Fortinet Exam FCSS_EFW_AD-7.4 Topic 5 Question 5 Discussion

Actual exam question for Fortinet's FCSS_EFW_AD-7.4 exam

Question #: 5
Topic #: 5

Refer to the exhibit, which shows a network diagram showing the addition of site 2 with an overlapping network segment to the existing VPN IPsec connection between the hub and site 1.

Which IPsec phase 2 configuration must an administrator make on the FortiGate hub to enable equal-cost multi-path (ECMP) routing when multiple remote sites connect with overlapping subnets?

ASet route-overlap to either use-new or use-old

BSet net-device to ecmp

CSet single-source to enable

DSet route-overlap to allow

Show Suggested Answer

Suggested Answer: A

When multiple remote sites connect to the same hub using overlapping subnets, FortiGate needs to determine which route should be used for traffic forwarding. The route-overlap setting in IPsec Phase 2 allows FortiGate to handle this scenario by deciding whether to keep the existing route (use-old) or replace it with a new route (use-new).

In an ECMP (Equal-Cost Multi-Path) routing setup, both routes should be retained and balanced, but FortiGate does not support ECMP directly over overlapping routes in IPsec Phase 2. Instead, an administrator must decide which connection takes precedence using route-overlap settings.

by Ty at Apr 06, 2025, 09:54 AM

Limited Time Offer

25%

Off

Get Premium FCSS_EFW_AD-7.4 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Jaleesa

6 days ago

Ah, the age-old dilemma of overlapping subnets. I'm feeling Option C, 'single-source to enable', has a certain charm to it. Why not keep it simple, right?

upvoted 0 times

...