Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test

You can configure full mesh, star, and dial-up VPN topologies.

You must enable VPN zones for SD-WAN deployments.

FortiManager installs VPN settings on both managed and external gateways.

You configure VPN communities to define common IPsec settings shared by all VPN gateways.

The traffic will be load balanced across all three overlays.

The traffic will be routed over T_INET_0_0.

The traffic will be routed over T_MPLS_0.

The traffic will be routed over T_INET_1_0.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

A total of six packets are exchanged between an initiator and a responder instead of three packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Set priority 10.

Set cost 15.

Set load-balance-mode source-ip-ip-based.

Set source 100.64.1.1.

You can delete the virtual-wan-link zone because it contains no member.

The corporate zone contains no member.

You can move port1 from the underlay zone to the overlay zone.

The overlay zone contains four members.

Each region has its own SD-WAN topology

It is not compatible with ADVPN.

Regions must correspond to geographical areas.

Routing between the hub and spokes must be BGP.

On the hubs,auto-discovery-sendermust be enabled on the IPsec VPNs to spokes.

On the spokes,auto-discovery-receivermust be enabled on the IPsec VPN to the hub.

auto-discovery-forwardermust be enabled on all IPsec VPNs.

On the hubs,net-devicemust be enabled on all IPsec VPNs.

In the dcl-lab-rm route map configuration, set set-route-tag to 10.

In SD-WAN rule ID 1, change the destination to use ISDB entries.

In the BGP neighbor configuration, apply the route map dcl-lab-rm in the outbound direction.

In the dcl-lab-rm route map configuration, unset match-community.

The dead member interface stays unavailable until an administrator manually brings the interface back.

Port2 needs to wait 500 milliseconds to change the status from alive to dead.

Static routes using port2 are active in the routing table.

FortiGate has not received three consecutive requests from the SLA server configured for port2.

Create policy packages for branch devices.

Assign an sdwan_id metadata variable to each device (branch and hub}.

Configure routing through overlay tunnels created by the SD-WAN overlay template.

Assign a branch_id metadata variable to each branch device.

Configure SD-WAN rules.

Packet duplication can leverage multiple IPsec overlays for sending additional data.

Packet duplication does not require a route to the destination.

Packet duplication supports hardware offloading.

Packet duplication uses smaller parity packets which results in less bandwidth consumption.

FortiGate updated the outgoing interface list on the rule so it prefers port2.

Port2 has the highest member priority.

Port2 has a lower latency than port1.

SD-WAN rule ID 1 is set to lowest cost (SLA) mode.

FortiGate bounces port5 after it detects all SD-WAN members as dead.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

FortiGate brings down port5 after it detects all SD-WAN members as dead.

The number of simultaneous connections among all source IP addresses cannot exceed five connections.

The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

FortiGate has terminated the session after a change on policy ID 1.

Changes have been made on firewall policy ID 1 on FortiGate.

Firewall policy ID 1 has source NAT disabled.

This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.

Two hubs,10.0.1.101and10.0.2.101, are receiving and forwarding queries between each other.

This is a hub that has received a query from a spoke and has forwarded it to another spoke.

Two spokes,192.2.0.1and10.0.2.101, forward their queries to their hubs.

FortiGate performed standard FIB routing on the session.

FortiGate will not re-evaluate the session following a firewall policy change.

FortiGate used192.2.0.1as the gateway for the original direction of the traffic.

FortiGate must re-evaluate the session due to routing change.

It is a hub device. It can send ADVPN shortcut offers.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

During passive monitoring, FortiGate can’t detect dead members.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

FortiGate passively monitors the member if TCP traffic is passing through the member.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

Three packets are exchanged between an initiator and a responder instead of six packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

Port2 becomes alive after three successful probes are detected.

FortiGate removes all static routes for port2.

The administrator manually restores the static routes for port2, if port2 becomes alive.

Host 8.8.8.8 is reachable through port1 and port2.

When all three members have the same packet loss.

When T_INET_0_0 has 4% packet loss.

When T_INET_0_0 has 12% packet loss.

When T_INET_1_0 has 4% packet loss.

The sdwan_service_id flag in the session information is 0.

All SD-WAN rules have the default setting enabled.

Traffic does not match any of the entries in the policy route table.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Setadditional-pathtosend

Enableroute-reflector-client

Setadvertisement-intervalto the number of additional paths to advertise

Setadv-additional-pathto the number of additional paths to advertise

Enablesoft-reconfiguration

Enable auxiliary-session under config system settings.

Disable tсp-session-without-syn under config system settings.

Enable snat-route-change under config system global.

Disable allow-subnet-overlap under config system settings.

You must use BGP to route traffic for both overlay and underlay links.

You must configure AS path prepending.

You must configure BGP communities.

IBGP is preferred over EBGP, because IBGP preserves next hop information.

The traffic always skips the regular policy routes.

You steer traffic based on the detected application.

You do not need to enable SSL inspection.

You do not need to configure firewall policies that accept the SD-WAN traffic.

You can use metadata variables only to define interface members and the gateway IP.

All SD-WAN template fields support metadata variables.

Any field Identified with a dollar sign ($) in a magnifying glass.

Any field identified with an "M" in a circle.

get router info routing-table all

diagnose debug application ike

diagnose vpn tunnel list

get ipsec tunnel list