Which two key configuration changes must the administrator make on FortiGate to meet the requirements?
A network administrator wants to set up redundant IPsec VPN tunnels on FortiGate by using two IPsec VPN tunnels and static routes.
All traffic must be routed through the primary tunnel when both tunnels are up. The secondary tunnel must be used only if the primary tunnel goes down. In addition, FortiGate should be able to detect a dead tunnel to speed up tunnel failover.
Which two key configuration changes must the administrator make on FortiGate to meet the requirements? (Choose two.)
A. Configure a higher distance on the static route for the primary tunnel, and a lower distance on the static route for the secondary tunnel.
B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
C. Enable Auto-negotiate and Autokey Keep Alive on the phase 2 configuration of both tunnels.
D. Enable Dead Peer Detection.
Answer: B,D
Explanation:
To set up redundant IPsec VPN tunnels on FortiGate and meet the specified requirements, the administrator should make the following key configuration changes:
B. Configure a lower distance on the static route for the primary tunnel, and a higher distance on the static route for the secondary tunnel.
With a lower administrative distance on the static route for the primary tunnel, FortiGate prefers that route when both tunnels are up. If the primary tunnel goes down, its static route is removed from the routing table, and the static route for the secondary tunnel, which has the higher administrative distance, becomes the active route.
D. Enable Dead Peer Detection.
Dead Peer Detection (DPD) should be enabled to detect the status of the VPN tunnels. If the FortiGate detects that the primary tunnel is no longer responsive (dead), it can trigger the failover to the secondary tunnel, ensuring a faster tunnel failover.
So, the correct choices are B and D.