The correct answers are C and D.
The key clue is the command itself:
diagnose debug application fssod -1
The study guide explicitly states: “There is a specific FortiGate daemon that handles the polling mode. It is the fssod daemon. To enable agentless polling mode real-time debug use the command: diagnose debug application fssod -1.”
That directly proves D. FSSO is using agentless polling mode to detect logon events.
The study guide also states: “In agentless polling mode, FortiGate frequently polls all workstations (as a standalone collector agent does) to check which users are still logged in. You can sniffer this traffic on port 445.”
That directly proves C. FortiGate is frequently polling the workstation in case the user has logged out.
Why the other options are wrong:
A is wrong because the “cannot verify if the user is still logged in” / Not Verified condition is described for the collector agent workstation status, not as a conclusion from this FortiGate fssod debug line. The study guide says: “A user goes to not verified status when they log out, or when there is a problem in the polling done by the collector agent to the workstation.”
B is wrong because DC Agent mode is part of agent-based FSSO, where DC agents send events to a collector agent. This output is from the fssod daemon, which the study guide ties to agentless polling mode, not DC Agent mode.
E is wrong because TCP port 8000 is used for communication between the collector agent and FortiGate, while in agentless polling mode FortiGate polls workstations and that traffic can be sniffed on TCP port 445.
So the verified answers are: C, D.