The 'On Idle' mode for Dead Peer Detection (DPD) on FortiGate is designed to send probes when the IPsec tunnel is idle. This means that if no inbound traffic is received from the VPN peer for a specified period, FortiGate will begin sending DPD probes to verify the peer's availability. This behavior directly matches the administrator's requirement to send probes only when there is no inbound traffic, ensuring that a dead tunnel is detected even during periods of inactivity without waiting for new outbound traffic to trigger the check.

A. Enabled: This is a general term and not a specific DPD mode in the FortiOS CLI. The specific operational modes are 'On Idle' and 'On Demand', making 'On Idle' the more precise and correct answer.

C. Disabled: This option completely deactivates the DPD mechanism, meaning no probes would be sent under any circumstances to detect a dead peer.

D. On Demand: This mode sends DPD probes only when FortiGate attempts to send outbound traffic over a tunnel that has not seen any recent inbound traffic. The trigger is outbound traffic, not simply the absence of inbound traffic.

1. Fortinet FortiOS 7.6.0 Administration Guide:

In the "IPsec VPN" chapter

under the "Dead Peer Detection" section

the modes are described.

On Idle: "The FortiGate sends DPD probes at regular intervals if no traffic is received from the peer." This directly supports the correct answer.

On Demand: "The FortiGate sends a DPD probe when it sends a packet to the peer but has not received any traffic from the peer in the last five seconds." This clarifies why option D is incorrect.

2. Fortinet FortiOS 7.6.0 CLI Reference:

Under the config vpn ipsec phase1-interface command context

the set dpd parameter options are defined.

set dpd {disable | on-idle | on-demand}

The description for on-idle states: "Dial-on-demand

DPD every ." This mode is triggered by idleness

aligning with the question's scenario.