

Question 16 Discussion

Refer to the exhibit. A partial VPN configuration is shown. Which statement about this VPN IPsec phase 1 configuration is correct? (Choose one answer)

  • A. FortiGate will not add a route to its routing information base (RIB) or forwarding information base (FIB) when the dynamic tunnel is negotiated.
  • B. This configuration is the best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
  • C. A separate interface is created for each dial-up tunnel, which can be slower and more resource intensive, especially in large networks.
  • D. This configuration must include certificates associated peer IDs to enhance security.
Correct Answer: B

Brave-Dump Clients Votes

B 100%

Comments



Adam 2026-01-20 14:17:05

Selected Answers: B


From Study Guide:
FortiGate supports three DPD modes: on-demand, on-idle, and disable.
-> On-demand mode is best for environments where traffic patterns are unpredictable, and immediate response to connectivity issues is crucial.
-> On-idle mode is best for networks with regular traffic intervals, providing a balance between connectivity assurance and resource utilization.
-> Disable mode is suitable in highly stable environments where DPD overhead is unwarranted.

D is wrong because certificate authentication in IKE uses a local certificate and a peer certificate, so we don't associate the peer certificate with a peer ID. Peer ID is not configurable in IKEv2, as in IKEv2 we can only use "set peertype any".


Mattia Bruno 2026-03-02 12:34:13

Selected Answers: B


As Adam said