 ' value='1894897'   \/><label for='answer-id-1894897' id='answer-label-1894897' class=' answer'><span>Increase the transmit power of neighboring FortiAP devices while preserving the current serving-AP power so the larger signal difference compels standards-compliant clients to roam.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-490586'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. <\/span>Scenario: A healthcare organization must connect several hundred diagnostic devices that do not support 802.1X supplicants but can use WPA2 or WPA3 personal security. The devices currently share one PSK, making it impossible to revoke access for a stolen unit without reconfiguring every remaining device. The organization wants each device or device group to use a separately revocable key while continuing to broadcast a limited number of SSIDs. It also wants selected keys to place devices into different VLANs without relying solely on spoofable MAC addresses.<\/div><input type='hidden' name='question_id[]' id='qID_17' value='490586' \/><input type='hidden' id='answerType490586' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490586[]' id='answer-id-1894898' class='answer   answerof-490586 ' value='1894898'   \/><label for='answer-id-1894898' id='answer-label-1894898' class=' answer'><span>Configure RADIUS MAC authentication and maintain each device address in the authentication database, while retaining one shared PSK to encrypt all wireless sessions..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490586[]' id='answer-id-1894899' class='answer   answerof-490586 ' value='1894899'   \/><label for='answer-id-1894899' id='answer-label-1894899' class=' answer'><span>Create a separate WPA3-SAE SSID for every diagnostic device so each SSID has a unique password and can be removed individually if the device is stolen..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490586[]' id='answer-id-1894900' class='answer   answerof-490586 ' value='1894900'   \/><label for='answer-id-1894900' id='answer-label-1894900' class=' answer'><span>Configure WPA3-Enterprise with EAP-TLS and generate certificates on the FortiGate, because the FortiAP can transparently perform the missing 802.1X supplicant functions for each device..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490586[]' id='answer-id-1894901' class='answer   answerof-490586 ' value='1894901'   \/><label for='answer-id-1894901' id='answer-label-1894901' class=' answer'><span>Create an MPSK profile with separately managed keys, associate the required VLAN or group behavior with the appropriate MPSK entries, and apply the profile to a compatible personal-security SSI<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-490587'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>Scenario: A convention center manages 48 FortiAP devices through a FortiGate integrated wireless controller. The 5 GHz radios use a shared custom FortiAP profile configured for 80 MHz channels, DARRP, and automatic transmit power between 14 dBm and 23 dBm. During large events, the WiFi dashboard shows channel utilization above 85%, high retry rates, and strong average client RSSI, while client counts remain evenly distributed across the radios. DARRP changes several primary channels, but neighboring cells continue to occupy overlapping 80 MHz channel blocks and aggregate throughput does not improve.<\/div><input type='hidden' name='question_id[]' id='qID_18' value='490587' \/><input type='hidden' id='answerType490587' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490587[]' id='answer-id-1894902' class='answer   answerof-490587 ' value='1894902'   \/><label for='answer-id-1894902' id='answer-label-1894902' class=' answer'><span>Retain 80 MHz channels, divide the FortiAP devices between two profiles with separate primary-channel lists, and reduce the DARRP evaluation interval so congested radios can change channels more frequently..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490587[]' id='answer-id-1894903' class='answer   answerof-490587 ' value='1894903'   \/><label for='answer-id-1894903' id='answer-label-1894903' class=' answer'><span>Create a high-density FortiAP profile using 20 MHz channels, a locally appropriate DARRP channel list, and lower bounded automatic transmit power to increase channel reuse and reduce excessive cell overlap..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490587[]' id='answer-id-1894904' class='answer   answerof-490587 ' value='1894904'   \/><label for='answer-id-1894904' id='answer-label-1894904' class=' answer'><span>Preserve the existing channel width, lower the AP handoff threshold, and reduce the maximum client count so FortiGate distributes associations more evenly before channel utilization reaches the current level..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490587[]' id='answer-id-1894905' class='answer   answerof-490587 ' value='1894905'   \/><label for='answer-id-1894905' id='answer-label-1894905' class=' answer'><span>Change the profile to 40 MHz channels, preserve the current transmit-power range, and increase the DARRP weighting assigned to channel load so the controller avoids the busiest neighboring radios.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-490588'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>Scenario: A hospital uses EAP-TLS on a voice SSID broadcast by FortiAP devices throughout several buildings. Authentication is secure, but calls experience a noticeable interruption whenever handsets roam because each new AP association triggers another complete EAP exchange with a geographically remote RADIUS server. RF coverage and cell overlap have already been validated, and packet captures show that the delay occurs after reassociation begins rather than during channel discovery. The hospital wants to preserve certificate-based authentication while reducing the repeated authentication delay.<\/div><input type='hidden' name='question_id[]' id='qID_19' value='490588' \/><input type='hidden' id='answerType490588' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490588[]' id='answer-id-1894906' class='answer   answerof-490588 ' value='1894906'   \/><label for='answer-id-1894906' id='answer-label-1894906' class=' answer'><span>Enable AP handoff with a low station threshold so FortiGate moves established voice sessions before the serving AP reaches its maximum client count..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490588[]' id='answer-id-1894907' class='answer   answerof-490588 ' value='1894907'   \/><label for='answer-id-1894907' id='answer-label-1894907' class=' answer'><span>Enable frequency handoff so dual-band handsets remain on the least-utilized radio and bypass certificate authentication when moving between FortiAP devices..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490588[]' id='answer-id-1894908' class='answer   answerof-490588 ' value='1894908'   \/><label for='answer-id-1894908' id='answer-label-1894908' class=' answer'><span>Enable Opportunistic Key Caching on the voice VAP so authentication key information can be shared for previously authenticated clients roaming among APs on the same WLA<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490588[]' id='answer-id-1894909' class='answer   answerof-490588 ' value='1894909'   \/><label for='answer-id-1894909' id='answer-label-1894909' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490588[]' id='answer-id-1894910' class='answer   answerof-490588 ' value='1894910'   \/><label for='answer-id-1894910' id='answer-label-1894910' class=' answer'><span>Change the SSID to WPA3-SAE transition mode so handsets cache the shared password and no longer require communication with the RADIUS server during roaming.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-490589'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>Scenario: A warehouse extension has no Ethernet cabling but is within reliable wireless range of a wired FortiAP connected to the FortiGate. The company plans to deploy two additional FortiAP devices as mesh leaves while retaining centralized authorization and profile management. The project team configures a mesh-backhaul SSID and powers on the leaf APs, but no radio on the wired AP is configured to provide the mesh-root function. The leaf APs remain offline and never appear for authorization.<\/div><input type='hidden' name='question_id[]' id='qID_20' value='490589' \/><input type='hidden' id='answerType490589' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490589[]' id='answer-id-1894911' class='answer   answerof-490589 ' value='1894911'   \/><label for='answer-id-1894911' id='answer-label-1894911' class=' answer'><span>Configure the leaf APs as local-bridge clients of the employee SSID because any locally bridged VAP can automatically carry FortiAP management traffic to the controller..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490589[]' id='answer-id-1894912' class='answer   answerof-490589 ' value='1894912'   \/><label for='answer-id-1894912' id='answer-label-1894912' class=' answer'><span>Enable the wired FortiAP as a mesh root using the intended mesh-backhaul SSID, ensure the required radio resources are available, and then authorize the leaf APs after they connect through the mesh..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490589[]' id='answer-id-1894913' class='answer   answerof-490589 ' value='1894913'   \/><label for='answer-id-1894913' id='answer-label-1894913' class=' answer'><span>Enable AP handoff on the wired FortiAP so it redirects the unauthenticated leaf APs to the FortiGate when its normal client threshold is reached..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490589[]' id='answer-id-1894914' class='answer   answerof-490589 ' value='1894914'   \/><label for='answer-id-1894914' id='answer-label-1894914' class=' answer'><span>Add the mesh-backhaul SSID to an SSID group used by every production AP because mesh leaves discover the controller only when all managed APs advertise an identical root SSI<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-490590'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>Scenario: A company creates a dedicated FortiAP management VLAN on a FortiGate interface. The interface has a valid IP address, provides DHCP leases to FortiAP devices, and includes the wireless-controller address in the DHCP configuration. Newly connected FortiAP devices can ping the interface, and packet captures show controller discovery traffic arriving at the FortiGate, but the FortiGate never creates entries for them in the Managed FortiAPs table. A configuration comparison shows that the equivalent interface at another site has Security Fabric Connection enabled.<\/div><input type='hidden' name='question_id[]' id='qID_21' value='490590' \/><input type='hidden' id='answerType490590' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490590[]' id='answer-id-1894915' class='answer   answerof-490590 ' value='1894915'   \/><label for='answer-id-1894915' id='answer-label-1894915' class=' answer'><span>Enable HTTPS and SSH administrative access on the management interface so the FortiAP devices can authenticate to the FortiGate before beginning CAPWAP negotiation..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490590[]' id='answer-id-1894916' class='answer   answerof-490590 ' value='1894916'   \/><label for='answer-id-1894916' id='answer-label-1894916' class=' answer'><span>Enable DNS Query service on the interface so the FortiGate can resolve the serial numbers contained in the incoming FortiAP discovery requests..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490590[]' id='answer-id-1894917' class='answer   answerof-490590 ' value='1894917'   \/><label for='answer-id-1894917' id='answer-label-1894917' class=' answer'><span>Enable automatic device authorization on the interface and assign a global FortiAP profile, because discovery requests are discarded whenever no default profile has been selected..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490590[]' id='answer-id-1894918' class='answer   answerof-490590 ' value='1894918'   \/><label for='answer-id-1894918' id='answer-label-1894918' class=' answer'><span>Enable Security Fabric Connection on the FortiAP-facing interface so the FortiGate accepts the required management and CAPWAP communication from the AP subnet.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-490591'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. <\/span>Scenario: A multinational company broadcasts the same enterprise SSID from FortiAP devices in several subsidiaries. A centralized RADIUS server must apply a different policy for each subsidiary, but the FortiGate controller is being migrated to an HA cluster and individual AP BSSIDs may change during hardware replacement. Existing RADIUS rules depend on controller source addresses and AP-specific identifiers, causing users to match the wrong subsidiary policy after infrastructure changes. The company wants a stable identifier associated with each subsidiary's wireless service rather than with a specific FortiGate interface or physical AP.<\/div><input type='hidden' name='question_id[]' id='qID_22' value='490591' \/><input type='hidden' id='answerType490591' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490591[]' id='answer-id-1894919' class='answer   answerof-490591 ' value='1894919'   \/><label for='answer-id-1894919' id='answer-label-1894919' class=' answer'><span>Configure a unique SSID display name for each AP because the visible SSID text is always transmitted as the RADIUS NAS-Identifier during enterprise authentication..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490591[]' id='answer-id-1894920' class='answer   answerof-490591 ' value='1894920'   \/><label for='answer-id-1894920' id='answer-label-1894920' class=' answer'><span>Create separate FortiAP groups and use each group name as a Filter-ID returned by the RADIUS server after the client has already been authenticated..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490591[]' id='answer-id-1894921' class='answer   answerof-490591 ' value='1894921'   \/><label for='answer-id-1894921' id='answer-label-1894921' class=' answer'><span>Configure static Called-Station-ID values on every client supplicant so the client determines which subsidiary identifier is included in the FortiGate RADIUS request..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490591[]' id='answer-id-1894922' class='answer   answerof-490591 ' value='1894922'   \/><label for='answer-id-1894922' id='answer-label-1894922' class=' answer'><span>Configure an appropriate custom RADIUS NAS-ID for each subsidiary VAP and update the RADIUS policies to match that stable service identifier.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-490592'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>Scenario: A retailer plans to deploy several hundred FortiAP devices of the same model to new stores. Each site has routed connectivity to a central FortiGate, and DHCP option 138 is already configured. The security team wants approved devices to become operational without individual manual authorization, but it does not want every unknown FortiAP that reaches the controller interface to be automatically trusted. The logistics database provides a predictable serial-number pattern for the shipment.<\/div><input type='hidden' name='question_id[]' id='qID_23' value='490592' \/><input type='hidden' id='answerType490592' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490592[]' id='answer-id-1894923' class='answer   answerof-490592 ' value='1894923'   \/><label for='answer-id-1894923' id='answer-label-1894923' class=' answer'><span>Enable auto-auth-extension-device on the controller-facing interface so any FortiAP that completes discovery is authorized and receives the default model profile..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490592[]' id='answer-id-1894924' class='answer   answerof-490592 ' value='1894924'   \/><label for='answer-id-1894924' id='answer-label-1894924' class=' answer'><span>Leave the FortiAP devices in discovered status and configure FortiAP groups, because group membership automatically changes matching devices to an authorized state..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490592[]' id='answer-id-1894925' class='answer   answerof-490592 ' value='1894925'   \/><label for='answer-id-1894925' id='answer-label-1894925' class=' answer'><span>Pre-authorize the deployment using wildcard serial-number entries associated with the intended FortiAP profile, allowing matching devices to be renamed to their physical serial numbers when discovered..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490592[]' id='answer-id-1894926' class='answer   answerof-490592 ' value='1894926'   \/><label for='answer-id-1894926' id='answer-label-1894926' class=' answer'><span>Configure a DNS wildcard for the FortiAP controller hostname so only FortiAP devices whose serial numbers match the DNS suffix receive a controller address.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-490593'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. <\/span>Scenario: A financial institution currently uses WPA2-Enterprise with PEAP for its employee WLAN. An internal audit finds that unmanaged devices can still submit username-and-password credentials, and the security team now requires certificate-based mutual authentication with no password fallback. All managed laptops already contain unique client certificates issued by the corporate PKI, and the RADIUS infrastructure can validate the certificate chain. The wireless team also wants the strongest supported WPA3 security mode for the managed-device SSID.<\/div><input type='hidden' name='question_id[]' id='qID_24' value='490593' \/><input type='hidden' id='answerType490593' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490593[]' id='answer-id-1894927' class='answer   answerof-490593 ' value='1894927'   \/><label for='answer-id-1894927' id='answer-label-1894927' class=' answer'><span>Configure WPA3-SAE with a complex shared password, enable PMF, and use the existing RADIUS server only to authorize users after the SAE exchange succeeds..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490593[]' id='answer-id-1894928' class='answer   answerof-490593 ' value='1894928'   \/><label for='answer-id-1894928' id='answer-label-1894928' class=' answer'><span>Configure a WPA3-Enterprise SSID using EAP-TLS, require PMF, reference the appropriate RADIUS server, and ensure clients trust the issuing CA used by the authentication service..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490593[]' id='answer-id-1894929' class='answer   answerof-490593 ' value='1894929'   \/><label for='answer-id-1894929' id='answer-label-1894929' class=' answer'><span>Configure OWE for encrypted association and place a captive portal behind the SSID so users authenticate with their existing directory passwords after joining..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490593[]' id='answer-id-1894930' class='answer   answerof-490593 ' value='1894930'   \/><label for='answer-id-1894930' id='answer-label-1894930' class=' answer'><span>Retain PEAP, disable the inner password method, and install the corporate CA certificate on the FortiGate so every client automatically performs certificate-only authentication.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-490594'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>Scenario: A manufacturing plant operates FortiAP devices near automated welding systems and variable-frequency motor drives. During production cycles, clients associated with one 5 GHz radio maintain an RSSI near -53 dBm, but their MCS values fall sharply and transmit retries increase. FortiGate monitoring shows that the radio noise floor rises from approximately -93 dBm to -62 dBm during the same periods, while authentication latency, client count, and wired uplink utilization remain normal. DARRP is enabled, but every channel currently permitted by the radio profile is affected during the production cycle.<\/div><input type='hidden' name='question_id[]' id='qID_25' value='490594' \/><input type='hidden' id='answerType490594' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490594[]' id='answer-id-1894931' class='answer   answerof-490594 ' value='1894931'   \/><label for='answer-id-1894931' id='answer-label-1894931' class=' answer'><span>Configure a per-FortiAP transmit-power override near the regulatory maximum and retain the current channels so the stronger downlink signal produces a larger margin above the measured noise floor..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490594[]' id='answer-id-1894932' class='answer   answerof-490594 ' value='1894932'   \/><label for='answer-id-1894932' id='answer-label-1894932' class=' answer'><span>Increase the ARRP weighting for channel load, reduce the weighting for noise floor, and shorten the DARRP schedule so the radio reacts primarily to client contention rather than intermittent external energy..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490594[]' id='answer-id-1894933' class='answer   answerof-490594 ' value='1894933'   \/><label for='answer-id-1894933' id='answer-label-1894933' class=' answer'><span>Change the radio to 80 MHz operation and enable airtime fairness so affected clients can use the remaining resource units while lower-rate clients receive fewer transmission opportunities..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490594[]' id='answer-id-1894934' class='answer   answerof-490594 ' value='1894934'   \/><label for='answer-id-1894934' id='answer-label-1894934' class=' answer'><span>Use spectrum analysis to identify the interference source, determine whether cleaner permitted channels exist, and revise the FortiAP channel list or physical deployment before tuning DARRP behavior.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-490595'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>Scenario: A financial company replaces older access points with Wi-Fi 6-capable FortiAP devices but retains the previous shared radio profile. The profile uses 80 MHz channels, high fixed transmit power, and several low basic rates for a small legacy client population. FortiGate shows high channel utilization and retries on neighboring radios, while authentication performance and client distribution remain normal. Management expects OFDMA and MU-MIMO to provide additional capacity without changing the RF profile.<\/div><input type='hidden' name='question_id[]' id='qID_26' value='490595' \/><input type='hidden' id='answerType490595' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490595[]' id='answer-id-1894935' class='answer   answerof-490595 ' value='1894935'   \/><label for='answer-id-1894935' id='answer-label-1894935' class=' answer'><span>Preserve the profile and lower the AP handoff threshold because evenly distributing legacy and Wi-Fi 6 clients allows OFDMA to create independent airtime capacity on each FortiA<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490595[]' id='answer-id-1894936' class='answer   answerof-490595 ' value='1894936'   \/><label for='answer-id-1894936' id='answer-label-1894936' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490595[]' id='answer-id-1894937' class='answer   answerof-490595 ' value='1894937'   \/><label for='answer-id-1894937' id='answer-label-1894937' class=' answer'><span>Increase the channel width where most clients support Wi-Fi 6 and retain the high power level because OFDMA resource units prevent neighboring BSSs from contending for the bonded channel..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490595[]' id='answer-id-1894938' class='answer   answerof-490595 ' value='1894938'   \/><label for='answer-id-1894938' id='answer-label-1894938' class=' answer'><span>Disable legacy access on selected FortiAP devices through per-device VAP overrides while retaining 80 MHz channels so MU-MIMO can isolate modern clients from neighboring-cell interference..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490595[]' id='answer-id-1894939' class='answer   answerof-490595 ' value='1894939'   \/><label for='answer-id-1894939' id='answer-label-1894939' class=' answer'><span>Create a density-appropriate FortiAP profile using narrower reusable channels, bounded automatic power, validated minimum rates, and DARRP measurements while retaining Wi-Fi 6 features as efficiency enhancements.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   watupro-question-id-490596'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>Scenario: A retailer uses the same FortiAP model in standard stores, warehouses, and compact urban branches. All APs currently share one custom profile. Warehouse scanners require 2.4 GHz coverage and conservative minimum rates, while urban branches have no 2.4 GHz clients and suffer severe congestion from neighboring networks. An administrator proposes disabling the 2.4 GHz radio in the shared profile to improve urban performance. The change must not interrupt warehouse operations.<\/div><input type='hidden' name='question_id[]' id='qID_27' value='490596' \/><input type='hidden' id='answerType490596' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490596[]' id='answer-id-1894940' class='answer   answerof-490596 ' value='1894940'   \/><label for='answer-id-1894940' id='answer-label-1894940' class=' answer'><span>Create site-specific profiles for the same FortiAP platform, retain 2.4 GHz service and validated rates in warehouses, and disable or repurpose 2.4 GHz only in the urban profile..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490596[]' id='answer-id-1894941' class='answer   answerof-490596 ' value='1894941'   \/><label for='answer-id-1894941' id='answer-label-1894941' class=' answer'><span>Disable 2.4 GHz globally in the shared profile and use per-client frequency handoff exceptions to allow warehouse scanners to continue associating on the disabled band..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490596[]' id='answer-id-1894942' class='answer   answerof-490596 ' value='1894942'   \/><label for='answer-id-1894942' id='answer-label-1894942' class=' answer'><span>Preserve the shared profile and configure FortiAP groups because FortiAP group membership automatically generates different radio settings for each site without separate profiles..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490596[]' id='answer-id-1894943' class='answer   answerof-490596 ' value='1894943'   \/><label for='answer-id-1894943' id='answer-label-1894943' class=' answer'><span>Move warehouse scanners to a separate SSID group because SSID groups can reactivate a physical radio that has been disabled in the assigned FortiAP profile.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-490597'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. <\/span>Scenario: A company creates a new tunnel-mode contractor SSID on its FortiGate and assigns it to the correct FortiAP profile. Contractors can associate, complete RADIUS authentication, and receive addresses from the DHCP server configured on the SSID interface. They can ping the SSID interface address but cannot reach an approved Internet destination, and traffic logs show no matching session from the contractor network. Existing corporate wireless users on a different SSID have normal access.<\/div><input type='hidden' name='question_id[]' id='qID_28' value='490597' \/><input type='hidden' id='answerType490597' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490597[]' id='answer-id-1894944' class='answer   answerof-490597 ' value='1894944'   \/><label for='answer-id-1894944' id='answer-label-1894944' class=' answer'><span>Change the contractor SSID to local bridge mode because tunnel-mode clients cannot use FortiGate firewall policies after receiving an address from an SSID interface..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490597[]' id='answer-id-1894945' class='answer   answerof-490597 ' value='1894945'   \/><label for='answer-id-1894945' id='answer-label-1894945' class=' answer'><span>Enable Security Fabric Connection on the contractor SSID interface so authenticated client traffic is accepted as CAPWAP management communication..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490597[]' id='answer-id-1894946' class='answer   answerof-490597 ' value='1894946'   \/><label for='answer-id-1894946' id='answer-label-1894946' class=' answer'><span>Create or correct the firewall policy from the contractor SSID interface to the permitted destination, including the required security profiles and source NAT behavior..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490597[]' id='answer-id-1894947' class='answer   answerof-490597 ' value='1894947'   \/><label for='answer-id-1894947' id='answer-label-1894947' class=' answer'><span>Add the contractor SSID to the FortiAP management VLAN because client traffic must enter the FortiGate through the same interface used by the CAPWAP control channel.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-490598'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>Scenario: A company divides a large training hall with a temporary RF-attenuating partition. Clients on both sides maintain RSSI values stronger than -60 dBm to the same FortiAP, and the radio noise floor remains stable. Performance is acceptable when users on either side upload separately, but receive errors and retries increase sharply when both groups upload simultaneously. A temporary test using RTS\/CTS reduces the retries but also increases management overhead, and moving one client near an opening in the partition improves performance without changing its AP association.<\/div><input type='hidden' name='question_id[]' id='qID_29' value='490598' \/><input type='hidden' id='answerType490598' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490598[]' id='answer-id-1894948' class='answer   answerof-490598 ' value='1894948'   \/><label for='answer-id-1894948' id='answer-label-1894948' class=' answer'><span>Configure DARRP to exclude the current channel whenever receive errors increase, because a cleaner channel removes collisions between clients that cannot perform mutual carrier detection..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490598[]' id='answer-id-1894949' class='answer   answerof-490598 ' value='1894949'   \/><label for='answer-id-1894949' id='answer-label-1894949' class=' answer'><span>Enable AP handoff and move one client group to a neighboring FortiAP even when that AP uses the same channel, because separate BSSIDs create independent contention domains..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490598[]' id='answer-id-1894950' class='answer   answerof-490598 ' value='1894950'   \/><label for='answer-id-1894950' id='answer-label-1894950' class=' answer'><span>Retain the current cell design and permanently lower the RTS threshold for every FortiAP in the campus profile so all client frames receive additional collision protection..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490598[]' id='answer-id-1894951' class='answer   answerof-490598 ' value='1894951'   \/><label for='answer-id-1894951' id='answer-label-1894951' class=' answer'><span>Redesign the hall into separate cells using appropriate AP placement and reusable channels, while using a tuned RTS threshold only as an interim or validated supplemental control.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   watupro-question-id-490599'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>Scenario: A stadium uses a dedicated FortiAP profile for employee scanners and spectator devices. FortiGate client statistics show that fewer than 10% of associated stations consume most of the available airtime despite transferring relatively little data. These clients remain near the cell edge and repeatedly fall back to low legacy rates, while required employee scanners have already been validated at higher rates throughout all operational areas. The administrator must improve capacity without changing FortiAP profiles used at other company locations.<\/div><input type='hidden' name='question_id[]' id='qID_30' value='490599' \/><input type='hidden' id='answerType490599' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490599[]' id='answer-id-1894952' class='answer   answerof-490599 ' value='1894952'   \/><label for='answer-id-1894952' id='answer-label-1894952' class=' answer'><span>Enable airtime fairness in the existing stadium profile and preserve all supported rates so every client receives an equal scheduling opportunity without changing the current coverage boundary..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490599[]' id='answer-id-1894953' class='answer   answerof-490599 ' value='1894953'   \/><label for='answer-id-1894953' id='answer-label-1894953' class=' answer'><span>Clone the stadium profile, remove unnecessary low rates, validate the resulting coverage boundary with the required scanners, and use airtime fairness only as a secondary scheduling control..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490599[]' id='answer-id-1894954' class='answer   answerof-490599 ' value='1894954'   \/><label for='answer-id-1894954' id='answer-label-1894954' class=' answer'><span>Lower the AP handoff threshold and reduce the maximum client count so low-rate stations are distributed across additional FortiAP radios before they consume excessive airtime..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490599[]' id='answer-id-1894955' class='answer   answerof-490599 ' value='1894955'   \/><label for='answer-id-1894955' id='answer-label-1894955' class=' answer'><span>Increase the channel width to 80 MHz and raise the automatic-power ceiling so edge clients can negotiate higher MCS values while all legacy rates remain available for compatibility.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-490600'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>Scenario: A distribution warehouse uses FortiAP devices mounted above aisles containing metal racks and frequently changing inventory. Handheld clients experience localized retransmission spikes, and the affected locations move when the rack contents change. FortiGate shows normal noise-floor values, DARRP channel changes do not consistently improve performance, and the same FortiAP profile operates normally in an open staging area. Two client positions at similar distances from the same AP can report significantly different MCS values and packet-loss rates.<\/div><input type='hidden' name='question_id[]' id='qID_31' value='490600' \/><input type='hidden' id='answerType490600' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490600[]' id='answer-id-1894956' class='answer   answerof-490600 ' value='1894956'   \/><label for='answer-id-1894956' id='answer-label-1894956' class=' answer'><span>Perform an active survey with representative inventory and client devices, then adjust AP placement, antenna orientation, radio power, and channel boundaries according to the measured propagation patterns..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490600[]' id='answer-id-1894957' class='answer   answerof-490600 ' value='1894957'   \/><label for='answer-id-1894957' id='answer-label-1894957' class=' answer'><span>Increase the DARRP weighting for receive errors and shorten the channel-evaluation interval so affected radios move channels whenever localized retransmissions exceed the configured threshold..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490600[]' id='answer-id-1894958' class='answer   answerof-490600 ' value='1894958'   \/><label for='answer-id-1894958' id='answer-label-1894958' class=' answer'><span>Apply maximum transmit-power overrides to the affected FortiAP devices so the direct signal path remains stronger than any reflected or attenuated component throughout the warehouse..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490600[]' id='answer-id-1894959' class='answer   answerof-490600 ' value='1894959'   \/><label for='answer-id-1894959' id='answer-label-1894959' class=' answer'><span>Reduce the maximum association count and enable airtime fairness so clients experiencing lower MCS values consume fewer scheduling opportunities than clients in clearer areas.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-490601'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. <\/span>Scenario: A hospital uses dual-radio FortiAP devices in several voice-critical wards. The radios provide both 2.4 GHz medical-device access and 5 GHz voice-handset access, and a WIDS profile performs background scanning for rogue APs. During busy calling periods, packet captures show brief latency spikes that coincide with the client-serving 5 GHz radio leaving its home channel to inspect foreign channels. The hospital cannot replace the AP hardware immediately, but security requires rogue scanning to continue outside the busiest clinical periods.<\/div><input type='hidden' name='question_id[]' id='qID_32' value='490601' \/><input type='hidden' id='answerType490601' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490601[]' id='answer-id-1894960' class='answer   answerof-490601 ' value='1894960'   \/><label for='answer-id-1894960' id='answer-label-1894960' class=' answer'><span>Change the 5 GHz radio permanently to monitor mode during working hours and allow the 2.4 GHz radio to advertise both the medical and voice SSIDs..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490601[]' id='answer-id-1894961' class='answer   answerof-490601 ' value='1894961'   \/><label for='answer-id-1894961' id='answer-label-1894961' class=' answer'><span>Use background-scan disable schedules for the peak clinical periods, retain scanning during lower-usage windows, and validate that the reduced monitoring interval still satisfies the security requirement..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490601[]' id='answer-id-1894962' class='answer   answerof-490601 ' value='1894962'   \/><label for='answer-id-1894962' id='answer-label-1894962' class=' answer'><span>Increase the background-scan duration so the radio completes each foreign-channel inspection less frequently and returns more accurate rogue-AP results..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490601[]' id='answer-id-1894963' class='answer   answerof-490601 ' value='1894963'   \/><label for='answer-id-1894963' id='answer-label-1894963' class=' answer'><span>Enable AP handoff on the voice profile so connected calls are transferred to another AP every time the serving radio begins an off-channel scan.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-490602'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. <\/span>Scenario: A university normally controls radio power through a FortiAP profile configured for automatic operation between 10 dBm and 17 dBm. During a temporary outdoor event, an administrator enabled per-device transmit-power overrides on several corridor FortiAP devices and set them to their maximum supported value. The event ended months ago, but laptops now remain associated with distant APs while closer APs are visible at stronger levels. FortiGate shows strong downlink signal indications from the distant radios, but those radios receive weak uplink frames, high retry rates, and intermittent 802.1X authentication timeouts.<\/div><input type='hidden' name='question_id[]' id='qID_33' value='490602' \/><input type='hidden' id='answerType490602' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490602[]' id='answer-id-1894964' class='answer   answerof-490602 ' value='1894964'   \/><label for='answer-id-1894964' id='answer-label-1894964' class=' answer'><span>Remove the stale per-device overrides, return the radios to the bounded profile-based power range, and validate bidirectional cell overlap before applying conservative roaming-assistance settings..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490602[]' id='answer-id-1894965' class='answer   answerof-490602 ' value='1894965'   \/><label for='answer-id-1894965' id='answer-label-1894965' class=' answer'><span>Keep the overridden radios unchanged and enable AP handoff with a lower threshold so FortiGate redirects any client for which a neighboring FortiAP reports a stronger RSS<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490602[]' id='answer-id-1894966' class='answer   answerof-490602 ' value='1894966'   \/><label for='answer-id-1894966' id='answer-label-1894966' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490602[]' id='answer-id-1894967' class='answer   answerof-490602 ' value='1894967'   \/><label for='answer-id-1894967' id='answer-label-1894967' class=' answer'><span>Raise the automatic-power maximum in the shared FortiAP profile to match the overridden radios, creating consistent cell sizes and eliminating differences between overridden and profile-controlled APs..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490602[]' id='answer-id-1894968' class='answer   answerof-490602 ' value='1894968'   \/><label for='answer-id-1894968' id='answer-label-1894968' class=' answer'><span>Reduce the minimum supported data rates and enable airtime fairness so weak clients can complete their uplink authentication frames before stronger stations consume the available airtime.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-490603'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>Scenario: A conference facility uses overlapping FortiAP cells and enables AP handoff in the shared high-density profile. The handoff station threshold is configured for 35 clients, and multiple nearby APs provide sufficient signal coverage. During a keynote session, one AP already has 60 associated clients, but long-connected clients are not redistributed to the surrounding APs. New clients with good signal from neighboring APs generally join the less-loaded radios. The operations team concludes that AP handoff is malfunctioning because it does not rebalance the existing associations.<\/div><input type='hidden' name='question_id[]' id='qID_34' value='490603' \/><input type='hidden' id='answerType490603' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490603[]' id='answer-id-1894969' class='answer   answerof-490603 ' value='1894969'   \/><label for='answer-id-1894969' id='answer-label-1894969' class=' answer'><span>Keep AP handoff enabled and recognize that it primarily influences suitable new association attempts after an AP exceeds the threshold; use RF design and client roaming behavior to address existing associations..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490603[]' id='answer-id-1894970' class='answer   answerof-490603 ' value='1894970'   \/><label for='answer-id-1894970' id='answer-label-1894970' class=' answer'><span>Enable frequency handoff on the overloaded AP because frequency handoff forcibly moves all existing clients to neighboring APs whenever the station threshold is exceeded..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490603[]' id='answer-id-1894971' class='answer   answerof-490603 ' value='1894971'   \/><label for='answer-id-1894971' id='answer-label-1894971' class=' answer'><span>Reduce the handoff RSSI threshold to its weakest setting so the controller immediately disassociates every existing client and distributes them equally among all visible APs..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490603[]' id='answer-id-1894972' class='answer   answerof-490603 ' value='1894972'   \/><label for='answer-id-1894972' id='answer-label-1894972' class=' answer'><span>Disable roaming handoff because AP load balancing is applied only to actively roaming clients and remains inactive for clients making their initial association.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-490604'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>Scenario: A retail chain maintains a 2.4 GHz SSID for legacy inventory terminals. A regional FortiAP profile permits 20 MHz operation on channels 1 through 11, and DARRP is enabled without a restricted channel list. In one dense store, nearby managed FortiAP radios select channels 1, 4, 8, and 11. FortiGate reports moderate channel utilization but high retries, while packet captures show simultaneous energy from APs operating on different channel numbers. The terminals cannot be migrated to 5 GHz during the current hardware lifecycle.<\/div><input type='hidden' name='question_id[]' id='qID_35' value='490604' \/><input type='hidden' id='answerType490604' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490604[]' id='answer-id-1894973' class='answer   answerof-490604 ' value='1894973'   \/><label for='answer-id-1894973' id='answer-label-1894973' class=' answer'><span>Restrict the FortiAP profile to the locally valid non-overlapping 20 MHz channel set, permit DARRP to reuse those channels, and tune cell size to limit co-channel contention..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490604[]' id='answer-id-1894974' class='answer   answerof-490604 ' value='1894974'   \/><label for='answer-id-1894974' id='answer-label-1894974' class=' answer'><span>Preserve channels 1 through 11 and increase the DARRP managed-AP weighting so the controller eventually assigns a numerically unique channel to each neighboring FortiA<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490604[]' id='answer-id-1894975' class='answer   answerof-490604 ' value='1894975'   \/><label for='answer-id-1894975' id='answer-label-1894975' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490604[]' id='answer-id-1894976' class='answer   answerof-490604 ' value='1894976'   \/><label for='answer-id-1894976' id='answer-label-1894976' class=' answer'><span>Configure 40 MHz operation using channels 1 and 11 as primary channels so each AP receives more capacity while the intermediate channel numbers remain unused..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490604[]' id='answer-id-1894977' class='answer   answerof-490604 ' value='1894977'   \/><label for='answer-id-1894977' id='answer-label-1894977' class=' answer'><span>Place every FortiAP on channel 6 and enable airtime fairness so all stations coordinate through one contention domain instead of transmitting on partially overlapping channels.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-490605'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>Scenario: A corporate campus broadcasts the same employee SSID on both 2.4 GHz and 5 GHz. Most laptops support both bands, but a large proportion continues to join the heavily utilized 2.4 GHz radios even when the 5 GHz signal is strong and the 5 GHz radios have substantially lower utilization. The administrator wants the FortiGate wireless controller to influence capable new clients toward the less-used band without disabling 2.4 GHz support for legacy devices. The existing FortiAP profile does not enable frequency handoff.<\/div><input type='hidden' name='question_id[]' id='qID_36' value='490605' \/><input type='hidden' id='answerType490605' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490605[]' id='answer-id-1894978' class='answer   answerof-490605 ' value='1894978'   \/><label for='answer-id-1894978' id='answer-label-1894978' class=' answer'><span>Enable AP handoff only, because AP handoff automatically compares the utilization of the 2.4 GHz and 5 GHz radios within the same FortiAP before responding to every association request..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490605[]' id='answer-id-1894979' class='answer   answerof-490605 ' value='1894979'   \/><label for='answer-id-1894979' id='answer-label-1894979' class=' answer'><span>Remove the employee SSID from all 2.4 GHz radios because dual-band clients cannot be influenced toward 5 GHz while the same SSID remains available on both bands..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490605[]' id='answer-id-1894980' class='answer   answerof-490605 ' value='1894980'   \/><label for='answer-id-1894980' id='answer-label-1894980' class=' answer'><span>Enable frequency handoff in the FortiAP profile, including the required 5 GHz-side capability learning, and configure a suitable handoff RSSI threshold so eligible clients are influenced toward the less-used band..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490605[]' id='answer-id-1894981' class='answer   answerof-490605 ' value='1894981'   \/><label for='answer-id-1894981' id='answer-label-1894981' class=' answer'><span>Increase the transmit power of every 5 GHz radio above the 2.4 GHz power level because any dual-band client receiving a stronger 5 GHz beacon is required to select that band.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-490606'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>Scenario: A hospital uses FortiAP models that support Zero-Wait DFS and must retain DFS channels because the non-DFS spectrum cannot provide sufficient reuse across several clinical floors. Radar detections occasionally force radios to leave their operating channels, and the normal Channel Availability Check delays service restoration on replacement DFS channels. Voice and telemetry clients can tolerate a short channel transition but not the full availability-check interruption. The wireless team wants to preserve dynamic RF optimization without violating DFS requirements.<\/div><input type='hidden' name='question_id[]' id='qID_37' value='490606' \/><input type='hidden' id='answerType490606' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490606[]' id='answer-id-1894982' class='answer   answerof-490606 ' value='1894982'   \/><label for='answer-id-1894982' id='answer-label-1894982' class=' answer'><span>Configure a static list containing only the least frequently affected DFS channels and disable DARRP so each radio remains on its assigned channel unless an administrator manually changes it..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490606[]' id='answer-id-1894983' class='answer   answerof-490606 ' value='1894983'   \/><label for='answer-id-1894983' id='answer-label-1894983' class=' answer'><span>Increase the DARRP preference for DFS channels and shorten the evaluation interval so FortiGate can return the radios to lower-utilization DFS channels immediately after radar activity ends..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490606[]' id='answer-id-1894984' class='answer   answerof-490606 ' value='1894984'   \/><label for='answer-id-1894984' id='answer-label-1894984' class=' answer'><span>Enable Zero-Wait DFS in a compatible FortiAP profile, verify that backup channels are being pre-evaluated, and retain DARRP for channel selection within the validated DFS design..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490606[]' id='answer-id-1894985' class='answer   answerof-490606 ' value='1894985'   \/><label for='answer-id-1894985' id='answer-label-1894985' class=' answer'><span>Use per-device channel overrides to select replacement DFS channels after each radar event because manually selected channels are not subject to the same availability checks as automatically selected channels.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-490607'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. <\/span>Scenario: A university uses an SSID group named Campus-Standard in the FortiAP profiles assigned to lecture halls, libraries, dormitories, and administrative buildings. The group originally contains the employee and student SSIDs. To support a short-term conference, an administrator adds a temporary guest SSID to Campus-Standard, expecting it to appear only on the conference-center FortiAPs. Within minutes, the temporary SSID is visible across the entire campus, including restricted administrative areas.<\/div><input type='hidden' name='question_id[]' id='qID_38' value='490607' \/><input type='hidden' id='answerType490607' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490607[]' id='answer-id-1894986' class='answer   answerof-490607 ' value='1894986'   \/><label for='answer-id-1894986' id='answer-label-1894986' class=' answer'><span>Remove the temporary SSID from the shared group, create a conference-specific SSID group or FortiAP profile assignment, and apply it only to the FortiAPs intended to provide conference access..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490607[]' id='answer-id-1894987' class='answer   answerof-490607 ' value='1894987'   \/><label for='answer-id-1894987' id='answer-label-1894987' class=' answer'><span>Retain the temporary SSID in the shared group and use a firewall address group to prevent non-conference FortiAP devices from including the SSID in their beacon frames..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490607[]' id='answer-id-1894988' class='answer   answerof-490607 ' value='1894988'   \/><label for='answer-id-1894988' id='answer-label-1894988' class=' answer'><span>Configure per-client VLAN assignment on the temporary SSID because dynamic VLANs determine which physical FortiAP radios are permitted to advertise a VA<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490607[]' id='answer-id-1894989' class='answer   answerof-490607 ' value='1894989'   \/><label for='answer-id-1894989' id='answer-label-1894989' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490607[]' id='answer-id-1894990' class='answer   answerof-490607 ' value='1894990'   \/><label for='answer-id-1894990' id='answer-label-1894990' class=' answer'><span>Move the conference FortiAP devices into a separate FortiAP group because FortiAP group membership automatically filters individual SSIDs from every referenced SSID group.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-490608'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>Scenario: A financial institution deploys tunnel-mode FortiAP devices in temporary offices that connect to a central FortiGate through the public Internet. Corporate policy requires the client data channel between each FortiAP and the controller to be encrypted, and the selected FortiGate and FortiAP models support IPsec data-channel operation and hardware-assisted processing. The team wants stronger protection than clear-text CAPWAP while minimizing the performance reduction associated with software-only DTLS processing. Wireless client authentication and over-the-air encryption are already configured correctly.<\/div><input type='hidden' name='question_id[]' id='qID_39' value='490608' \/><input type='hidden' id='answerType490608' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490608[]' id='answer-id-1894991' class='answer   answerof-490608 ' value='1894991'   \/><label for='answer-id-1894991' id='answer-label-1894991' class=' answer'><span>Retain a clear-text CAPWAP data channel because the CAPWAP control channel uses DTLS and therefore automatically encrypts all client data packets carried by the tunnel..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490608[]' id='answer-id-1894992' class='answer   answerof-490608 ' value='1894992'   \/><label for='answer-id-1894992' id='answer-label-1894992' class=' answer'><span>Configure a compatible IPsec VPN data-channel policy in the FortiAP profile and verify that the FortiAP endpoint uses the corresponding security mode and supported offload behavior..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490608[]' id='answer-id-1894993' class='answer   answerof-490608 ' value='1894993'   \/><label for='answer-id-1894993' id='answer-label-1894993' class=' answer'><span>Enable WPA3-Enterprise and Protected Management Frames on the SSID because these features extend end-to-end encryption from each client through the CAPWAP tunnel to the FortiGate..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490608[]' id='answer-id-1894994' class='answer   answerof-490608 ' value='1894994'   \/><label for='answer-id-1894994' id='answer-label-1894994' class=' answer'><span>Convert the SSID to local bridge mode and apply central firewall policies to the SSID interface, preserving controller inspection while eliminating the need to protect tunneled client traffic.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-490609'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>Scenario: A branch migrates a wireless employee network from tunnel mode to local bridge mode so traffic can use local resources. The FortiAP management VLAN is untagged on the access-switch port, while employee traffic should be bridged using VLAN 120. Clients can see the SSID and complete WPA2-Enterprise authentication, but they never receive a DHCP lease. FortiAP management remains online, and wired clients connected directly to VLAN 120 obtain addresses successfully.<\/div><input type='hidden' name='question_id[]' id='qID_40' value='490609' \/><input type='hidden' id='answerType490609' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490609[]' id='answer-id-1894995' class='answer   answerof-490609 ' value='1894995'   \/><label for='answer-id-1894995' id='answer-label-1894995' class=' answer'><span>Create a tunnel-mode SSID interface with VLAN 120 on the central FortiGate so DHCP broadcasts are encapsulated back to the controller before reaching the branch server..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490609[]' id='answer-id-1894996' class='answer   answerof-490609 ' value='1894996'   \/><label for='answer-id-1894996' id='answer-label-1894996' class=' answer'><span>Add a firewall policy between the local-bridge SSID and the FortiAP management interface so the AP can route client DHCP broadcasts into the wired VLA<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490609[]' id='answer-id-1894997' class='answer   answerof-490609 ' value='1894997'   \/><label for='answer-id-1894997' id='answer-label-1894997' class=' answer'><span>.<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490609[]' id='answer-id-1894998' class='answer   answerof-490609 ' value='1894998'   \/><label for='answer-id-1894998' id='answer-label-1894998' class=' answer'><span>Enable CAPWAP data-channel DTLS because unencrypted local-bridge frames are discarded when the FortiAP uplink carries both tagged and untagged traffic..<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-490609[]' id='answer-id-1894999' class='answer   answerof-490609 ' value='1894999'   \/><label for='answer-id-1894999' id='answer-label-1894999' class=' answer'><span>Permit VLAN 120 as a tagged VLAN on the FortiAP switch uplink and preserve the appropriate native or untagged management VLAN configuration.<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div style='display:none' id='question-41'>\n\t<div class='question-content'>\n\t\t<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\" alt=\"Loading...\" title=\"Loading...\" \/>&nbsp;Loading...\t<\/div>\n<\/div>\n\n<br \/>\n\t\n\t\t\t<div class=\"watupro_buttons flex \" id=\"watuPROButtons12622\" >\n\t\t  <div id=\"prev-question\" style=\"display:none;\"><input type=\"button\" value=\"&lt; Previous\" onclick=\"WatuPRO.nextQuestion(event, 'previous');\"\/><\/div>\t\t  \t\t  \t\t   \n\t\t   \t  \t\t<div><input type=\"button\" name=\"action\" class=\"watupro-submit-button\" onclick=\"WatuPRO.submitResult(event)\" id=\"action-button\" value=\"View Results\"  \/>\n\t\t<\/div>\n\t\t<\/div>\n\t\t\n\t<input type=\"hidden\" name=\"quiz_id\" value=\"12622\" id=\"watuPROExamID\"\/>\n\t<input type=\"hidden\" name=\"start_time\" id=\"startTime\" value=\"2026-06-30 10:37:07\" \/>\n\t<input type=\"hidden\" name=\"start_timestamp\" id=\"startTimeStamp\" value=\"1782815827\" \/>\n\t<input type=\"hidden\" name=\"question_ids\" value=\"\" \/>\n\t<input type=\"hidden\" name=\"watupro_questions\" value=\"490570:1894830,1894831,1894832,1894833 | 490571:1894834,1894835,1894836,1894837,1894838 | 490572:1894839,1894840,1894841,1894842 | 490573:1894843,1894844,1894845,1894846 | 490574:1894847,1894848,1894849,1894850 | 490575:1894851,1894852,1894853,1894854 | 490576:1894855,1894856,1894857,1894858 | 490577:1894859,1894860,1894861,1894862,1894863 | 490578:1894864,1894865,1894866,1894867 | 490579:1894868,1894869,1894870,1894871,1894872 | 490580:1894873,1894874,1894875,1894876 | 490581:1894877,1894878,1894879,1894880 | 490582:1894881,1894882,1894883,1894884 | 490583:1894885,1894886,1894887,1894888 | 490584:1894889,1894890,1894891,1894892 | 490585:1894893,1894894,1894895,1894896,1894897 | 490586:1894898,1894899,1894900,1894901 | 490587:1894902,1894903,1894904,1894905 | 490588:1894906,1894907,1894908,1894909,1894910 | 490589:1894911,1894912,1894913,1894914 | 490590:1894915,1894916,1894917,1894918 | 490591:1894919,1894920,1894921,1894922 | 490592:1894923,1894924,1894925,1894926 | 490593:1894927,1894928,1894929,1894930 | 490594:1894931,1894932,1894933,1894934 | 490595:1894935,1894936,1894937,1894938,1894939 | 490596:1894940,1894941,1894942,1894943 | 490597:1894944,1894945,1894946,1894947 | 490598:1894948,1894949,1894950,1894951 | 490599:1894952,1894953,1894954,1894955 | 490600:1894956,1894957,1894958,1894959 | 490601:1894960,1894961,1894962,1894963 | 490602:1894964,1894965,1894966,1894967,1894968 | 490603:1894969,1894970,1894971,1894972 | 490604:1894973,1894974,1894975,1894976,1894977 | 490605:1894978,1894979,1894980,1894981 | 490606:1894982,1894983,1894984,1894985 | 490607:1894986,1894987,1894988,1894989,1894990 | 490608:1894991,1894992,1894993,1894994 | 490609:1894995,1894996,1894997,1894998,1894999\" \/>\n\t<input type=\"hidden\" name=\"no_ajax\" value=\"0\">\t\t\t<\/form>\n\t<p>&nbsp;<\/p>\n<\/div>\n\n<script type=\"text\/javascript\">\n\/\/jQuery(document).ready(function(){\ndocument.addEventListener(\"DOMContentLoaded\", function(event) { \t\nvar question_ids = \"490570,490571,490572,490573,490574,490575,490576,490577,490578,490579,490580,490581,490582,490583,490584,490585,490586,490587,490588,490589,490590,490591,490592,490593,490594,490595,490596,490597,490598,490599,490600,490601,490602,490603,490604,490605,490606,490607,490608,490609\";\nWatuPROSettings[12622] = {};\nWatuPRO.qArr = question_ids.split(',');\nWatuPRO.exam_id = 12622;\t    \nWatuPRO.post_id = 128886;\nWatuPRO.store_progress = 0;\nWatuPRO.curCatPage = 1;\nWatuPRO.requiredIDs=\"0\".split(\",\");\nWatuPRO.hAppID = \"0.90749300 1782815827\";\nvar url = \"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/show_exam.php\";\nWatuPRO.examMode = 1;\nWatuPRO.siteURL=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-admin\/admin-ajax.php\";\nWatuPRO.emailIsNotRequired = 0;\nWatuPROIntel.init(12622);\nWatuPRO.inCategoryPages=1;});    \t \n<\/script>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions (FAQs)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What is the best way to start preparing for the NSE5_FWF_AD-7.6 exam?<\/h3>\n\n\n\n<p>Begin by thoroughly reviewing the official Fortinet exam blueprint to understand the primary core domains. Once you have a foundational grasp of the topics, integrate DumpsBase NSE5_FWF_AD-7.6 exam dumps V8.02 to test your knowledge and practice applying those concepts to concrete scenarios.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How close are the practice questions to the actual certification test?<\/h3>\n\n\n\n<p>The practice questions are curated by industry experts to closely match the style, format, and technical difficulty of the official certification. This ensures you are entirely familiar with the layout and phrasing on test day.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Fortinet NSE 5 &#8211; Secure Wireless LAN 7.6 Administrator certification stands as a premier credential for network professionals aiming to demonstrate their expertise in deploying, configuring, and troubleshooting Fortinet wireless architectures. To support their excellent preparation, DumpsBase offers Fortinet NSE5_FWF_AD-7.6 exam dumps V8.02, offering 100 expert-verified exam questions, PDF format, practice testing engine, and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20758,189,1616],"tags":[21434,21435,21436],"class_list":["post-128886","post","type-post","status-publish","format-standard","hentry","category-fcp-in-secure-networking","category-fortinet","category-nse-5","tag-nse5_fwf_ad-7-6","tag-nse5_fwf_ad-7-6-exam-dumps","tag-nse5_fwf_ad-7-6-free-questions"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/128886","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=128886"}],"version-history":[{"count":1,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/128886\/revisions"}],"predecessor-version":[{"id":128887,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/128886\/revisions\/128887"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=128886"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=128886"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=128886"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}