Based on the exhibits, which two statements about the traffic passing through the cluster are true?

Refer to the exhibits.

Exhibit A shows a topology for a FortiGate HA cluster that performs proxy-based inspection on traffic.

Exhibit B shows the HA configuration and the partial output of the get system ha status command.

Based on the exhibits, which two statements about the traffic passing through the cluster are true? (Choose two.)

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

B. The traffic sourced from the client and destined to the server is sent to FGT-1.

C. The cluster can load balance ICMP connections to the secondary.

D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Answer: A,D

Explanation:

A: Non-load-balanced: traffic enters port1 and goes out port2 from FGT1. FGT2 is in primary mode.

D: In proxy inspection mode, the SYN packet goes to FGT1 port1. It is then forwarded to FGT2. The source MAC address of the packet is changed to the physical MAC address of port1 on the primary and the destination MAC address to the physical MAC address of port1 on the secondary. This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session.

A. For non-load balanced connections, packets forwarded by the cluster to the server contain the virtual MAC address of port2 as source.

D. For load balanced connections, the primary encapsulates TCP SYN packets before forwarding them to the secondary.

Incorrect:

B. The traffic sourced from the client and destined to the server is sent to FGT-1. (not primary)

C. The cluster can load balance ICMP connections to the secondary. (not enabled)

To forward traffic correctly, a FortiGate HA solution uses virtual MAC addresses.

The primary forwards the SYN packet to the selected secondary. (…) This is also known as MAC address rewrite. In addition, the primary encapsulates the packet in an Ethernet frame type 0x8891. The encapsulation is done only for the first packet of a load balanced session. The encapsulated packet includes the original packet plus session information that the secondary requires to process the traffic.
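
A capture-side check for the behaviour described above, as an added example that is not part of the original page: it parses an Ethernet header (skipping 802.1Q tags) and flags frames of type 0x8891 whose MAC addresses match the primary-to-secondary rewrite. The MAC addresses and the helper names are constructed assumptions, and the encapsulated payload is treated as opaque because the page does not give its layout.

```python
import struct

FGCP_LB_ETHERTYPE = 0x8891      # frame type named in the explanation above
VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q / 802.1ad tags that may precede the type

# Constructed physical MACs of port1 on each member (assumptions, not from the exhibits)
PRIMARY_PORT1 = "aa:bb:cc:00:00:01"
SECONDARY_PORT1 = "aa:bb:cc:00:00:02"


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame):
    """Return (dst, src, ethertype, payload), skipping any VLAN tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac(frame[0:6]), mac(frame[6:12])
    offset = 12
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TPIDS:
        offset += 4                      # skip TPID + TCI
        if len(frame) < offset + 2:
            raise ValueError("truncated VLAN tag")
        (etype,) = struct.unpack_from("!H", frame, offset)
    return dst, src, etype, frame[offset + 2:]


def classify(frame, primary=PRIMARY_PORT1, secondary=SECONDARY_PORT1):
    dst, src, etype, _ = parse_ethernet(frame)
    if etype != FGCP_LB_ETHERTYPE:
        return "not-encapsulated"
    if src == primary and dst == secondary:
        return "lb-first-packet"         # matches the MAC rewrite described above
    return "0x8891-unexpected-macs"      # same frame type, but not primary -> secondary


def build(dst, src, etype, payload=b"\x00" * 46, vlan=None):
    """Build a constructed test frame; the payload is a placeholder."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!H", etype) + payload


if __name__ == "__main__":
    print(classify(build(SECONDARY_PORT1, PRIMARY_PORT1, 0x8891, vlan=10)))
```

Because the encapsulation applies only to the first packet of a load balanced session, a capture of one session should yield a single `lb-first-packet` frame; later packets of that session classify as `not-encapsulated`.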
