NSE 7 – Enterprise Firewall 6.4 — Question 15

An administrator has configured two FortiGate devices for an HA cluster. While testing HA failover, the administrator notices that some of the switches in the network continue to send traffic to the former primary device. The administrator decides to enable the setting link-failed-signal to fix the problem.
Which statement about this setting is true?

Answer options

• A. It sends an ARP packet to all connected devices, indicating that the HA virtual MAC address is reachable through a new master after a failover.
• B. It sends a link failed signal to all connected devices.
• C. It disabled all the non-heartbeat interfaces in all HA members for two seconds after a failover.
• D. It forces the former primary device to shut down all its non-heartbeat interfaces for one second, while the failover occurs.

Correct answer: D

Explanation

The correct answer is D because enabling the link-failed-signal causes the previous primary device to shut down its non-heartbeat interfaces for a brief period, which helps prevent traffic from being sent to it after a failover. Options A and B describe actions that do not occur with this setting, while option C incorrectly states the duration and scope of interface disabling.