Question 6 of 127

An administrator has configured central DNAT and virtual IPs. Which of the following can be selected in the firewall policy Destination field?

    Correct Answer: B

    When central DNAT and virtual IPs are configured, the correct option for the firewall policy Destination field is the mapped IP address object of the VIP object. Central DNAT involves translating the destination address of packets to a different address as defined by the virtual IP object. Therefore, in the firewall policy, the mapped IP address of the VIP object should be selected as the destination.

Question 7 of 127

An administrator needs to strengthen the security for SSL VPN access. Which of the following statements are best practices to do so? (Choose three.)

    Correct Answer: B, C, E

    To strengthen the security of SSL VPN access, configuring host restrictions by IP or MAC address ensures that only authorized devices are allowed to connect. Using two-factor authentication with security certificates adds another layer of security, making it harder for unauthorized users to gain access. Implementing a client integrity check (host-check) ensures that the connecting device meets certain security standards before access is allowed. These best practices help secure SSL VPN access effectively.

Question 8 of 127

Which statement about FortiGuard services for FortiGate is true?

    Correct Answer: B

    The correct statement is that antivirus signatures are downloaded locally on FortiGate. This ensures that FortiGate can perform antivirus scanning efficiently and without needing constant access to external resources. The other options are incorrect because the web filtering database is not downloaded locally, FortiGate does not use UDP ports 53 or 8888 for IPS updates (it uses TCP ports instead), and while FortiAnalyzer has many uses, it is not configured as a local FDN for providing antivirus and IPS updates.

Question 9 of 127

Which of the following route attributes must be equal for static routes to be eligible for equal cost multipath (ECMP) routing? (Choose two.)

    Correct Answer: B, D

    For static routes to be eligible for equal cost multipath (ECMP) routing, the routes must have the same metric and cost. The metric is a value used by routing protocols to determine the best path to a destination. Cost is another term for metric in certain routing protocols. Having the same priority and distance is not necessary for ECMP.

Question 10 of 127

View the exhibit.

Based on this output, which statements are correct? (Choose two.)

    Correct Answer: A, C

    The global configuration is synchronized between the primary and secondary FortiGate devices, as indicated by the matching checksums in the 'global' section. The 'all' VDOM is not synchronized between the primary and secondary FortiGate devices, as indicated by the differing checksums in the 'all' section. The root VDOM checksum differences indicate potential configuration issues, but the lack of synchronization, especially in the 'all' section, is a key indicator that synchronization is not consistent. Therefore, the most accurate conclusions are that the global configuration is synchronized, while the 'all' VDOM is not.