View all questions & answers for the NSE 5 - FortiSwitch 7.6 Administrator Exam Materials exam


Question 33 Discussion

Refer to the exhibits. All three FortiSwitch-connected ports are configured in VLAN 10. FortiGate acts as the Dynamic Host Configuration Protocol (DHCP) server and is connected to a DHCP snooping trusted trunk port. PC1 and PC2 are connected to ports configured as untrusted for DAI, and no static bindings are configured in the IP source guard (IPSG) database. PC2 is compromised and attempts to spoof the FortiGate IP address by sending forged Address Resolution Protocol (ARP) replies with its own MAC address. What will FortiSwitch do with the ARP packets from PC2? (Choose one answer)

  • A. Forward the ARP replies because there are no IPSG bindings blocking them.
  • B. Accept the ARP replies because the VLAN has DAI enabled and FortiGate is a trusted DHCP server.
  • C. Forward the ARP replies to all VLAN 10 ports because DAI is only active on trusted ports.
  • D. Drop the ARP replies because they fail DAI validation against the DHCP snooping database.
Correct Answer: D

Brave-Dump Clients Votes

D 100%

Comments



javaughn Bryan 2025-12-11 02:21:06

Selected Answers: D


D is correct.

Since the ARP reply is received on an untrusted port and the IP-to-MAC binding in the packet does not validate against the DHCP snooping database, the FortiSwitch detects an ARP spoofing attempt.

Therefore, the FortiSwitch will drop the ARP replies because they fail DAI validation against the DHCP snooping database.

PAGE: 201 | FORTISWITCH 7.6 ADMIN GUIDE
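
The validation described in the comment above, as an added example that is not part of the original page and not FortiSwitch's own code: a simplified Python model of DAI checking the ARP sender IP and MAC against DHCP snooping bindings on untrusted ports. The addresses, port names and the `DaiSwitch`/`Arp` names are assumptions, since the exhibits are not on the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Arp:
    sender_ip: str
    sender_mac: str
    vlan: int
    port: str  # ingress port

class DaiSwitch:
    """Simplified model: DAI validates ARP only on untrusted ports of DAI-enabled VLANs."""
    def __init__(self, dai_vlans, trusted_ports):
        self.dai_vlans = set(dai_vlans)
        self.trusted_ports = set(trusted_ports)
        self.snooping_db = {}  # (vlan, ip) -> mac, learned from DHCP leases

    def learn_lease(self, vlan, ip, mac):
        # DHCP snooping records the binding when the server's ACK is seen.
        self.snooping_db[(vlan, ip)] = mac.lower()

    def inspect(self, arp):
        if arp.vlan not in self.dai_vlans or arp.port in self.trusted_ports:
            return "forward"  # not inspected
        bound_mac = self.snooping_db.get((arp.vlan, arp.sender_ip))
        # No binding, or a binding for a different MAC: treated as spoofed.
        return "forward" if bound_mac == arp.sender_mac.lower() else "drop"

def run_scenario():
    # Constructed sample values; the exhibits' real addresses are not on the page.
    fgt_ip, fgt_mac = "10.0.10.1", "00:09:0f:00:00:01"
    pc1_ip, pc1_mac = "10.0.10.11", "02:00:00:00:00:11"
    pc2_ip, pc2_mac = "10.0.10.12", "02:00:00:00:00:12"
    sw = DaiSwitch(dai_vlans=[10], trusted_ports=["port1"])  # port1 = FortiGate trunk
    sw.learn_lease(10, pc1_ip, pc1_mac)
    sw.learn_lease(10, pc2_ip, pc2_mac)
    return {
        "fortigate_arp_on_trusted_port": sw.inspect(Arp(fgt_ip, fgt_mac, 10, "port1")),
        "pc2_own_binding": sw.inspect(Arp(pc2_ip, pc2_mac, 10, "port3")),
        "pc2_claims_fortigate_ip": sw.inspect(Arp(fgt_ip, pc2_mac, 10, "port3")),
        "pc2_claims_pc1_ip": sw.inspect(Arp(pc1_ip, pc2_mac, 10, "port3")),
    }

if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case}: {verdict}")
```

The FortiGate address has no snooping entry because it is the DHCP server rather than a client, so any ARP claiming that IP from an untrusted port finds no matching binding and is dropped.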