ExamGecko
Search Search Login
Home Home / Fortinet / NSE4_FGT-7.2
Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)
Which two statements are correct regarding FortiGate HA cluster virtual IP addresses? (Choose two.)
Which two statements are correct about NGFW Policy-based mode? (Choose two.)
An administrator configures FortiGuard servers as DNS servers on FortiGate using default settings. What is true about the DNS connection to a FortiGuard server?
If the Issuer and Subject values are the same in a digital certificate, which type of entity was the certificate issued to?
Which of the following are valid actions for FortiGuard category based filter in a web filter profile ui proxy-based inspection mode? (Choose two.)
Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)
Which two statements are correct about SLA targets? (Choose two.)
If Internet Service is already selected as Source in a firewall policy, which other configuration objects can be added to the Source filed of a firewall policy?
Which of the following conditions must be met in order for a web browser to trust a web server certificate signed by a third-party CA?

Question 23 - NSE4_FGT-7.2 discussion

Report
Export

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

* All traffic must be routed through the primary tunnel when both tunnels are up

* The secondary tunnel must be used only if the primary tunnel goes down

* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two,)

A.
Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
Answers
A.
Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B.
Enable Dead Peer Detection.
Answers
B.
Enable Dead Peer Detection.
C.
Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
Answers
C.
Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D.
Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Answers
D.
Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Suggested answer: B, C

Explanation:

Study Guide -- IPsec VPN -- IPsec configuration -- Phase 1 Network.

When Dead Peer Detection (DPD) is enabled, DPD probes are sent to detect a failed tunnel and bring it down before its IPsec SAs expire. This failure detection mechanism is very useful when you have redundant paths to the same destination, and you want to failover to a backup connection when the primary connection fails to keep the connectivity between the sites up.

There are three DPD modes. On demand is the default mode.

Study Guide -- IPsec VPN -- Redundant VPNs.

Add one phase 1 configuration for each tunnel. DPD should be enabled on both ends.

Add at least one phase 2 definition for each phase 1.

Add one static route for each path. Use distance or priority to select primary routes over backup routes (routes for the primary VPN must have a lower distance or lower priority than the backup). Alternatively, use dynamic routing.

Configure FW policies for each IPsec interface.

Show Answer
asked 18/09/2024
Abdulilah Alhousainy
39 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms