Which two key configuration changes are needed on FortiGate to meet the design requirements?

A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.

* All traffic must be routed through the primary tunnel when both tunnels are up

* The secondary tunnel must be used only if the primary tunnel goes down

* In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover

Which two key configuration changes are needed on FortiGate to meet the design requirements? (Choose two.)
A. Configure a high distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B. Enable Dead Peer Detection.
C. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
D. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.

Answer: B,C

Explanation:

B – The requirement is that FortiGate detects when a tunnel goes down, and Dead Peer Detection (DPD) is designed for that purpose. It sends a probe packet to the peer and, after a specific amount of time without a response, treats the tunnel as down so that traffic can fail over to the next tunnel.

C – When choosing between routes to the same destination, the route with the lowest administrative distance is chosen. Configuring a lower distance on the static route for the primary tunnel therefore means that the primary tunnel will be chosen to route packets towards their destination. The higher-distance route through the secondary tunnel is used only when the primary route is removed because its tunnel is down.
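
The two answers as a FortiOS CLI fragment, added here as an illustration and not part of the original question. It assumes both phase 1 tunnels already exist; the tunnel names, destination subnet, distances and DPD timer values are constructed placeholders, and the `#` lines are annotations.

```fortios
# Answer B: enable Dead Peer Detection on both tunnels so that
# an unresponsive peer is detected and the tunnel is marked down.
config vpn ipsec phase1-interface
    edit "VPN-PRIMARY"
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
    edit "VPN-SECONDARY"
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 5
    next
end

# Answer C: same destination through both tunnels, with the lower
# distance on the primary so it wins while both tunnels are up.
config router static
    edit 1
        set dst 10.20.0.0 255.255.0.0
        set device "VPN-PRIMARY"
        set distance 5
    next
    edit 2
        # Higher distance: used only when the primary route is
        # withdrawn because its tunnel is down.
        set dst 10.20.0.0 255.255.0.0
        set device "VPN-SECONDARY"
        set distance 10
    next
end
```

After applying a configuration like this, `get router info routing-table all` should list only the route through the primary tunnel while both tunnels are up.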
