Fortinet FCSS_NST_SE-7.6 Exam - Topic 3 Question 4 Discussion

Actual exam question for Fortinet's FCSS_NST_SE-7.6 exam
Question #: 4
Topic #: 3

In IKEv2, which exchange establishes the first CHILD_SA?

Suggested Answer: A

According to RFC 7296 (IKEv2) and Fortinet's official documentation, the IKE_SA_INIT exchange is responsible for negotiating cryptographic parameters, performing the initial Diffie-Hellman exchange, and implementing the cookie challenge mechanism for DoS protection. When the responder suspects a DoS attack (such as mass requests by the same source), it includes a cookie in the IKE_SA_INIT response. The initiator must return the cookie in its next request to prove that it truly exists at the IP address it claims, thereby mitigating resource exhaustion attacks.

This two-step exchange ensures the responder only allocates resources after successful proof of address, aligning with best security practices. Fortinet documentation confirms that this process occurs strictly in the IKE_SA_INIT phase, not in subsequent IKE_Auth or CHILD_SA exchanges.


RFC 7296: IKEv2, Section 2.6, "Denial of Service Protection"

Fortinet FortiOS VPN Handbook: IKEv2 Exchange Process and DoS Protection Mechanism
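
The cookie challenge described in the explanation above, as an added example (not code from the original page, from Fortinet, or from any IKE implementation). The cookie layout follows the suggestion in RFC 7296 Section 2.6, `<VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>)`; the class and method names, the SHA-256 choice, and the sample addresses are assumptions.

```python
import hashlib
import hmac
import os
from ipaddress import ip_address


class CookieResponder:
    """Stateless IKE_SA_INIT cookie logic modelled on RFC 7296 section 2.6 (hypothetical class)."""

    def __init__(self):
        self.version = 0
        self.secrets = {0: os.urandom(32)}

    def rotate(self):
        # Keep the previous secret so cookies issued just before rotation still verify.
        previous = self.version
        self.version = (self.version + 1) % 256
        self.secrets = {previous: self.secrets[previous], self.version: os.urandom(32)}

    def _digest(self, version, ni, ip, spi_i):
        # Hash(Ni | IPi | SPIi | <secret>): binds the cookie to the claimed source address.
        data = ni + ip_address(ip).packed + spi_i + self.secrets[version]
        return hashlib.sha256(data).digest()

    def make_cookie(self, ni, ip, spi_i):
        return bytes([self.version]) + self._digest(self.version, ni, ip, spi_i)

    def check_cookie(self, cookie, ni, ip, spi_i):
        if len(cookie) != 33 or cookie[0] not in self.secrets:
            return False
        return hmac.compare_digest(cookie[1:], self._digest(cookie[0], ni, ip, spi_i))

    def handle_sa_init(self, ni, ip, spi_i, cookie=None, under_load=True):
        """Return ("COOKIE", value) or ("PROCEED", None); nothing is stored per request."""
        if not under_load:
            return ("PROCEED", None)
        if cookie is not None and self.check_cookie(cookie, ni, ip, spi_i):
            return ("PROCEED", None)
        return ("COOKIE", self.make_cookie(ni, ip, spi_i))


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, random nonce and SPI).
    r = CookieResponder()
    ni, spi = os.urandom(32), os.urandom(8)
    _, c = r.handle_sa_init(ni, "192.0.2.10", spi)
    print(r.handle_sa_init(ni, "192.0.2.10", spi, cookie=c))       # retry from the same address
    print(r.handle_sa_init(ni, "198.51.100.7", spi, cookie=c)[0])  # same cookie, different address
```

Because the responder can recompute the cookie from the request itself, it commits no memory or Diffie-Hellman work until the initiator has shown it can receive traffic at the address it claims.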

Contribute your Thoughts:

Deandrea
8 hours ago
I thought it was D) IKE_Auth, but I guess I need to double-check.
upvoted 0 times
...
Tesha
6 days ago
Totally agree with that!
upvoted 0 times
...
Tambra
11 days ago
It's C) CREATE_CHILD_SA for sure.
upvoted 0 times
...
Rene
16 days ago
I'm just here for the free snacks, so I'll go with D) IKE_Auth.
upvoted 0 times
...
Tegan
21 days ago
B) INFORMATIONAL? More like INFORMATIONAL_FACEPALM.
upvoted 0 times
...
Izetta
26 days ago
I'm going with C) CREATE_CHILD_SA, just to keep things interesting.
upvoted 0 times
...
Merilyn
1 month ago
D) IKE_Auth seems like the obvious choice here.
upvoted 0 times
...
Felicitas
1 month ago
IKE_SA_INIT seems too early for CHILD_SA, but I can't recall the exact details of when it happens.
upvoted 0 times
...
Ellsworth
1 month ago
I remember practicing a question similar to this, and I think it was about the IKE_AUTH phase, but that might not be right for CHILD_SA.
upvoted 0 times
...
Samuel
2 months ago
I think the first CHILD_SA is established during the CREATE_CHILD_SA exchange, but I’m not entirely sure.
upvoted 0 times
...
Oren
2 months ago
Ah, I think I've got it! The CREATE_CHILD_SA exchange is where the first CHILD_SA is established. I'm feeling pretty confident about that, so I'll select option C.
upvoted 0 times
...
Veronica
2 months ago
I'm a little uncertain about this one. I know the IKE_SA_INIT and IKE_Auth exchanges are important in IKEv2, but I'm not sure if they're directly responsible for establishing the first CHILD_SA. I'll have to review my notes to be sure.
upvoted 0 times
...
Annamaria
2 months ago
The CREATE_CHILD_SA exchange sounds like the most likely option here. I remember learning that this is where the initial CHILD_SA is set up, so I'll go with C.
upvoted 0 times
...
Kenneth
2 months ago
A) IKE_SA_INIT is the correct answer.
upvoted 0 times
...
Kirk
3 months ago
I feel like CREATE_CHILD_SA is the right answer, but I keep mixing it up with the IKE_AUTH phase.
upvoted 0 times
...
Margart
3 months ago
Wait, are you guys sure? I thought it was A) IKE_SA_INIT.
upvoted 0 times
...
Lorriane
3 months ago
Hmm, I'm a bit confused on this one. I know IKEv2 has a few different exchanges, but I'm not sure which one specifically establishes the first CHILD_SA. I'll have to think this through carefully.
upvoted 0 times
...
Verlene
3 months ago
I'm pretty sure the first CHILD_SA is established during the CREATE_CHILD_SA exchange, so I'll go with option C.
upvoted 0 times
Ayesha
2 months ago
I think you're right about option C.
upvoted 0 times
...
...
