Q1

A solutions architect is designing an ADVPN topology with two hubs for redundancy. BGP is the chosen routing protocol. To prevent spokes from becoming a transit for traffic between the two hubs, a specific BGP community is typically used. Which BGP community should be advertised from the spokes to the hubs to achieve this?

Q2

A FortiGate is configured in an Active-Passive FGCP cluster. During a scheduled failover test, the administrator notices that all existing connections are dropped and must be re-established. Analysis of the cluster configuration shows that session pickup is enabled. What is the most likely reason for the sessions being dropped despite session pickup being enabled?

Q3

A network engineer is troubleshooting an OSPF issue where a FortiGate is not forming an adjacency with a Cisco router. The FortiGate is in OSPF area 1, which is configured as a Not-So-Stubby Area (NSSA). The Cisco router is in the same area but is configured as a standard, non-stub area. Both devices are on the same subnet and can ping each other. What is causing the adjacency to fail?

Q4

A security administrator needs to create a custom IPS signature to detect and block the string "confidential-project-alpha" in plain text HTTP traffic. The traffic could be in either the client request or the server response. Which of the following custom signature syntaxes is the most effective and efficient way to achieve this?

Q5 (Multiple answers)

During a security audit, it was discovered that a junior administrator configured a new ADOM on FortiManager but assigned a FortiOS version of 6.4, while all the FortiGate devices to be managed are running FortiOS 7.2. What are the primary implications of this misconfiguration? (Select TWO)

Q6

True or False: When using FortiManager in a workspace mode configuration, an administrator must lock an ADOM before making any configuration changes to policy packages or objects within that ADOM.

Q7

An organization uses two FortiGate devices in different data centers, managed by a third-party load balancer for active/active processing. They need to ensure that if one FortiGate fails, user sessions are seamlessly transferred to the other without requiring re-authentication. A traditional FGCP cluster is not feasible due to the network architecture. Which Fortinet technology is designed for this specific scenario?

Q8

A consultant is reviewing a BGP configuration on a FortiGate that is multihomed to two different ISPs. The company wants to ensure that all outbound traffic prefers the primary ISP link, but can automatically fail over to the secondary ISP. The primary ISP connection has higher bandwidth and lower latency. Which BGP attribute should be manipulated on the inbound route maps from the ISPs to achieve this routing policy?

Q9

**Case Study:** A large enterprise, FinCorp, operates a primary data center and a disaster recovery (DR) site, each with a FortiGate cluster. They have a requirement for deep SSL inspection for all outbound web traffic for compliance reasons. To reduce the load on the individual FortiGates and centralize certificate management, they want to offload the SSL inspection to a dedicated appliance. All outbound traffic from the user network is routed to the primary FortiGate cluster. The dedicated SSL inspection appliance is located in a separate security zone. The FortiGates are responsible for applying web filtering, IPS, and application control after the traffic has been decrypted. The security architect has proposed a solution where the FortiGate forwards traffic to the SSL inspection appliance, receives the decrypted traffic back, applies security profiles, and then forwards it to the internet. The following diagram illustrates the intended logical traffic flow:

```mermaid
graph TD
    User --> FGT[FortiGate Cluster]
    FGT -->|Encrypted Traffic| SSL_App[SSL Inspection Appliance]
    SSL_App -->|Decrypted Traffic| FGT
    FGT -->|Apply Profiles| FGT_NAT[NAT & Egress]
    FGT_NAT --> Internet((Internet))
```

Which FortiOS feature must be configured on the FortiGate to support this design?

Q10

An administrator is attempting to establish a certificate-based IKEv2 IPsec tunnel between two FortiGates. Phase 1 fails to come up. The debug output on the initiator shows the message "received peer certificate but it is not trusted". The administrator has confirmed that both FortiGates have their own signed local certificates and the CA certificate for the peer. What is a common cause for this error?