
nse4_fgt-72 Exam - Question 7


Refer to the exhibits.

An administrator creates a new address object on the root FortiGate (Local-FortiGate) in the security fabric. After synchronization, this object is not available on the downstream FortiGate (ISFW).

What must the administrator do to synchronize the address object?

Correct Answer: CD

To synchronize the address object between the root FortiGate (Local-FortiGate) and the downstream FortiGate (ISFW), the configuration must ensure that the downstream device can receive synchronized objects. The correct setting is to enable 'downstream-access' on both devices. Without this enabled, the necessary synchronization does not occur, which is why option C, which changes the csf setting on both devices to set downstream-access enable, is the right choice.

Discussion

17 comments
Equiano (Option: D)
Mar 22, 2023

The correct answer is D. When both devices are configured with set downstream-access-disable (answer in C) then the newly created address objects are still replicated. However, when I configure the root with set fabric-object-unification local the address object is no longer replicated to the downstream FortiGates. I believe that the Exhibit B is wrong!

JakubCh (Option: C)
Jul 17, 2023

D - not correct. Fortigate Security guide 7.2 - page 434. The CLI command "set fabric-object-unification" is only available on the root FortiGate.

AxiansPT
Jan 26, 2024

The named "Local-Fortigate" is the root FortiGate.

wwwwaaaa (Option: C)
Nov 9, 2023

A is wrong: "if set configuration-sync is set to local, the downstream device does not participate in synchronization". B is wrong, as the connection has been established and there is no need to authenticate. D is wrong, the command is already there on the root. C is the only one left.

paulosrsf (Option: D)
Jan 18, 2024

The Exhibit B is wrong and misleading the answer. The root configuration is "set fabric-object-unification local", then the right answer should be to change it to DEFAULT.

learner2024
May 16, 2024

That is my idea: Exhibit B is wrong; as it is, there is nothing wrong that prevents the object from syncing. If 'fabric-object-unification' is set to local on the root FG, yes, it prevents syncing; now it is 'default', so no problem is seen, so there is no right choice from A-D in this case.

ake01 (Option: D)
Sep 27, 2023

D - Correct. To synchronize the address object created on the root FortiGate (Local-FortiGate) with the downstream FortiGate (ISFW), the administrator must ensure that the fabric-object-unification setting on the root FortiGate is set to "default". This setting allows the downstream device to synchronize objects from the root FortiGate. When set to local, the device does not synchronize objects from the root but will still participate in sending the synchronized object downstream. Therefore, the correct answer is: D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default. The Exhibit B is wrong.

skyvahaerie
Dec 12, 2023

I had this question in my exam today (12/12/23) and can tell you the exhibit B is NOT wrong. 100% identical to the exam question. Therefore C must be the correct answer.

SpikeDad (Option: C)
Nov 21, 2023

Answer C is correct. From the study guide "If object synchronisation is disabled on the root Fortigate, using the command 'set fabric-object disable', firewall addresses and address groups will not be synchronised to downstream Fortigate devices." The question states that the admin created an address object on the root, so it won't be synchronised.

AMK2ENG (Option: D)
Dec 22, 2023

D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Mallu_92 (Option: C)
Mar 18, 2024

A and B do not apply here; answer D doesn't change anything in the configuration, as it is already configured in the root FG. Correct answer is C.

Jere2001 (Option: C)
Apr 23, 2024

The correct answer is C. Because "set fabric-object-unification default" is already defined in the configuration presented in "Exhibit B".

Possa (Option: C)
Oct 14, 2023

Fortigate Security guide 7.2 - page 434

keshzy (Option: C)
Oct 24, 2023

C - Correct. C stands for correct. jk. This is tricky just because D is already enabled by default, and it is actually given in this scenario that it is already enabled. Clearly C, because look at this statement in Exhibit B on the root side: "set fabric-object disable". This needs to be changed to enable. ^_^

LAFNELL (Option: A)
Oct 24, 2023

I think neither D nor C is correct. Don't forget the fabric-object-unification command is configured on a downstream device and not on the root FortiGate. It could be correct if we had a proposed answer like: "Change the csf settings on ISFW by set fabric-object-unification default"

piipo (Option: C)
Nov 27, 2023

Answer C is correct.

GeniusA (Option: C)
Dec 19, 2023

Option C is the correct answer

Umbrella2000
Jan 28, 2024

When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default. Therefore, if a new address object created on the root FortiGate (Local-FortiGate) is not available on the downstream FortiGate (ISFW) after synchronization, it indicates that there might be a sync issue. However, none of the options A, B, C, and D provided directly address this issue based on the information available.

MAUROBTA (Option: C)
Mar 25, 2024

The downstream-access feature must be enabled (https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/148376/preparing-fortigate-for-supported-security-fabric-devices); if it is not enabled, the Security Fabric does not function.

Mqbx (Option: C)
Apr 8, 2024

The downstream-access feature must be enabled (https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/148376/preparing-fortigate-for-supported-security-fabric-devices); if it is not enabled, the Security Fabric does not function.