NSE 4 – FortiGate 6.4 — Question 42
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
- All traffic must be routed through the primary tunnel when both tunnels are up.
- The secondary tunnel must be used only if the primary tunnel goes down.
- In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
Answer options
- A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
- B. Enable Dead Peer Detection.
- C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
- D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
Correct answer: B, C
Explanation
The correct answers are B and C. FortiGate chooses between two static routes to the same destination by administrative distance: only the route with the lower distance is installed in the routing table, and the higher-distance route takes over only when the lower-distance route is withdrawn. Giving the primary tunnel's static route the lower distance and the secondary tunnel's route the higher distance (C) therefore sends all traffic through the primary tunnel while it is up and through the secondary tunnel only when the primary is down. Option A inverts the distances and would make the secondary tunnel the preferred path. A static route over an IPsec interface is withdrawn when that tunnel interface goes down, and Dead Peer Detection (B) is what brings the interface down promptly when the remote gateway stops answering; with DPD disabled, the tunnel stays up until its security associations expire and rekeying fails, and traffic is black-holed in the meantime. Auto-negotiate and Autokey Keep Alive (D) keep the phase 2 SAs established and renegotiated, which helps the secondary tunnel be ready for use, but they neither detect a dead peer nor influence route selection, so they do not satisfy the requirements.
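The following FortiOS CLI fragment is an added illustration of answers B and C, not part of the original question. The tunnel names, interface name, gateway addresses, the 10.1.0.0/16 remote subnet and the pre-shared key placeholder are assumptions; the distance values only need to satisfy primary < secondary.

```text
# Phase 1 of both tunnels, with Dead Peer Detection enabled (answer B).
# "on-idle" sends DPD probes even when the tunnel carries no traffic, so a
# dead peer is detected without waiting for user traffic to fail.
config vpn ipsec phase1-interface
    edit "vpn-primary"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <primary-psk>
    next
    edit "vpn-secondary"
        set interface "wan1"
        set remote-gw 198.51.100.1
        set dpd on-idle
        set dpd-retryinterval 5
        set dpd-retrycount 3
        set psksecret <secondary-psk>
    next
end

# Same destination over both tunnel interfaces; the lower distance wins while
# the primary tunnel interface is up (answer C).
config router static
    edit 1
        set dst 10.1.0.0 255.255.0.0
        set device "vpn-primary"
        set distance 10
    next
    edit 2
        set dst 10.1.0.0 255.255.0.0
        set device "vpn-secondary"
        set distance 20
    next
end
```

To check the result, `get router info routing-table all` should list 10.1.0.0/16 only via vpn-primary while both tunnels are up, and only via vpn-secondary after the primary peer stops answering DPD; `diagnose vpn ike gateway list` shows the phase 1 state of each tunnel. As a practical caveat beyond the question, a common Fortinet recommendation is to add a third static route to the same destination with `set blackhole enable` and `set distance 254`, so that if both tunnels are down the traffic is dropped instead of following the default route in clear text.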