When multiple remote sites connect to the same hub using overlapping subnets, FortiGate needs to

determine which route should be used for traffic forwarding. The route-overlap setting in IPsec Phase

2 allows FortiGate to handle this scenario by deciding whether to keep the existing route (use-old) or

replace it with a new route (use-new).

In an ECMP (Equal-Cost Multi-Path) routing setup, both routes should be retained and balanced, but

FortiGate does not support ECMP directly over overlapping routes in IPsec Phase 2. Instead, an

administrator must decide which connection takes precedence using route-overlap settings.

The diagnose vpn tunnel list name Hub2Spoke1 command output provides key information about

the offloading status of an IPsec VPN tunnel to the Network Processing Unit (NPU).

● npu_flag=20:

● This flag indicates that both inbound and outbound IPsec Security Associations (SAs) have been

offloaded to the NPU, meaning the VPN traffic is processed in hardware instead of the CPU.

● npu_rgwy=10.10.2.2 and npu_lgwy=10.10.1.1:

● These IPs represent the remote gateway (rgwy) and local gateway (lgwy), confirming that the

tunnel is successfully offloaded.

● npu_selid=1:

● This value means the session selector for the NPU offloaded SA is active.

Since both inbound and outbound SAs are offloaded, the administrator can conclude that the

FortiGate NPU is handling IPsec encryption and decryption efficiently, reducing CPU load and

improving VPN performance.

In ADVPN (Auto-Discovery VPN) configurations, security concerns include protecting peer IDs during

VPN establishment. Peer IDs are exchanged in the IKE (Internet Key Exchange) negotiation phase,

and their exposure could lead to privacy risks or targeted attacks.

● IKEv2 encrypts peer IDs, making it more secure compared to IKEv1, where peer IDs can be exposed

in plaintext in aggressive mode.

● IKEv2 also provides better performance and flexibility while supporting dynamic tunnel

establishment in ADVPN.

When standardizing the deployment of FortiGate devices across branches using FortiManager, the

best practice is to use metadata variables. This allows for dynamic interface configuration while

maintaining a single, consistent policy package for all branches.

● Metadata variables in FortiManager enable interface roles and configurations to be dynamically

assigned based on the specific FortiGate device.

● This ensures scalability and consistent security policy enforcement across all branches without

manually adjusting interface settings for each device.

● When a new branch FortiGate is deployed, metadata variables automatically map to the correct

physical interfaces, reducing manual configuration errors.

From the BGP neighbor status output, the key issue is that BGP is stuck in the "Idle" state, meaning

the FortiGate is unable to establish a BGP session with its peer 100.65.4.1 (Remote AS 65300).

The output also shows:

● "Not directly connected EBGP" → This means the BGP peer is not on the same subnet, requiring

multihop BGP.

● "Update source is Loopback" → Since a loopback interface is used, FortiGate must be configured

to allow BGP neighbors over multiple hops.

To resolve this issue, the administrator must enable ebgp-enforce-multihop, which allows BGP

sessions to be established even when the neighbors are not directly connected.

When FortiGate is operating in proxy mode with full SSL inspection enabled, it inspects encrypted

HTTPS traffic by default on port 443. However, some websites may use non-standard HTTPS ports

(such as 8443), which FortiGate does not inspect unless explicitly configured.

To ensure that FortiGate inspects HTTPS traffic on port 8443, administrators must manually add port

8443 in the Protocol Port Mapping section of the SSL/SSH Inspection Profile. This allows FortiGate to

treat HTTPS traffic on port 8443 the same as traffic on port 443, enabling proper inspection and

enforcement of FortiGuard category-based web filtering.

In this scenario, the corporate network and the new remote office network need to communicate

over the Internet, which requires a secure and dynamic routing method. Since both networks are

using OSPF (Open Shortest Path First) as the routing protocol, the best approach is to establish an

OSPF over IPsec VPN to ensure secure and dynamic route propagation.

OSPF is already running on the corporate network, and extending it over an IPsec tunnel allows

dynamic route exchange between the corporate FortiGate and the remote office FortiGate. IPsec

provides encryption for traffic over the Internet, ensuring secure communication. OSPF over IPsec

eliminates the need for manual static routes, allowing automatic route updates if networks change.

The new remote office's 192.168.1.0/24 subnet will be advertised dynamically to the corporate

network without additional configuration.

False positives in Intrusion Prevention System (IPS) analysis can disrupt legitimate traffic and

negatively impact user experience. To reduce false positives while maintaining security,

administrators can:

● Use IPS profile extensions to fine-tune the settings based on the organization's environment.

● Select the correct operating system, protocol, and application types to ensure that IPS signatures

match the network's actual traffic patterns, reducing false positives.

● Customize signature selection based on the network’s specific services, filtering out unnecessary

or irrelevant signatures.

When using IPsec VPNs and VXLAN, additional headers are added to packets, which can exceed the

default 1500-byte MTU. This can lead to fragmentation issues, dropped packets, or degraded

performance.

To resolve this, the MTU (Maximum Transmission Unit) should be adjusted only if all devices in the

network path support it. Otherwise, some devices may still drop or fragment packets, leading to

continued issues.

Why adjusting MTU helps:

● VXLAN adds a 50-byte overhead to packets.

● IPsec adds additional encapsulation (ESP, GRE, etc.), increasing the packet size.

● If packets exceed the MTU, they may be fragmented or dropped, causing intermittent connectivity

issues.

● Lowering the MTU on interfaces ensures packets stay within the supported size limit across all

network devices.

In BGP (Border Gateway Protocol), a neighbor (peer) configuration is required to establish a

connection between two BGP routers. Since FortiGate A is connecting to the ISP (Autonomous

System 10) from AS 30, the administrator must define the ISP's BGP router as a neighbor.

The config neighbor command is used to:

● Define the ISP's IP address as a BGP peer

● Specify the remote AS (AS 10 in this case)

● Allow BGP route exchanges between FortiGate A and the ISP