Question 8 - Fortinet FCP_FGT_AD-7.6 Real Exam Questions [March 2026 Update]

Q: 8

An administrator wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The requirement is that FortiGate sends DPD probes only when there is no inbound traffic. Which DPD mode on FortiGate meets this requirement?

Options

Discussion

Olivia E. Mar 2, 2026 2:34 am

Option B is correct here. "On Idle" specifically sends DPD probes only when there's no inbound traffic, matching the question's condition. Option D is a common trap since "On Demand" would be more for manual or general inactivity, not just inbound. Feel free to correct me if I'm off.

Robin T. Feb 26, 2026 10:22 pm

Option B

Jamie A. Feb 24, 2026 4:26 pm

B. only sends probes if inbound traffic goes quiet. That's exactly what the question wants.

Robin D. Feb 21, 2026 9:59 pm

B tbh

Arjun U. Feb 17, 2026 3:57 am

Makes sense to go with B here. "On Idle" fits because it sends DPD probes only if there's no inbound traffic.

Nina H. Feb 23, 2026 7:11 am

Option B matches the requirement. On Idle sends DPD probes only if there’s no inbound traffic. That lines up with what the question is asking, pretty sure that’s how FortiGate handles it. Someone correct me if I’m missing a nuance.

SeasonedAuditor5273 Mar 5, 2026 2:46 am

C or D? Pretty sure I saw similar phrasing in the official guide and practice test.

Cameron G. Feb 14, 2026 5:32 am

Nora X. Feb 23, 2026 6:04 pm

Makes sense, B fits what they're asking. "On Idle" sends DPD probes if no inbound traffic is coming through, so that's exactly what the scenario describes. Pretty sure D is for manual checks or when there's no traffic at all. Anyone disagree?

Arjun S. Feb 22, 2026 8:19 am

C vs D? C is just off, but D is a trap here. It's B for sure.

Be respectful. No spam.

Correct Answer:

Explanation

The 'On Idle' mode for Dead Peer Detection (DPD) on FortiGate is designed to send probes when the IPsec tunnel is idle. This means that if no inbound traffic is received from the VPN peer for a specified period, FortiGate will begin sending DPD probes to verify the peer's availability. This behavior directly matches the administrator's requirement to send probes only when there is no inbound traffic, ensuring that a dead tunnel is detected even during periods of inactivity without waiting for new outbound traffic to trigger the check.

Why Incorrect

A. Enabled: This is a general term and not a specific DPD mode in the FortiOS CLI. The specific operational modes are 'On Idle' and 'On Demand', making 'On Idle' the more precise and correct answer.

C. Disabled: This option completely deactivates the DPD mechanism, meaning no probes would be sent under any circumstances to detect a dead peer.

D. On Demand: This mode sends DPD probes only when FortiGate attempts to send outbound traffic over a tunnel that has not seen any recent inbound traffic. The trigger is outbound traffic, not simply the absence of inbound traffic.

References

1. Fortinet FortiOS 7.6.0 Administration Guide:

In the "IPsec VPN" chapter

under the "Dead Peer Detection" section

the modes are described.

On Idle: "The FortiGate sends DPD probes at regular intervals if no traffic is received from the peer." This directly supports the correct answer.

On Demand: "The FortiGate sends a DPD probe when it sends a packet to the peer but has not received any traffic from the peer in the last five seconds." This clarifies why option D is incorrect.

2. Fortinet FortiOS 7.6.0 CLI Reference:

Under the config vpn ipsec phase1-interface command context

the set dpd parameter options are defined.

set dpd {disable | on-idle | on-demand}

The description for on-idle states: "Dial-on-demand

DPD every ." This mode is triggered by idleness

aligning with the question's scenario.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE