
Fortinet FCSS_NST_SE-7.6 Exam - Topic 3 Question 4 Discussion

Actual exam question for Fortinet's FCSS_NST_SE-7.6 exam
Question #: 4
Topic #: 3

In IKEv2, which exchange establishes the first CHILD_SA?

Suggested Answer: A

According to RFC 7296 (IKEv2) and Fortinet's official documentation, the IKE_SA_INIT exchange is responsible for negotiating cryptographic parameters, performing the initial Diffie-Hellman exchange, and implementing the cookie challenge mechanism for DoS protection. When the responder suspects a DoS attack (such as mass requests by the same source), it includes a cookie in the IKE_SA_INIT response. The initiator must return the cookie in its next request to prove that it truly exists at the IP address it claims, thereby mitigating resource exhaustion attacks.

This two-step exchange ensures the responder only allocates resources after successful proof of address, aligning with best security practices. Fortinet documentation confirms that this process occurs strictly in the IKE_SA_INIT phase, not in subsequent IKE_Auth or CHILD_SA exchanges.


RFC 7296: IKEv2, Section 2.6, "Denial of Service Protection"

Fortinet FortiOS VPN Handbook: IKEv2 Exchange Process and DoS Protection Mechanism
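
The cookie round trip described in the explanation above, as an added example (not from the original page or from Fortinet): responder-side handling using the stateless construction suggested in RFC 7296, Section 2.6. The class and method names, SHA-256 as the hash, the one-byte version ID, and the sample nonce, SPI and addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os


class CookieResponder:
    """Stateless IKE_SA_INIT cookie check, responder side (hypothetical class)."""

    def __init__(self):
        self.version = 0
        self.secrets = {0: os.urandom(32)}  # version id -> secret

    def rotate(self):
        # Keep the current and previous secret so cookies in flight survive one rotation.
        self.version = (self.version + 1) % 256
        self.secrets[self.version] = os.urandom(32)
        keep = (self.version, (self.version - 1) % 256)
        self.secrets = {v: s for v, s in self.secrets.items() if v in keep}

    def _digest(self, version, ni, ip, spi_i):
        data = ni + ipaddress.ip_address(ip).packed + spi_i + self.secrets[version]
        return hashlib.sha256(data).digest()

    def make_cookie(self, ni, ip, spi_i):
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)
        return bytes([self.version]) + self._digest(self.version, ni, ip, spi_i)

    def verify(self, cookie, ni, ip, spi_i):
        if len(cookie) != 33 or cookie[0] not in self.secrets:
            return False
        return hmac.compare_digest(cookie[1:], self._digest(cookie[0], ni, ip, spi_i))

    def handle_init(self, ni, ip, spi_i, cookie=None, under_load=True):
        """Return ('COOKIE', cookie) while keeping no per-peer state, or ('ACCEPT', None)."""
        if not under_load:
            return ("ACCEPT", None)
        if cookie is not None and self.verify(cookie, ni, ip, spi_i):
            return ("ACCEPT", None)
        return ("COOKIE", self.make_cookie(ni, ip, spi_i))


def demo():
    r = CookieResponder()
    ni, spi_i = os.urandom(32), os.urandom(8)  # constructed sample nonce and initiator SPI
    first = r.handle_init(ni, "192.0.2.10", spi_i)                   # challenged
    retry = r.handle_init(ni, "192.0.2.10", spi_i, cookie=first[1])  # cookie returned
    moved = r.handle_init(ni, "198.51.100.7", spi_i, cookie=first[1])  # other source address
    return first[0], retry[0], moved[0]
```

Because the cookie is recomputed from the request and a local secret, the responder stores nothing until the initiator has shown it can receive traffic at the claimed address.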

Skye
1 day ago
I feel like B) INFORMATIONAL is too vague for this. Not the right choice.
upvoted 0 times
...
Heike
6 days ago
But what about A) IKE_SA_INIT? It sets up the initial parameters.
upvoted 0 times
...
Malinda
12 days ago
I agree with Kaycee. CREATE_CHILD_SA is where it happens.
upvoted 0 times
...
Colton
17 days ago
I’m not so sure. I lean towards D) IKE_Auth. Seems like the right phase.
upvoted 0 times
...
Kaycee
22 days ago
I think it's C) CREATE_CHILD_SA. Makes sense for establishing CHILD_SA.
upvoted 0 times
...
Velda
27 days ago
Just to clarify, it's definitely C) CREATE_CHILD_SA.
upvoted 0 times
...
Deandrea
2 months ago
I thought it was D) IKE_Auth, but I guess I need to double-check.
upvoted 0 times
...
Tesha
2 months ago
Totally agree with that!
upvoted 0 times
...
Tambra
2 months ago
It's C) CREATE_CHILD_SA for sure.
upvoted 0 times
...
Rene
2 months ago
I'm just here for the free snacks, so I'll go with D) IKE_Auth.
upvoted 0 times
...
Tegan
2 months ago
B) INFORMATIONAL? More like INFORMATIONAL_FACEPALM.
upvoted 0 times
...
Izetta
2 months ago
I'm going with C) CREATE_CHILD_SA, just to keep things interesting.
upvoted 0 times
...
Merilyn
3 months ago
D) IKE_Auth seems like the obvious choice here.
upvoted 0 times
...
Felicitas
3 months ago
IKE_SA_INIT seems too early for CHILD_SA, but I can't recall the exact details of when it happens.
upvoted 0 times
...
Ellsworth
3 months ago
I remember practicing a question similar to this, and I think it was about the IKE_AUTH phase, but that might not be right for CHILD_SA.
upvoted 0 times
...
Samuel
3 months ago
I think the first CHILD_SA is established during the CREATE_CHILD_SA exchange, but I’m not entirely sure.
upvoted 0 times
...
Oren
3 months ago
Ah, I think I've got it! The CREATE_CHILD_SA exchange is where the first CHILD_SA is established. I'm feeling pretty confident about that, so I'll select option C.
upvoted 0 times
...
Veronica
3 months ago
I'm a little uncertain about this one. I know the IKE_SA_INIT and IKE_Auth exchanges are important in IKEv2, but I'm not sure if they're directly responsible for establishing the first CHILD_SA. I'll have to review my notes to be sure.
upvoted 0 times
...
Annamaria
4 months ago
The CREATE_CHILD_SA exchange sounds like the most likely option here. I remember learning that this is where the initial CHILD_SA is set up, so I'll go with C.
upvoted 0 times
...
Kenneth
4 months ago
A) IKE_SA_INIT is the correct answer.
upvoted 0 times
...
Kirk
4 months ago
I feel like CREATE_CHILD_SA is the right answer, but I keep mixing it up with the IKE_AUTH phase.
upvoted 0 times
...
Margart
4 months ago
Wait, are you guys sure? I thought it was A) IKE_SA_INIT.
upvoted 0 times
...
Lorriane
5 months ago
Hmm, I'm a bit confused on this one. I know IKEv2 has a few different exchanges, but I'm not sure which one specifically establishes the first CHILD_SA. I'll have to think this through carefully.
upvoted 0 times
...
Verlene
5 months ago
I'm pretty sure the first CHILD_SA is established during the CREATE_CHILD_SA exchange, so I'll go with option C.
upvoted 0 times
Ayesha
4 months ago
I think you're right about option C.
upvoted 0 times
...
...
