

NSE 7 - Enterprise Firewall 7.6 Administrator Exam Materials-Question 14 Discussion

Refer to the exhibit. The ADVPN IPsec interface represents the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub B to Spoke 3 and Spoke 4. You must configure an ADVPN using IBGP and EBGP to connect Overlay 1 with Overlay 2. Which parameters must you configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels? (Choose one answer)

  • A. set auto-discovery-forwarder enable and set remote-as x
  • B. set auto-discovery-sender enable and set network-id x
  • C. set auto-discovery-receiver enable and set remote-ip x
  • D. set auto-discovery-crossover enable and set enforce-multihop enable
Correct Answer: B

Brave-Dump Clients Votes

B 69.23%
D 23.08%
A 7.69%

Comments



Jimiko Allen Dino 2025-11-12 12:11:34

Selected Answers: D


When configuring ADVPN (Auto-Discovery VPN) to connect overlay networks across different hubs using IBGP and EBGP, special configurations are required to allow spokes from different overlay networks to dynamically establish tunnels.
# set auto-discovery-crossover enable
# This allows cross-hub tunnel discovery in an ADVPN deployment where multiple hubs are used.
# Since Hub A and Hub B belong to different overlays, enabling crossover discovery ensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.
# set enforce-multihop enable
# This setting ensures that BGP peers using loopback interfaces can establish connectivity even if they are not directly connected.
# Multihop BGP sessions are required when using loopback addresses as BGP peer sources because the connection might need to traverse multiple routers before reaching the BGP neighbor.
# This is especially useful in ADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.


Hasan Ahmed 2025-11-29 17:26:38

Selected Answers: D


D is the correct answer.


Mike 2025-12-04 17:10:46

Selected Answers: B


Since the IPsec interface in question is the hub-to-spoke interface, answer B is correct.
Study guide page 245
Hubs# config vpn ipsec phase1-interface
    edit "ADVPN"
        set auto-discovery-sender enable
        set network-id x
end


Mahmoud Mohammedali 2025-12-09 14:01:29

Selected Answers: B


Correct answer: B. set auto-discovery-sender enable and set network-id x

In FortiGate ADVPN (Auto-Discovery VPN), the key Phase 1 parameters that enable dynamic shortcut creation and overlay separation are:


#set auto-discovery-sender enable
Enables the device (typically hubs) to advertise reachable prefixes and participate in shortcut discovery, allowing spokes to form on‑demand IPsec tunnels directly to each other.


#set network-id <x>
Tags the ADVPN domain/overlay. This ensures routes and shortcuts remain scoped to the correct overlay, which is essential when you’re connecting them with iBGP/EBGP while keeping control of which peers can auto‑discover each other.
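
Added example, not part of any comment in this thread and not Fortinet's own code: a small Python audit that parses FortiOS `config vpn ipsec phase1-interface` text and lists tunnels that have `auto-discovery-sender` enabled but no `network-id`, the two settings named in answer B. The sample config, its tunnel names and values, and the `parse_phase1` and `audit` helpers are constructed for illustration.

```python
import shlex
P1 = "vpn ipsec phase1-interface"
# Constructed sample, not the exam exhibit; tunnel names and values are assumptions.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "ADVPN"
        set auto-discovery-sender enable
        set network-id 1
    next
    edit "ADVPN-B"
        set auto-discovery-sender enable
    next
end
config router bgp
    config neighbor
        edit "10.0.0.2"
            set ebgp-enforce-multihop enable
        next
    end
end
"""

def parse_phase1(text):
    """Return {tunnel: {option: value}} for phase1-interface entries only."""
    stack, tunnels, cur = [], {}, None
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if tok and tok[0].endswith("#"):      # drop a CLI prompt such as "Hubs#"
            tok = tok[1:]
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "end":
            del stack[-1:]                    # tolerates a stray "end"
            cur = cur if stack == [P1] else None
        elif stack == [P1]:                   # skip other tables and nested sub-tables
            if cmd == "edit" and args:
                cur = tunnels.setdefault(args[0], {})
            elif cmd == "next":
                cur = None
            elif cmd == "set" and cur is not None and args:
                cur[args[0]] = " ".join(args[1:])
    return tunnels

def audit(text):
    """Tunnels with auto-discovery-sender enabled but no network-id configured."""
    return [name for name, opts in parse_phase1(text).items()
            if opts.get("auto-discovery-sender") == "enable" and "network-id" not in opts]
```

The parser also accepts a snippet that starts with a CLI prompt and ends an entry with `end` instead of `next`, and it ignores `set` lines that sit under `config router bgp`.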


Adam 2026-01-18 08:38:25

Selected Answers: D


https://docs.fortinet.com/document/fortigate/7.2.5/fortios-release-notes/743723
"849515"
Add auto-discovery-crossover option under config vpn ipsec phase1-interface to block or allow (default) the set-up of shortcut tunnels between different network IDs.
When auto-discovery-crossover is set to allow:
-> The cross-over shortcut connection will be initialized with network ID of 0.
-> The non-cross-over shortcut connection will use the configured network ID number.

As the question says "You must configure an ADVPN using IBGP and EBGP to connect Overlay 1 with Overlay 2" (two different network IDs), then D is the correct answer.
"set ebgp-enforce-multihop enable" is needed in BGP config as both hubs would be using IPsec tunnel interface for BGP neighborship, and not physical interface.


Andres 2026-01-19 16:39:38

Selected Answers: B


The question is for "phase 1 VPN IPsec configuration", not for BGP, so B.


Anonymous User 2026-02-19 13:55:34

Selected Answers: B


Page 236


Mattia Bruno 2026-03-02 11:38:48

Selected Answers: B


Honestly it's better B
A - Forwarder is for the Hub2Hub
B - Is wrong because sender should be configured in the Spokes P1 not Hubs.
C - Remote IP doesn't exist as a command in P1 but receiver is for the Hub
D - Could be right but the question states what configuration of P1, and enforce-multihop is a BGP configuration and the question doesn't talk about shortcuts, just connect which can be used the Hub2Hub VPN
So I say B, but with doubt


zineeddine 2026-03-11 00:22:29

Selected Answers: B


This config should be under ADVPN tunnels.


Anonymous User 2026-03-11 17:42:44

Selected Answers: B


There doesn't seem to be a requirement for spokes to build tunnels across the hubs. The spokes can still communicate via the hub if they want to communicate with spokes registered with the other hub. The auto-discovery-sender command however, is a requirement regardless if we want to run ADVPN.


Mohamed Gamal Mahmoud 2026-03-14 05:52:14

Selected Answers: A


answer A


Kalanidhi Mani Tripathi 2026-04-19 19:48:02

Selected Answers: B


Enterprise_Firewall_7.6_Administrator_Study_Guide Page 235


Anonymous User 2026-04-19 19:50:58

Selected Answers: B


Enterprise_Firewall_7.6_Administrator_Study_Guide Page 235