Refer to the exhibit. FortiGate is showing continuous high CPU usage. During a maintenance window, the CLI command diagnose sys top displays the output shown in the exhibit. The CLI command diagnose test application ipsmonitor 5 was run, but the CPU usage by daemon ipsengine did not drop. Which immediate action can you take to reduce the CPU usage effectively?
Correct Answer: B
To solve this high CPU usage scenario involving the ipsengine, we must understand the specific functions of the diagnose test application ipsmonitor commands shown in the troubleshooting steps.

* Analyze the Situation:
  * Exhibit: The diagnose sys top output shows the ipsengine process is in a run state (R) consuming 99% CPU.
  * Previous Action: The administrator already ran diagnose test application ipsmonitor 5.
  * Result: The CPU usage did not drop.
* Understand the Commands:
  * diagnose test application ipsmonitor 5: This command toggles IPS Bypass Mode. When enabled, the IPS engine lets traffic pass through without inspection.
  * Implication: If the CPU was high due to traffic volume, enabling bypass would drop the CPU load immediately.
  * Failure: Since the CPU remained at 99% after bypass, the ipsengine process is likely frozen, stuck, or in an internal infinite loop unrelated to the current traffic flow. The process itself is the problem, not the traffic volume.
* Evaluate the Solution (Option B):
  * diagnose test application ipsmonitor 2: This command toggles the IPS engine's Enable/Disable status.
  * Because the engine is stuck (bypass failed to relieve pressure), the "Immediate action" required is to stop or restart the process entirely.
  * Running option 2 effectively disables/kills the stuck IPS engine instance, which will immediately drop the CPU usage to near zero. (It can then be toggled again to restart it).
* Why other options are incorrect:
  * A (Reduce signatures): This is a tuning measure for normal operation, not an immediate fix for a stuck process at 99% CPU.
  * C (Disable IPS on policies): This is a configuration change that takes time and requires a commit; it is not the most immediate diagnostic tool available.
  * D (Bypass all IPS engines): This describes the action of command 5 (Bypass), which the prompt explicitly states was already performed and failed.
Reference: FortiGate Security 7.6 Study Guide (IPS & Diagnostics): "Troubleshooting IPS high CPU: 1. Check top. 2. Try bypass (ipsmonitor 5). 3. If CPU persists, restart the engine (ipsmonitor 99 or 2)."
FCSS_NST_SE-7.6 Exam Question 37
Refer to the exhibit. The output of the diagnose sys session list command is shown. If the HA ID for the primary device is 9, what happens if the primary fails and the secondary becomes the primary?
Correct Answer: C
The output of the diagnose sys session list command provides the critical evidence needed to determine the behavior during a failover:

* Session Synchronization (synced):
  * The most important indicator in the exhibit is the synced flag located in the state= line (state=may_dirty synced none app_ntf).
  * In FortiOS HA (High Availability), the synced flag confirms that this specific session has been successfully synchronized from the primary device to the secondary (backup) device.
  * Session synchronization (Session Pickup) ensures that if the primary unit fails, the secondary unit already has the session in its table and can resume traffic processing immediately.
* TCP State (proto_state=01):
  * The output shows proto=6 (TCP) and proto_state=01.
  * In the FortiGate session table, proto_state=01 for TCP indicates that the session is in the ESTABLISHED state (post-three-way handshake).
  * This invalidates Option B, which claims the TCP session is not fully established.
* Failover Outcome:
  * Because the session is ESTABLISHED and SYNCED, the secondary device will seamlessly take over the session upon primary failure.
  * The traffic continues to flow through the new primary without requiring the user/client to restart the connection. This is the primary function of HA Session Pickup.

Why other options are incorrect:

* A: While the output shows app_ntf (Application Control notification) and may_dirty, the presence of the synced flag overrides this concern regarding failover. If the session type were not supported for failover (e.g., certain proxy sessions in older versions), it would not be marked as synced. Since it is synced, it persists.
* B: As noted, proto_state=01 means established, not "not fully established".
* D: While the kernel updates routing tables, the purpose of syncing the session is to preserve the state so it does not need to be re-evaluated as a new packet would, preventing traffic drops.
Reference: FortiGate Security 7.6 Study Guide (High Availability): "If session pickup is enabled, the primary unit synchronizes its session table... to the backup unit. If the primary unit fails, the backup unit... continues to process the sessions with no interruption."
FCSS_NST_SE-7.6 Exam Question 38
Refer to the exhibit, which shows the output of a BGP debug command. What can you conclude about the router in this scenario?
Correct Answer: D
The BGP debug output shows session information for peers, including state details. According to official Fortinet BGP documentation, if the session state with a peer does not show "Idle," "Active," or "Connect," but instead shows "Established," "Up," or related counters (e.g., messages sent/received or uptime), it indicates the session is operational. In this scenario, the peer 10.127.0.75 is the only one showing a positive indication of a live, established session.

Other options like neighbor-range configuration, AS mismatch, or route-maps blocking prefixes are not supported by evidence provided in a simple BGP session state debug, nor does the output show errors relating to local or remote AS issues. The correct interpretation comes from Fortinet's BGP troubleshooting guide, which outlines how to read session status and neighbor states in debug and summary outputs.

References:
* FortiOS BGP Debugging Guide: Session State Interpretation
* BGP CLI Reference: Neighbor Status Fields
FCSS_NST_SE-7.6 Exam Question 39
Refer to the exhibit showing a debug output. An administrator deployed FSSO in DC Agent Mode but FSSO is failing on FortiGate. Pinging FortiGate from where the collector agent is deployed is successful. The administrator then produces the debug output shown in the exhibit. What could be causing this error message?