Statement B is correct because interface monitoring is a primary mechanism for triggering an HA failover. If a monitored interface on the primary device fails, including being administratively set to down, the cluster detects this as a link failure and initiates a failover to a secondary unit to maintain network connectivity.

Statement D is correct as the FortiGate Cluster Protocol (FGCP) is designed to provide stateful failover. To achieve this, it synchronizes critical runtime data between cluster members. This data includes the Forwarding Information Base (FIB) for routing and IPsec Security Associations (SAs) for VPN tunnels, ensuring that sessions and tunnels are not interrupted during a failover.

A. An HA cluster can have both in-band and out-of-band management interfaces. Out-of-band management can be configured on dedicated ports while in-band management remains active on data interfaces.

C. The IP address 169.254.0.2 is assigned to the secondary unit with the highest device priority. A different secondary unit would use 169.254.0.3, so this IP is not guaranteed to be seen in all sniffs.

1. FortiOS 7.6 Administration Guide

"High Availability" chapter

section "HA failover triggers".

This section states

"If a link on a monitored interface on a cluster unit fails

the cluster unit is considered to have failed." An administrative shutdown of an interface is considered a link failure

which supports answer B.

2. FortiOS 7.6 Administration Guide

"High Availability" chapter

section "Information synchronized by the FGCP".

This section details the data synchronized by the cluster. It explicitly mentions

"The FGCP synchronizes the routing table..." and "The FGCP synchronizes IPsec security associations (SAs). This means that active IPsec tunnels are not interrupted by a failover." This directly supports answer D.

3. FortiOS 7.6 Administration Guide

"High Availability" chapter

section "Heartbeat packets and interfaces".

This section explains the IP addressing for heartbeat communication: "The primary unit has the heartbeat IP address 169.254.0.1. The subordinate unit with the highest device priority has the heartbeat IP address 169.254.0.2." This shows that 169.254.0.2 is specific to one subordinate

not a universally present IP

making statement C incorrect.

4. FortiOS 7.6 Administration Guide

"High Availability" chapter

section "Management access to a cluster".

This section describes configuring dedicated management interfaces and using ha-direct for out-of-band access

which can coexist with standard in-band management

proving statement A is incorrect.