FCP – FortiGate Administrator 7.4 — Question 65

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)

Answer options

• A. Enable Dead Peer Detection.
• B. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
• C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
• D. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.

Correct answer: A, C

Explanation

The correct answer is A and C. Enabling Dead Peer Detection allows FortiGate to quickly identify if the primary tunnel is down, facilitating faster failover to the secondary tunnel. Additionally, configuring a lower distance for the static route of the primary tunnel ensures it is preferred over the secondary tunnel, which has a higher distance, allowing proper traffic routing when both tunnels are available.