Refer to the exhibits.


The Administrators section of a root FortiGate device and the Security Fabric Settings section of a downstream FortiGate device are shown.
When prompted to sign in with Security Fabric in the downstream FortiGate device, a user enters the AdminSSO credentials.
What is the next status for the user?

1. A. The user is prompted to create an SSO administrator account for AdminSSO.
2. B. The user receives an authentication failure message.
3. C. The user accesses the downstream FortiGate with super_admin_readonly privileges.
4. D. The user accesses the downstream FortiGate with super_admin privileges.

Correct Answer: C
From theRoot FortiGate - System Administrator Configurationexhibit: TheAdminSSOaccount has thesuper_admin_readonlyrole.
From theDownstream FortiGate - Security Fabric Settingsexhibit:
TheSecurity Fabric roleis set toJoin Existing Fabric, meaning it will authenticate with the root FortiGate.
SAML Single Sign-On (SSO) is enabled, and thedefault admin profileis set to
super_admin_readonly.
When theAdminSSOuser logs into the downstream FortiGate usingSSO, the authentication request is sent to the root FortiGate, where AdminSSO has super_admin_readonlypermissions. Since the downstream FortiGate inherits this permission through the Security Fabric configuration, the user will be granted super_admin_readonlyaccess.

Which two statements about IKEv2 are true if an administrator decides to implement IKEv2 in the VPN topology? (Choose two.)

1. A. It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups.
2. B. It supports interoperability with devices using IKEv1.
3. C. It exchanges a minimum of two messages to establish a secure tunnel.
4. D. It supports the extensible authentication protocol (EAP).

Correct Answer: AD
IKEv2 (Internet Key Exchange version 2) is an improvement over IKEv1, offering enhanced security, efficiency, and flexibility in VPN configurations.
It includes stronger Diffie-Hellman (DH) groups, such as Elliptic Curve (ECP) groups. IKEv2 supports stronger cryptographic algorithms, includingElliptic Curve Diffie- Hellman (ECDH)groups such asECP256 and ECP384, providing improved security compared to IKEv1.
It supports the extensible authentication protocol (EAP).
IKEv2 natively supports EAP authentication, which allows integration with external authentication mechanisms such asRADIUS, certificates, and smart cards. This is particularly useful forremote access VPNswhere user authentication must be flexible and secure.

Refer to the exhibit, which shows theADVPNIPsec interface representing the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub to Spoke 3 and Spoke 4.

An administrator must configure an ADVPN using IBGP and EBGP to connect overlay network 1 with 2.
What must the administrator configure in the phase 1 VPN IPsec configuration of theADVPNtunnels?

1. A. set auto-discovery-sender enable and set network-id x
2. B. set auto-discovery-forwarder enable and set remote-as x
3. C. set auto-discovery-crossover enable and set enforce-multihop enable
4. D. set auto-discovery-receiver enable and set npu-offload enable

Correct Answer: C
When configuringADVPN (Auto-Discovery VPN)to connectoverlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.
set auto-discovery-crossover enable
Thisallows cross-hub tunnel discoveryin an ADVPN deployment where multiple hubs are used.
SinceHub A and Hub Bbelong to different overlays, enablingcrossover discoveryensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.
set enforce-multihop enable
This setting ensures thatBGP peers using loopback interfacescan establish connectivityeven if they are not directly connected.
Multihop BGP sessionsare required when usingloopback addresses as BGP peer sourcesbecause the connection might need to traverse multiple routers before reaching the BGP neighbor.
This is especially useful inADVPN deployments with multiple hubs, where routes might
need to cross from one hub to another.

Refer to the exhibit, which shows a corporate network and a new remote office network.

An administrator must integrate the new remote office network with the corporate enterprise network.
What must the administrator do to allow routing between the two networks?

1. A. The administrator must implement BGP to inject the new remote office network into the corporate FortiGate device
2. B. The administrator must configure a static route to the subnet 192.168.l.0/24 on the corporate FortiGate device.
3. C. The administrator must configure virtual links on both FortiGate devices.
4. D. The administrator must implement OSPF over IPsec on both FortiGate devices.

Correct Answer: D
In this scenario, thecorporate networkand thenew remote office networkneed to communicate over theInternet, which requires asecure and dynamic routing method. Since both networks are usingOSPF (Open Shortest Path First)as the routing protocol, the best approach is to establish anOSPF over IPsec VPNto ensure secure and dynamic route propagation.
OSPF is already running on the corporate network, and extending it over an IPsec tunnel allows dynamic route exchange between the corporate FortiGate and the remote office FortiGate.IPsec provides encryptionfor traffic over the Internet, ensuring secure communication.OSPF over IPsec eliminates the need for manual static routes, allowing automatic route updates if networks change.
The new remote office's192.168.1.0/24 subnetwill be advertised dynamically to the corporate network without additional configuration.

Refer to the exhibit, which contains the partial output of an OSPF command.

An administrator is checking the OSPF status of a FortiGate device and receives the output shown in the exhibit.
Which statement on this FortiGate device is correct?

1. A. The FortiGate device can inject external routing information.
2. B. The FortiGate device is in the area 0.0.0.5.
3. C. The FortiGate device does not support OSPF ECMP.
4. D. The FortiGate device is a backup designated router.

Correct Answer: A
From theOSPF status output, the key information is:
"This router is an ASBR" This means the FortiGate is acting as anAutonomous System Boundary Router (ASBR).
AnASBRis responsible for injectingexternal routing informationinto OSPF from another routing protocol (such as BGP, static routes, or connected networks).