Exam NSE4_FGT-7.0 topic 1 question 19 discussion

B is not true, a defaut static route is needed.

A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs. B. A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet./ Basic routing. C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs. / At least one of the VDOMs must be operating in NAT mode. This, among other benefits, prevents potential Layer 2 loops. D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM./ Similar to FG w/o VDOMs enabled, the admin VDOM should have outgoing Internet access. Otherwise, features such as scheduled FortiGuard updates will fail.

The question does not say choose 2. So why choose 2 answers, correct answer is A

Correct: A. Inter-VDOM links are required to allow traffic between the Local and Root VDOMs. Incorrect: B. A default static route is not required on the To_Internet VDOM to allow LAN users to access the internet. C. Inter-VDOM links are required to allow traffic between the Local and DMZ VDOMs. (transparent-transparent) D. Inter-VDOM links are not required between the Root and To_Internet VDOMs because the Root VDOM is used only as a management VDOM. FortiGate Infrastructure 7.2 Study Guide: "Each VDOM has independent security policies and routing tables. Also, and by default, traffic from one VDOM cannot go to a different VDOM" (p.71) "...you cannot create an inter-VDOM link between Layer 2 transparent mode VDOMs. At least one of the VDOMs must be operating in NAT mode" (p.101) "Similar to FortiGate without VDOMs enabled, the management VDOM should have outgoing internet access. Otherwise, features such as scheduled FortiGuard updates, fail" (p.73) Reference and download study guide: https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html

The question doesn't ask for multiple correct statements or am i missing anything? bccabrera's & Poeblas statements are correct, why are so many people selecting two answers?

Selected Answer: AD

Root vdom is used only as management Vdom and not required inter links, correct answers are A and C

We can use cables to interconnect VDOMs so Inter-VDOM link is not a requirement, but a feature. Inter-VDOM link does not allow traffic, it creates a path. The security policy can allow the traffic. A static default route is not needed, a route or multiple routes to the internet are needed, static or not.

Pretty bad question in my opinion. It should provide more information, does the fortigate get route to the internet through a dynamic route protocol/is dhcp enabled on ISP router? Inter-vdom links are technically required for communication but alone won't cause the traffic to pass. While the management vdom should have internet access, it is TECHNICALLY not required. If it said "It's best practice to.." it would be a different story.

only A

Is A for sure, and only 1 Answer is required

You need a static route on the To_Internet VDOM

I would say only A because most of the time company will use Static public IP, but think about it, if the ISP provides a dynamic public IP to the Fortigate, will it have a dynamic route?