For the ADVPN feature to function properly on the hub, the following phase 1 parameters must be configured:

A. set auto-discovery-forwarder enable: This enables the hub to forward shortcut information to the spokes, which is essential for them to establish direct tunnels.

C. set auto-discovery-receiver enable: This allows the hub to receive shortcut offers from the spokes.

This information is corroborated by the Fortinet documentation, which explains that in an ADVPN setup, the hub must be able to both forward and receive shortcut information for dynamic tunnel creation between spokes.

C. The hub adds routes based on IKE negotiations: This is part of the ADVPN functionality where the hub learns about the networks behind the spokes and can add routes dynamically based on the IKE negotiations with the spokes.

D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0: This wildcard setting in the phase 2 selectors allows any-to-any tunnel establishment, which is necessary for the dynamic creation of spoke-to-spoke tunnels.

These configurations are outlined in Fortinet ' s documentation for setting up ADVPN, where the hub ' s role in route control and the use of wildcard selectors for phase 2 are emphasized to enable dynamic tunneling between spokes.

Option A is correct because the address object on the tool FortiGate will not be synchronized with the downstream devices if it has fabric-object set to disable.  This option controls whether the address object is shared with other FortiGate devices in the Security Fabric or not 1 .

Option C is correct because the downstream FortiGate will not receive the address object from the tool FortiGate if it has fabric-object-unification set to local.  This option controls whether the downstream FortiGate uses the address objects from the root FortiGate or its own local address objects 2 .

Option B is incorrect because the root FortiGate has configuration-sync set to enable by default, which means that it will synchronize the address objects with the downstream devices unless they are disabled by the fabric-object option 3 .

Option D is incorrect because the downstream FortiGate has configuration-sync set to local by default, which means that it will receive the address objects from the root FortiGate unless they are overridden by the fabric-object-unification option 4 .  References : =

1 : Group address objects sync hronized from FortiManager 5

2 : Security Fabric address object unification 6

3 : Configuration synchronization 7

4 : Configuration synchronization 7

: Security Fabric - Fortinet Documentation

Option B is correct because each FortiGate in the Security Fabric can send logs to FortiAnalyzer for centralized logging and analysis 1 2 . This allows you to monitor and manage the entire Security Fabric from a single console and view aggr egated reports and dashboards.

Option A is incorrect because the root FortiGate is not the only device that can send logs to FortiAnalyzer.  The root FortiGate is the devi ce that initiates the Security Fabric and acts as the central point of contact for other FortiGate devices 3 . However, it does not have to be the only log source for Forti Analyzer.

Option C is incorrect because the FortiGate devices performing NAT or UTM are not the only devices that can send logs to FortiAnalyzer.  These devices can perform additional security functions on the traffic that passes through them, such as firewall, antivirus, web filtering, etc 4 . However, they are not the only devices that generate logs in the Security Fabric.

Option D is incorrect because the last FortiGate that handled a session in the Security Fabric is not the only device that can send logs to FortiAnalyzer.  The last FortiGate is the device that terminates the session and applies the fi nal security policy 5 . However, it does not have to be the only device that reports the session information to FortiAnalyzer.  References : =

1 : Security Fabric - Fortinet Documentation 1

2 : FortiAnalyzer Demo 6

3 : Security Fabric topology

4 : Security Fabric UTM features

5 : Security Fabric session handling

Option B is correct because the routing table shows that the tunnel interfaces have a netmask of 255.255.255.255, which indicates that net-device is enabled in the phase 1 configuration.  This option allows the FortiGate to use the tunnel interface as a next-hop for routing, without adding a route to the phase 2 de stination 1 .

Option D is correct because the routing table does not show any routes to the phase 2 destination networks, which indicates that add-route is disabled in the phase 1 configuration.  This option controls whether the FortiGate adds a static ro ute to the phase 2 destination network using the tunnel interface as the gateway 2 .

Option A is incorrect because IPSec tunnel aggregation is a feature that allows multiple phase 2 selectors to share a single phase 1 tunnel, reducing the number of tunnels and improving performance 3 . This feature is not related to the routing table or the phase 1 configuration.

Option C is incorrect because OSPF is a dynamic routing protocol that can run over IPSec tunnels, but it requires additional configuration on the FortiGate and the peer device 4 . This option is not related to the routing table or the phase 1 configuration.  References : =

1 : Technical Tip: ‘set net-device’ new route-based IPsec logic 2

2 : Adding a static route 5

3 : IPSec VPN concepts 6

4 : Dynamic routing over IPsec VPN 7

Option A is correct because the OSPF interface network types determine how the routers form adjacencies and exchange LSAs on a network segment.  The network types must match for the routers to become neighbors 1 .

Option B is correct because the OSPF router IDs are used to identify each router in the OSPF domain and to establish adjacencies.  The router IDs must be unique for the routers to beco me neighbors 2 .

Option E is correct because the authentication settings control how the routers authenticate each other before exchanging OSPF packets.  The authentication settings must match for the routers to become neighbors 3 .

Option C is incorrect because the OSPF interface priority settings are used to elect the designated router (DR) and the backup designated router (BDR) on a broadcast or non-broadcast multi-access networ k.  The priority settings do not have to be unique for the routers to become neighbors, but they affect the DR/BDR election process 4 .

Option D is incorrect because the OSPF link costs are used to calculate the shortest path to a destination netw ork based on the bandwidth of the links.  The link costs do not have to match for the routers to become neighbors, but they affect the routing decisions 5 .  References : =

1 : OSPF network types

2 : OSPF router ID

3 : OSPF authenticati on

4 : OSPF interface priority

5 : OSPF link cost

BFD (Bidirectional Forwarding Detection) is a protocol that provides fast failure detection for BGP by sending periodic messages to verify the connec tivity between two peers 1 .  BFD can be enabled on both connected FortiGate devices by using the command  set bfd enable  under the BGP configuration 2 .  References : =  Technical Tip : FortiGate BFD implementation and examples … ,  Configure BGP | FortiGate / FortiOS 7.0.2 - Fortinet Documentation

The BGP stat e is “Idle”, indicating that BGP is attempting to establish a TCP connection with the peer. This is the first state in the BGP finite state machine, and it means that no TCP connection has been established yet. If the TCP connection fails, the BGP state wi ll reset to either active or idle, depending on the configuration.  References : You can find more information about BGP states and troubleshooting in the following Fortinet Enterprise Firewall 7.2 documents:

Troubleshooting BGP

How BGP wor ks

To configure a loopback as the BGP source, you need to set the “ebgp-enforce-multihop” and “update-source” parameters in the BGP configuration.  The “ebgp-enforce-multihop” allows EBGP connections to neighbor routers that are not directly connected, while “update-source” specifies the IP address that should be used for the BGP session 1 .  References  :=  BGP on loopback ,  Loopback interface ,  Technical Tip: Configuring EBGP Multihop Load-Balancing ,  Technical Tip: BGP routes are not installed in routing table with loopback as update source

Bidirectional Forwarding Detection (BFD) is a rapid protocol for detecting failures in the forwarding path between two adjacent routers, including interfaces, data links, and forwarding planes. BFD is designed to detect forwarding path failures in a very short amount of time, often less than one second, which is significantly faster than traditional failure detection mechanisms like hold-down timers in routing protocols.

Fortinet supports BFD for BGP, and it can be used over multiple hops, which allows the detection of failures even if the BGP peers are not directly connected. This functionality enhances the ability to maintain stable BGP sessions over a wider network topology and is documented in Fortinet ' s guides.