Exam NSE4_FGT-7.2 topic 1 question 7 discussion

The correct answer is D. When both devices are configured with set downstream-access-disable (answer in C) then the newly created address objects are still replicated. However, when I configure the root with set fabric-object-unification local the address object is no longer replicated to the downstream FortiGates. I believe that the Exhibit B is wrong!

D - not correct Fortigate Security guide 7.2 - page 434 The CLI command "set fabric-object-unification" is only available on the root FortiGate.

set downstream-access enable On the root FortiGate of the Security Fabric, enable downstream access.

It's D. On the actual test it's set to local.

FGTA-1 # config system csf set status enable set group-name "csf_script" set fabric-object-unification default ... end FGTB-1 # config system csf set status enable set upstream-ip 10.2.200.1 set configuration-sync local ... end

The correct answer is C. Because "set fabric-object-unification default" is already defined in the configuration presented in "Exhibit B".

The downstream-access feature must be enable https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/148376/preparing-fortigate-for-supported-security-fabric-devices, if not is enable the security fabric not function

The downstream-access feature must be enable https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/148376/preparing-fortigate-for-supported-security-fabric-devices, if not is enable the security fabric not function

A and B does not apply here, D answer doesn't change anything in the configuration as it is already configured in the root FG. Correct answer is C.

When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default1. Therefore, if a new address object created on the root FortiGate (Local-FortiGate) is not available on the downstream FortiGate (ISFW) after synchronization, it indicates that there might be a sync issue. However, none of the options A, B, C, and D provided directly address this issue based on the information available

The Exhibit B is wrong and misleading the answer. The root configuration is "set fabric-object-unification local", then the right answer should be to change it to DEFAULT.

D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Option C is the correct answer

Answer C is correct.

Answer C is correct. From the study guide "If object synchronisation is disabled on the root Fortigate, using the command 'set fabric-object disable', firewall addresses and address groups will not be synchronised to downstream Fortigate devices." The question states that the admin created an address object on the root, so it won't be synchronised.

A is wrong, "if set configuration-sync is set to local, the downstream device does not participate in synchronization" B wrong, as the connection has been established and no need to authenticate D is wrong, the command is already there on the root C is the only one left

I think neither D nor C is correct. Don't forget the fabric-object-unification command is configured on a downstream device and not on Root Fortigate. It could be correct if we had proposed answer like : "Change the csf settings on ISFW by set fabric-object-unification default"