Question 18 - Fortinet FCP_FGT_AD-7.4 Real Exam Questions [Jan 2026 Update]

Q: 18

Which three statements about security associations (SA) in IPsec are correct? (Choose three.) 136/219

Options

Correct Answer:

A, C, D

Explanation

In an IPsec VPN, the Internet Key Exchange (IKE) protocol establishes Security Associations (SAs). The Phase 1 SA (IKE SA) is a single, bidirectional channel created to authenticate the peers and secure the negotiation of the Phase 2 SAs. The Phase 2 SAs (IPsec SAs) are unidirectional and are used to apply security services, such as encryption and authentication via ESP or AH, to the actual data traffic flowing through the tunnel. To ensure security, Phase 2 SAs have a finite lifetime, which can be configured to expire based on a set time duration, a specific volume of processed data, or whichever of these two limits is reached first.

Why Incorrect

B. An SA never expires.

This is incorrect. All SAs have a defined lifetime (time or volume-based) to force re-keying, which is a critical security practice to limit the impact of a compromised key.

E. Both the phase 1 SA and phase 2 SA are bidirectional.

This is incorrect. The Phase 1 (IKE) SA is bidirectional, but the Phase 2 (IPsec) SAs are unidirectional. Two Phase 2 SAs are required for bidirectional data communication.

References

1. Fortinet FortiOS 7.0 Administration Guide:

In the "IPsec VPN concepts > IKE and IPsec > Phase 1 and Phase 2" section

it states: "The IKE SA is a bidirectional secure channel... The purpose of IKE phase 2 is to negotiate IPsec SAs to set up the IPsec tunnel. The IPsec SAs are unidirectional... The IPsec SAs handle the encryption and decryption of traffic in the IPsec tunnel." This supports options A and C.

In the "IPsec VPN concepts > IKE and IPsec > Phase 2 settings" section

it details lifetime settings: "You can define the SA lifetime in seconds

in kilobytes of data processed

or both. The SA expires when one of these values is reached." This supports option D and refutes B.

2. RFC 4301

Security Architecture for the Internet Protocol:

Section 4.1

"Security Associations": "An SA is unidirectional. That is

it is a security relationship that applies to traffic in one direction... For peer-to-peer communication

two SAs are required

one in each direction." This confirms the unidirectional nature of IPsec (Phase 2) SAs

supporting option C and refuting E.

3. RFC 7296

Internet Key Exchange Protocol Version 2 (IKEv2):

Section 1.2

"The IKESA": "An IKESA is a bidirectional entity that is created as the result of an IKESAINIT exchange... All IKE messages are protected by an IKESA." This confirms the bidirectional nature of the IKE (Phase 1) SA

supporting option C.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE