msfconsole
Visitor II
May 28, 2026
Solved

wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels

  • May 28, 2026
  • 5 replies
  • 165 views

I have a question, for NSE4 please.

wants to configure dead peer detection (DPD) on IPsec VPN for detecting dead tunnels. The
requirement is that FortiGate sends DPD probes only when there is no inbound traffic.
Which DPD mode on FortiGate meets this requirement?
A. Enabled
B. On Idle
C. Disabled
D. On Demand


Toshi_Esumi
SuperUser
May 28, 2026

I would say ‘B’. But on-idle doesn’t cause sending keepalives if it still has outbound traffic.
Tricky question.

Toshi

msfconsole
Visitor II
May 28, 2026

hey ​@Toshi_Esumi 

thanks bro

DZ
Toshi_Esumi
SuperUser
May 28, 2026

You’re NOT in the middle of the test and cheating, right?

Toshi

sjoshi
Staff
Best answer
May 29, 2026

Hi ​@msfconsole 

The correct answer is D, On Demand, as the question says DPD is sent only when there is no inbound traffic.

DPD:
Disable: FortiGate never sends DPD probes to the remote peer, but responds to DPD probes received.
On-idle: FortiGate sends DPD probes when no traffic is observed in the tunnel (outbound or inbound).
On-demand: FortiGate sends DPD probes if there is only outbound traffic through the tunnel, but no inbound. On-demand is the default setting.

 

Refer:

 

Thanks, Salon
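
A simplified model of the three DPD modes exactly as the answer above describes them, added here as an example (it is not FortiOS code and not part of the original posts). The traffic timelines, the 5-second interval and the retry count of 3 are constructed assumptions, not FortiOS defaults.

```python
# Simplified model of the DPD modes as described in the answer above.
# Not FortiOS code; timelines, interval and retry_count are constructed values.

def simulate(mode, events, peer_dies_at, duration, interval=5, retry_count=3):
    """Step through time; return (probe_times, time_peer_declared_dead or None).

    events: list of (second, "in" | "out") tuples for traffic seen in the tunnel.
    """
    probes, unanswered = [], 0
    for now in range(interval, duration + 1, interval):
        recent = {d for t, d in events if now - interval < t <= now}
        inbound, outbound = "in" in recent, "out" in recent
        if inbound:
            unanswered = 0          # inbound traffic proves the peer is alive
        if mode == "disable":
            send = False            # never probes (still answers the peer's probes)
        elif mode == "on-idle":
            send = not inbound and not outbound
        elif mode == "on-demand":
            send = outbound and not inbound
        else:
            raise ValueError(f"unknown DPD mode: {mode}")
        if not send:
            continue
        probes.append(now)
        if now <= peer_dies_at:
            unanswered = 0          # probe acknowledged by the live peer
            continue
        unanswered += 1
        if unanswered >= retry_count:
            return probes, now      # peer declared dead
    return probes, None


def busy_timeline(peer_dies_at, duration):
    """Constructed traffic: local hosts send every 2 s; replies stop when the peer dies."""
    out = [(t, "out") for t in range(2, duration + 1, 2)]
    inn = [(t, "in") for t in range(2, peer_dies_at + 1, 2)]
    return out + inn


if __name__ == "__main__":
    for name, events in (("busy", busy_timeline(20, 60)), ("idle", [])):
        for mode in ("disable", "on-idle", "on-demand"):
            print(name, mode, simulate(mode, events, peer_dies_at=20, duration=60))
```

In this model, with steady outbound traffic only on-demand starts probing once replies stop, while on a silent tunnel only on-idle probes at all.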
Toshi_Esumi
SuperUser
May 29, 2026

OK, then this is another misunderstanding of mine about FortiOS, for a long time, since 6.0(?), when on-idle/on-demand was introduced.

Toshi

Toshi_Esumi
SuperUser
May 29, 2026

For the record, “on-idle/on-demand” seems to have been introduced with 5.4. I checked back in the old admin guide.

Yurisk
SuperUser
May 30, 2026

That is the correct answer (by ​@sjoshi ) - D (at least exam-wise).

msfconsole
Visitor II
May 31, 2026

thanks @Toshi_Esumi @sjoshi @Yurisk

DZ
Anthony_E
Staff
June 2, 2026

Hi,

I think the best way to get good answers in NSE exams is to study and to follow the courses.

 

Anthony

Best Regards