Refer to the exhibit.

Based on the ZTNA tag, the security posture of the remote endpoint has changed. What will happen to endpoint active ZTNA sessions?

1. A. They will be re-evaluated to match the endpoint policy.
2. B. They will be re-evaluated to match the firewall policy.
3. C. They will be re-evaluated to match the ZTNA policy.
4. D. They will be re-evaluated to match the security policy.

Correct Answer: C
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/580880/posture-check-verification-for-active-zt FortiGate Infrastructure 7.2 Study Guide (p.182): "Endpoint posture changes trigger active ZTNA proxy
sessions to be re-verified and terminated if the endpoint is no longer compliant with the ZTNA policy."

An administrator wants to simplify remote access without asking users to provide user credentials. Which access control method provides this solution?

1. A. ZTNA IP/MAC filtering mode
2. B. ZTNA access proxy
3. C. SSL VPN
4. D. L2TP

Correct Answer: B
FortiGate Infrastructure 7.2 Study Guide (p.165): "ZTNA access proxy allows users to securely access resources through an SSL-encrypted access proxy. This simplifies remote access by eliminating the use of VPNs."
This is true because ZTNA access proxy is a feature that allows remote users to access internal applications without requiring VPN or user credentials. ZTNA access proxy uses a secure tunnel between the user’s device and the FortiGate, and authenticates the user based on device identity and context. The user only needs to install a lightweight agent on their device, and the FortiGate will automatically assign them to the appropriate application group based on their device profile. This simplifies remote access and enhances security by reducing the attack surface12

Which statements about the firmware upgrade process on an active-active HA cluster are true? (Choose two.)

1. A. The firmware image must be manually uploaded to each FortiGate.
2. B. Only secondary FortiGate devices are rebooted.
3. C. Uninterruptable upgrade is enabled by default.
4. D. Traffic load balancing is temporally disabled while upgrading the firmware.

Correct Answer: CD

Which statements best describe auto discovery VPN (ADVPN). (Choose two.)

1. A. It requires the use of dynamic routing protocols so that spokes can learn the routes to other spokes.
2. B. ADVPN is only supported with IKEv2.
3. C. Tunnels are negotiated dynamically between spokes.
4. D. Every spoke requires a static tunnel to be configured to other spokes so that phase 1 and phase 2 proposals are defined in advance.

Correct Answer: AC

What are two characteristics of FortiGate HA cluster virtual IP addresses? (Choose two.)

1. A. Virtual IP addresses are used to distinguish between cluster members.
2. B. Heartbeat interfaces have virtual IP addresses that are manually assigned.
3. C. The primary device in the cluster is always assigned IP address 169.254.0.1.
4. D. A change in the virtual IP address happens when a FortiGate device joins or leaves the cluster.

Correct Answer: AD
Fortigate Infrastructure 7.2 Study Guide page 301 FortiGate Infrastructure 7.2 Study Guide (p.301):
"FGCP automatically assigns the heartbeat IP addresses based on the serial number of each device. The IP address 169.254.0.1 is assigned to the device with the highest serial number."
"A change in the heartbeat IP addresses may happen when a FortiGate device joins or leaves the cluster." "The HA cluster uses the heartbeat IP addresses to distinguish the cluster members and synchronize data." https://networkinterview.com/fortigate-ha-high-availability/