Which TWO are best practices for configuring IPsec VPN on FortiGate to ensure high availability and security?
PFS ensures that compromise of one key does not affect others.
Why this answer
Perfect Forward Secrecy (PFS) ensures that if an attacker compromises the private key used during IKE Phase 1, they cannot derive the session keys used in Phase 2. By requiring a new Diffie-Hellman exchange for each Phase 2 rekey, PFS isolates the compromise to only the current session, protecting past and future encrypted traffic. This is a critical security best practice for IPsec VPNs on FortiGate.
Exam trap
The trap here is that candidates often confuse DPD with a performance overhead feature and disable it, or they mistakenly believe aggressive mode is faster and therefore better, overlooking the severe security implications of sending identities in cleartext.