The correct answer is D. When both devices are configured with set downstream-access-disable (answer in C) then the newly created address objects are still replicated. However, when I configure the root with set fabric-object-unification local the address object is no longer replicated to the downstream FortiGates. I believe that the Exhibit B is wrong!

D - not correct Fortigate Security guide 7.2 - page 434 The CLI command "set fabric-object-unification" is only available on the root FortiGate.

The correct answer is C. Because "set fabric-object-unification default" is already defined in the configuration presented in "Exhibit B".

The downstream-access feature must be enable https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/148376/preparing-fortigate-for-supported-security-fabric-devices, if not is enable the security fabric not function

The downstream-access feature must be enable https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/148376/preparing-fortigate-for-supported-security-fabric-devices, if not is enable the security fabric not function

A and B does not apply here, D answer doesn't change anything in the configuration as it is already configured in the root FG. Correct answer is C.

When the Security Fabric is enabled, various objects such as addresses, services, and schedules are synced from the upstream FortiGate to all downstream devices by default1. Therefore, if a new address object created on the root FortiGate (Local-FortiGate) is not available on the downstream FortiGate (ISFW) after synchronization, it indicates that there might be a sync issue. However, none of the options A, B, C, and D provided directly address this issue based on the information available

The Exhibit B is wrong and misleading the answer. The root configuration is "set fabric-object-unification local", then the right answer should be to change it to DEFAULT.

D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.

Option C is the correct answer

Answer C is correct.

Answer C is correct. From the study guide "If object synchronisation is disabled on the root Fortigate, using the command 'set fabric-object disable', firewall addresses and address groups will not be synchronised to downstream Fortigate devices." The question states that the admin created an address object on the root, so it won't be synchronised.

A is wrong, "if set configuration-sync is set to local, the downstream device does not participate in synchronization" B wrong, as the connection has been established and no need to authenticate D is wrong, the command is already there on the root C is the only one left

I think neither D nor C is correct. Don't forget the fabric-object-unification command is configured on a downstream device and not on Root Fortigate. It could be correct if we had proposed answer like : "Change the csf settings on ISFW by set fabric-object-unification default"

C - Correct. C stands for correct. jk. This is tricky just because D is already enable by default and is actually given in this scenario that it is already enabled. Clearly C - because look this statement in exhibit B on the root side "set fabric-object disable". this needs to be changed to enable. ^_^

Fortigate Security guide 7.2 - page 434

D - Correct. To synchronize the address object created on the root FortiGate (Local-FortiGate) with the downstream FortiGate (ISFW), the administrator must ensure that the fabric-object-unification setting on the root FortiGate is set to "default" . This setting allows the downstream device to synchronize objects from the root FortiGate. When set to local, the device does not synchronize objects from the root but will still participate in sending the synchronized object downstream .Therefore, the correct answer is:D. Change the csf setting on Local-FortiGate (root) to set fabric-object-unification default.The Exhibit B is wrong.