Exam NSE4_FGT-6.4 topic 1 question 32 discussion

Actual exam question from Fortinet's NSE4_FGT-6.4
Question #: 32
Topic #: 1

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
✑ All traffic must be routed through the primary tunnel when both tunnels are up.
✑ The secondary tunnel must be used only if the primary tunnel goes down.
✑ In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)

  • A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
  • B. Enable Dead Peer Detection.
  • C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
  • D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Suggested Answer: BC
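
As an added example (not part of the original question or of Fortinet's course material), this FortiOS CLI fragment shows answers B and C together: Dead Peer Detection enabled on both phase 1 interfaces, and a lower distance on the primary tunnel's static route than on the secondary's. The tunnel names, interfaces, gateway addresses, remote subnet, distance values and DPD timer values are constructed for illustration.

```fortios
# Constructed example: names, addresses and timer values are assumptions.
config vpn ipsec phase1-interface
    edit "tun-primary"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set psksecret <pre-shared-key>
        # Answer B: enable DPD so a dead peer is detected quickly.
        # "dpd" accepts disable, on-idle or on-demand.
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
    edit "tun-secondary"
        set interface "wan2"
        set remote-gw 198.51.100.1
        set psksecret <pre-shared-key>
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end

config router static
    edit 1
        # Answer C: lower distance, so this route is preferred
        # while the primary tunnel is up.
        set dst 10.0.2.0 255.255.255.0
        set device "tun-primary"
        set distance 5
    next
    edit 2
        # Higher distance: used only once DPD has brought the primary
        # tunnel down and its static route has left the routing table.
        set dst 10.0.2.0 255.255.255.0
        set device "tun-secondary"
        set distance 10
    next
end
```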

Comments

Lionardo
Highly Voted 4 years ago
B & C is correct. FortiGate_Infrastructure_6.4 page 219 for "B" and 243 for "C"
upvoted 12 times
...
Biz90
Highly Voted 4 years ago
OK, the answer to this question is B and C. B because the customer requires the tunnels to notify when a tunnel goes down. DPD is designed for that purpose: to send a packet over a firewall to determine a failover for the next tunnel after a specific amount of time of not receiving a response from its peer. C: remember, when it comes to choosing a route with regard to administrative distance, the route with the lowest distance for that particular route will be chosen. So configuring a lower routing distance on the primary tunnel means that the primary tunnel will be chosen to route packets towards their destination.
upvoted 5 times
...
NicolaeEast
Most Recent 2 years, 8 months ago
Selected Answer: BC
Fortigate Infrastructure pg 234
upvoted 1 times
...
ChuckC
2 years, 9 months ago
Selected Answer: BC
I was looking to 'prove' these answers; found FortiGate_Infrastructure_7.0 page 234 for both B and C.
upvoted 2 times
...
SandroAlex
3 years, 1 month ago
Selected Answer: BC
B and C are true
upvoted 1 times
...
Ali1982
3 years, 4 months ago
B & C Are correct
upvoted 1 times
...
Bluegrass168
3 years, 10 months ago
Answers are B and C. But in a real environment, the IPsec tunnel stays up even with DPD enabled ... ha ha. And the best way to resolve the issue, in my opinion, is to add the IPsec tunnel to an SD-WAN group with the tunnel interface IP address as the health check...
upvoted 4 times
...
mahmoudlol
3 years, 12 months ago
B & C are correct
upvoted 1 times
...
Ishan_Dis
3 years, 12 months ago
DPD - identify dead tunnels. Low-distance routes will apply first. So the answer is BC.
upvoted 3 times
...
Ishan_Dis
3 years, 12 months ago
DPD - identify dead tunnels. Low-distance routes will apply first.
upvoted 2 times
...
davidone
4 years ago
B and C are correct.
upvoted 3 times
...
HT_TNT
4 years ago
Correct is B and D. Both routes must have same AD.
upvoted 2 times
Lionardo
4 years ago
D is incorrect; this configuration only keeps the IPsec connection alive. There are no such requirements.
upvoted 2 times
...
...