Exam NSE7_EFW-7.2 topic 1 question 33 discussion

A. You must disable add-route in the hub. True. For ADVPN (Auto-Discovery VPN) to work, the hub should not add routes automatically. Disabling add-route ensures that route discovery is dynamic and based on the ADVPN mechanism rather than static route additions. B. All FortiGate devices must be in the same autonomous system (AS). False. ADVPN can operate across different AS numbers as long as the routing and VPN configurations are correct. It does not require all FortiGates to be in the same AS. C. The hub adds routes based on IKE negotiations. False. ADVPN uses dynamic routing protocols (e.g., BGP or OSPF) to exchange routes, not IKE negotiations. IKE is responsible for establishing the VPN tunnels, but routing is handled separately. D. You must configure phase 2 quick mode selectors to 0.0.0.0 0.0.0.0. True. To enable ADVPN's dynamic capabilities, phase 2 quick mode selectors are typically set to 0.0.0.0/0 for both source and destination. This ensures that the VPN tunnel can dynamically accommodate various subnets.

A. wrong - not relevant B. Correct because C is wrong and D is correct C. wrong devices can be in the same or not the same AS depending your topology. Also you can use EBGP rather than IBGP. it is recommended to use IBGP but that doesnt mean you cant use only EBGP. So it is not mandatory to be in the same AS. D. ADVPN runs on dynamic routing so you must disable add-routes etc.. - Correct

Refer to Study guide 334. AD-VPN supports EBGP for inter-region routing (dual regions - Dual HUB). So the correct answer is BD

B and D are correct study guide p. 336

Correction of my last answer.

This is a difficult one, This documentation states that members of an ADVPN must use IBGP - https://community.fortinet.com/t5/FortiGate/Technical-Tip-ADVPN-with-BGP-as-the-routing-protocol/ta-p/192437 , and thus must be in the same AS as answer C states. The hub must also be configured with set add-route disable, so D is definitely correct. The Study Guide merely states that you have to check and confirm that phase2 selectors are set to 0.0.0.0/0, which is the default setting as stated here https://docs.fortinet.com/document/fortigate/7.2.4/cli-reference/373620/config-vpn-ipsec-phase2-interface (dst-subnet row in table). I belive if you HAD to set 0.0.0.0/0 the documentation would actually show that in every configuration example of ADVPN. Thus I am going to say that C and D are the correct answers, just to confuse everyone, because I am a bit confused my self.

and also C is correct

study guide p. 336

It's B and D as per study guide p. 336