Exam NSE4_FGT-7.0 topic 1 question 98 discussion

I think it's C. Enable auto-negotiate by default enabling auto-keep-alive too which brings up tunnel automatically. Ans B is little bit tricky, auto-negotiate will negotiate new SA "before" existing SA expired not "after" existing SA expired.

Answer B suggest that after the SA expires, however incase of auto-negotiate setting negotiation happen well before the existing SA expires.

It's B: Fortigate Infraestructure 7.2 page 264 When IPsec SAs expire, FortiGate needs to negotiate new SAs to continue sending and receiving traffic over the IPsec tunnel. Technically, FortiGate deletes the expired SAs from the respective phase 2 selectors, and installs new ones. If IPsec SA renegotiation takes too much time, then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation.

It's B: FortiGate automatically negotiates a new security association after the existing security association expires. The answer would have been C if the 'Autokey Keep Alive' had been activated in addition.

C is the correct

Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires.

Page 222 of Infrastructure 7.0: Auto-negotiate being enabled negotiates new SAs BEFORE current SAs fail. Enabling Auto-negotiate allows the tunnel to come up and stay up automatically, even when there is no interesting traffic.

C is correct, B is wrong as negotiation happen before not after the current SA expire.

C according to the study guide, as the new SA is created BEFORE the old one expires

It's C Auto-negotiate: Enable the option to automatically renegotiate the tunnel when the tunnel expires. By default, the phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established. Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user. If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Auto-negotiate initiates the phase-2 SA negotiation automatically, repeating every five seconds until the SA is established. Automatically establishing the SA can be important for a dial-up peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dial-up peer. Otherwise, the VPN tunnel does not exist until the dial-up peer initiates traffic.

Answer is B. Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536

Answer is C Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. When you enable Autokey Keep Alive and keep Auto-negotiate disabled, the tunnel does not come up automatically unless there is interesting traffic. FortiGate Infrastructure 7.0 Study Guide pag 222

Answer C is correct

"If IPsec SA renegotiation takes too much time, then FortiGate might drop interesting traffic because of the absence of active SAs. To prevent this, you can enable Auto-negotiate. When you do this, FortiGate not only negotiates new SAs before the current SAs expire, but it also starts using the new SAs right away. The latter prevents traffic disruption by IPsec SA renegotiation. Another benefit of enabling Auto-negotiate is that the tunnel comes up and stays up automatically, even when there is no interesting traffic. " Fortigate Infrastructure Study Guide v7.0, Page 236

Answer is C Look in section Autonegotiate https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepalive/ta-p/189536

AutoNegotiate renegotiates new SAs before the current SAs expire and the tunnel comes up and stays up automatically even when there is no interesting traffic.

It's C. According to FG infra pg. 263.