View all questions & answers for the NSE 7 - Enterprise Firewall 7.6 Administrator Exam Materials exam
Comments
Selected Answers: D
# set auto-discovery-crossover enable
# This allows cross-hub tunnel discovery in an ADVPN deployment where multiple hubs are used.
# Since Hub A and Hub B belong to different overlays, enabling crossover discovery ensures that spokes from one overlay can dynamically create direct tunnels to spokes in the other overlay when needed.
# set enforce-multihop enable
# This setting ensures that BGP peers using loopback interfaces can establish connectivity even if they are not directly connected.
# Multihop BGP sessions are required when using loopback addresses as BGP peer sources because the connection might need to traverse multiple routers before reaching the BGP neighbor.
# This is especially useful in ADVPN deployments with multiple hubs, where routes might need to cross from one hub to another.
Selected Answers: D
Selected Answers: B
Study guide page 245
Hubs# config vpn ipsec phase1-interface
    edit "ADVPN"
        set auto-discovery-sender enable
        set network-id x
end
Selected Answers: B
In FortiGate ADVPN (Auto-Discovery VPN), the key Phase 1 parameters that enable dynamic shortcut creation and overlay separation are:
#set auto-discovery-sender enable
Enables the device (typically hubs) to advertise reachable prefixes and participate in shortcut discovery, allowing spokes to form on‑demand IPsec tunnels directly to each other.
#set network-id <x>
Tags the ADVPN domain/overlay. This ensures routes and shortcuts remain scoped to the correct overlay, which is essential when you’re connecting them with iBGP/EBGP while keeping control of which peers can auto‑discover each other.
Selected Answers: D
"849515"
Add auto-discovery-crossover option under config vpn ipsec phase1-interface to block or allow (default) the set-up of shortcut tunnels between different network IDs.
When auto-discovery-crossover is set to allow:
-> The cross-over shortcut connection will be initialized with network ID of 0.
-> The non-cross-over shortcut connection will use the configured network ID number.
As the question says "You must configure an ADVPN using IBGP and EBGP to connect Overlay 1 with Overlay 2" (two different network IDs), D is the correct answer.
"set ebgp-enforce-multihop enable" is needed in the BGP config, as both hubs would be using the IPsec tunnel interface for BGP neighborship, and not a physical interface.
Selected Answers: B
Selected Answers: B
Selected Answers: B
A - Forwarder is for the Hub2Hub.
B - Is wrong because sender should be configured in the Spokes' P1, not the Hubs'.
C - Remote IP doesn't exist as a command in P1, but receiver is for the Hub.
D - Could be right, but the question asks for the P1 configuration, and enforce-multihop is a BGP configuration, and the question doesn't talk about shortcuts, just connecting, for which the Hub2Hub VPN can be used.
So I say B, but with doubt.
Selected Answers: B
Refer to the exhibit. The ADVPN IPsec interface represents the VPN IPsec phase 1 from Hub A to Spoke 1 and Spoke 2, and from Hub B to Spoke 3 and Spoke 4. You must configure an ADVPN using IBGP and EBGP to connect Overlay 1 with Overlay 2. Which parameters must you configure in the phase 1 VPN IPsec configuration of the ADVPN tunnels? (Choose one answer)