
nse4_fgt-72 Exam - Question 27


Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic. Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

Correct Answer: ABD

In the FortiGate HA (high availability) configuration provided, the primary device handles the initial traffic and can then involve the secondary device for load balancing. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source, ensuring seamless integration and traffic management continuity. In the case of load balanced connections, the primary device encapsulates TCP SYN packets before forwarding them to the secondary device, ensuring proper synchronization and handling of the session. This encapsulation is done only for the first packet of a load balanced session.

Discussion

17 comments
BoostBoris
Options: AD
Feb 11, 2023

A: Non-load balanced: traffic enters port1 and goes out port2 from FGT1. FGT2 is in standby mode.

D: In proxy inspection mode, the SYN packet goes to FGT1 port1. It is then forwarded to FGT2. The source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session.

BoostBoris
Feb 15, 2023

Sorry, FGT2 is primary... So the other way around --'

walter_rcp
Jan 21, 2023

D is the only correct one for me.

danieldelgado
Options: CD
Mar 10, 2023

Correct answers are C and D. The cluster is in Active-Active mode and FGT1 is the secondary

raydel92
Options: AD
Sep 10, 2023

Correct:
A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Incorrect:
B. The traffic sourced from the client and destined to the server is sent to FGT-1. (not primary)
C. The cluster can load balance ICMP connections to the secondary. (not enabled)

FortiGate Infrastructure 7.2 Study Guide (p.317 & p.320):
"To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses."
"The primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated packet includes the original packet plus session information that the secondary requires to process the traffic."

Reference and download study guide: https://ebin.pub/fortinet-fortigate-infrastructure-study-guide-for-fortios-72.html
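An added example, not part of any comment above and not Fortinet code: a small classifier that labels captured Ethernet frames by the pattern the study guide quote describes (MAC rewrite between the two units' physical MACs, plus EtherType 0x8891 on the first packet). The addresses and frames are constructed, and the `00:09:0f:09` virtual MAC prefix is an assumption taken from general FGCP documentation, not from this page.

```python
import struct
ETH_P_8021Q = 0x8100     # VLAN tag: the real EtherType follows the 4-byte tag
ETH_P_IPV4 = 0x0800
ETH_P_HA_ENCAP = 0x8891  # frame type named in the study guide quote
# Assumption (not on the page): FGCP virtual MACs start with 00:09:0f:09.
VMAC_PREFIX = bytes.fromhex("00090f09")

def parse_eth(frame):
    """Return (dst, src, ethertype), skipping any stacked 802.1Q tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, off = frame[0:6], frame[6:12], 12
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype == ETH_P_8021Q:
        off += 4
        if len(frame) < off + 2:
            raise ValueError("truncated VLAN tag")
        (etype,) = struct.unpack_from("!H", frame, off)
    return dst, src, etype

def classify(frame, primary_phys, secondary_phys):
    dst, src, etype = parse_eth(frame)
    # Primary-to-secondary hand-off uses both units' physical MACs.
    inter_unit = src == primary_phys and dst == secondary_phys
    if etype == ETH_P_HA_ENCAP:
        return "encapsulated-first-packet" if inter_unit else "0x8891-other"
    if inter_unit:
        return "mac-rewrite-only"
    if src[:4] == VMAC_PREFIX:
        return "from-virtual-mac"
    if dst[:4] == VMAC_PREFIX:
        return "to-virtual-mac"
    return "physical-macs"

# Constructed sample addresses and frames, not taken from the exhibits.
PRI, SEC = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b01")
VMAC, CLIENT = bytes.fromhex("00090f090001"), bytes.fromhex("020000000c01")
def eth(dst, src, etype, vlan=None):
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + b"\x00" * 46

SAMPLE = [
    eth(VMAC, CLIENT, ETH_P_IPV4),        # client frame sent to a virtual MAC
    eth(SEC, PRI, ETH_P_HA_ENCAP),        # first packet handed to secondary
    eth(SEC, PRI, ETH_P_IPV4, vlan=10),   # later packet, VLAN-tagged
    eth(CLIENT, VMAC, ETH_P_IPV4),        # frame with a virtual MAC as source
]

def summarize(frames):
    return [classify(f, PRI, SEC) for f in frames]
```
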

erawemk
Option: D
Jul 2, 2023

A. Is not true, the cluster always sends traffic to the server using the physical MAC.
B. Is not true, the traffic sourced from the client and destined to the server is sent to FGT-2.
C. Is not true, the cluster cannot load balance ICMP connections.
D. Is true for load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary using a 0x8891 frame.

Everything is taken from the Infrastructure study guide, pages 320-322.

Diego_Farani
Options: AD
Nov 7, 2023

FortiGate Infrastructure 7.2 Study Guide (p.317 & p.320): "To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses." "The primary forwards the SYN packet to the selected secondary. (...) This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated packet includes the original packet plus session information that the secondary requires to process the traffic."

shadow2020
Mar 1, 2023

Set mode is a-a not a-p

Mturco
Options: AD
Mar 11, 2023

Correct answer is A&D

ferdi1989
Jun 1, 2023

In mode A-A, no ICMP protocol can be load balanced.

yamahaforti
Option: D
Jun 10, 2023

Can A really be correct? View the slide on page 322 of FortiGate_Infrastructure_7.2_Study_Guide-Online.pdf. It shows secondary-physical MAC-port2 to server. D is the only correct one.

darkstar15
Options: AB
Aug 4, 2023

C is not correct because ICMP can be synchronized but not load balanced.

lucas09
Options: AD
Aug 22, 2023

A and D. For A-A load balancing, traffic from the client is received on the primary's virtual MAC, after which the packet is sent to the secondary for inspection with the physical MAC address of the primary as source. Then it comes back to primary and client to which the handshake has begun.

Slash_JM
Options: AD
Sep 21, 2023

FortiGate Infrastructure 7.2 Study Guide p.320-322

efot
Options: AD
Jan 24, 2023

Correct answer is AD

umairmasood
Options: AD
Jun 26, 2023

Answer is A & D

Rian
Options: AB
Sep 26, 2023

A and B. Since Secondary : FGT-1 HA Cluster index = 0

AMK2ENG
Options: AD
Dec 22, 2023

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.
D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.