Exam NSE7_EFW-7.2 topic 1 question 46 discussion

The root FortiGate must have the address object set to fabric object enable and the downstream FortiGate must have the fabric object unification setting set to default. Configuration sync has to do with FortiAnalyzer and FortiManager Configuration settings being synced to downstream appliances which would not have an effect in the event of an address object.

A. The downstream FortiGate has fabric-object-unification set to local. True. If the downstream FortiGate has fabric-object-unification set to local, it will not synchronize global objects from the root FortiGate. This setting allows the downstream FortiGate to maintain its own local objects independently of the root. B. The root FortiGate has configuration-sync set to enable. False. The configuration-sync on the root FortiGate is typically enabled to push objects downstream. This setting would not prevent synchronization but rather facilitate it. C. The address object on the root FortiGate has fabric-object set to disable. False. If the fabric-object is disabled for an address object, it won't be marked for synchronization within the Security Fabric. However, this option is not specified in the scenario, so it is unlikely to be the cause. D. The downstream FortiGate has configuration-sync set to local. True. If the downstream FortiGate has configuration-sync set to local, it will not import global CMDB objects from the root FortiGate. This setting restricts the synchronization of global objects to that specific device.

Object synchronization can be configured with the following commands: config system csf set fabric-object-unification [default | local] set configuration-sync [default | local] ... next end https://docs.fortinet.com/document/fortigate/6.4.0/new-features/893434/synchronizing-objects-across-the-security-fabric

C and D are correct

A is incorrect because fabric-object-unification is not a setting applicable to downstream FortiGates. B is incorrect because configuration-sync being enabled on the root FortiGate should facilitate, not prevent, synchronization. C is correct because if the address object on the root FortiGate has fabric-object set to disable, it will not be synchronized. D is correct because if the downstream FortiGate has configuration-sync set to local, it will not accept the synchronized configuration from the root FortiGate.

Correct answer C, D

C & D are correct SG page 67

we discuss about an address object and a downstream without specify how many downstream there are .... , and for this reason "C" is correct. A -- OK C -- OK

A & C are correct. B and D are wrong, as "configuration-sync" is "Synchronize configuration for IPAM, FortiAnalyzer, FortiSandbox, and Central Management with root node.", not object synchronisation. https://docs.fortinet.com/document/fortigate/7.4.4/cli-reference/

A fabric-object-unification is a root configuration. So, C & D

We agree on A being correct. I think the reason C is not correct is that they aren't saying ALL downstream FortiGates aren't synchronizing. They are referencing a single downstream device.

Sorry, The CORRECT is AC: If set fabric-object (Fabric synchronization option in the GUI) is disabled for firewall addresses and address groups on the root FortiGate, they will not be synchronized to downstream FortiGates https://docs.fortinet.com/document/fortigate/6.4.0/new-features/520820/improvements-to-synchronizing-objects-across-the-security-fabric-6-4-4

AD is the Correct. *fabric-object-unification* default: Global CMDB objects will be synchronized in Security Fabric. local: Global CMDB objects will not be synchronized to and from this device. *configuration-sync* default: Synchronize configuration for FortiAnalyzer, FortiSandbox, and Central Management to root node. local: Do not synchronize configuration with root node. https://docs.fortinet.com/document/fortigate/6.4.0/new-features/893434/synchronizing-objects-across-the-security-fabric