The correct answer is B. The FortiManager 7.6 Administrator Study Guide explicitly states: ''CLI scripts use the FGFM tunnel and the FGFM tunnel is authenticated using the FortiManager and FortiGate serial numbers.'' It also states: ''Tcl scripts do not run through the FGFM tunnel like CLI scripts do. Tcl scripts use SSH to tunnel through FGFM and they require SSH authentication to do so.''

This is the exact reason CLI scripts can run without prompting for SSH authentication every time: they use the existing secure FGFM management tunnel, not a separate interactive SSH login. The FGFM section of the study guide also confirms that this is a secure communication tunnel established between FortiManager and managed FortiGate devices.

So the enabler is not legacy login, script location, or the ''Remote FortiGate Directly'' option by itself. It is the FGFM secure management tunnel.