
Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test

Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Question 1

Which two protocols in the IPsec suite are most used for authentication and encryption? (Choose two.)

Options:

A. Encapsulating Security Payload (ESP)
B. Secure Shell (SSH)
C. Internet Key Exchange (IKE)
D. Security Association (SA)

Question 2

The administrator uses the FortiManager SD-WAN overlay template to prepare an SD-WAN deployment. With information provided through the SD-WAN overlay template wizard, FortiManager creates templates ready to install on spoke and hub devices.

Select three templates created by the SD-WAN overlay template for a spoke device. (Choose three.)

Options:

A. System template
B. BGP template
C. IPsec tunnel template
D. CLI template
E. Overlay template

Question 3

Refer to the exhibit.

Based on the exhibit, which two actions does FortiGate perform on traffic passing through port2? (Choose two.)

Options:

A. FortiGate does not change the routing information on existing sessions that use a valid gateway, after a route change.
B. FortiGate performs routing lookups for new sessions only, after a route change.
C. FortiGate always blocks all traffic, after a route change.
D. FortiGate flushes all routing information from the session table, after a route change.

Question 4

Refer to the exhibits.

Exhibit A

Exhibit B

Exhibit A shows the SD-WAN performance SLA configuration, the SD-WAN rule configuration, and the application IDs of Facebook and YouTube. Exhibit B shows the firewall policy configuration and the underlay zone status.

Based on the exhibits, which two statements are correct about the health and performance of port1 and port2? (Choose two.)

Options:

A. The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.
B. FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.
C. FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.
D. Non-TCP Facebook and YouTube traffic are not used for performance measurement.

Question 5

Which two statements about SD-WAN members are true? (Choose two.)

Options:

A. You can manually define the SD-WAN member sequence number.
B. Interfaces of type virtual wire pair can be used as SD-WAN members.
C. Interfaces of type VLAN can be used as SD-WAN members.
D. An SD-WAN member can belong to two or more SD-WAN zones.

Question 6

Which statement about using BGP routes in SD-WAN is true?

Options:

A. Learned routes can be used as dynamic destinations in SD-WAN rules.
B. You must use BGP to route traffic for both overlay and underlay links.
C. You must configure AS path prepending.
D. You must use external BGP.

Question 7

What is the route-tag setting in an SD-WAN rule used for?

Options:

A. To indicate the routes for health check probes.
B. To indicate the destination of a rule based on learned BGP prefixes.
C. To indicate the routes that can be used for routing SD-WAN traffic.
D. To indicate the members that can be used to route SD-WAN traffic.

Question 8

What are two advantages of using an IPsec recommended template to configure an IPsec tunnel in a hub-and-spoke topology? (Choose two.)

Options:

A. It ensures consistent settings between phase1 and phase2.
B. It guides the administrator to use Fortinet recommended settings.
C. It automatically installs IPsec tunnels to every spoke when they are added to the FortiManager ADOM.
D. The VPN monitor tool provides additional statistics for tunnels defined with an IPsec recommended template.

Question 9

Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?

Options:

A. hold-down-time
B. link-down-failover
C. auto-discovery-shortcuts
D. idle-timeout

Question 10

Refer to the exhibit.

Which two statements about the IPsec VPN configuration and the status of the IPsec VPN tunnel are true? (Choose two.)

Options:

A. FortiGate does not install IPsec static routes for remote protected networks in the routing table.
B. The phase 1 configuration supports the network-overlay setting.
C. FortiGate facilitated the negotiation of the T_INET_1_0_0 ADVPN shortcut over T_INET_1_0.
D. Dead peer detection is disabled.

Question 11

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

Options:

A. All traffic from a source IP to a destination IP is sent to the same interface.
B. All traffic from a source IP is sent to the same interface.
C. All traffic from a source IP is sent to the most used interface.
D. All traffic from a source IP to a destination IP is sent to the least used interface.

Question 12

Refer to the exhibit.

Which conclusion about the packet debug flow output is correct?

Options:

A. The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
B. The packet size exceeded the outgoing interface MTU.
C. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.
D. The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

Question 13

Refer to the exhibit.

Which statement about the role of the ADVPN device in handling traffic is true?

Options:

A. An IKE session is established between 10.0.1.101 and 10.0.2.101 in the process of forming a shortcut tunnel.
B. This is a hub that has received an offer from a spoke and has forwarded it to another spoke.
C. Two spokes, 192.2. 1 and 10.0.2.101, establish a shortcut.
D. This is a spoke that has received an offer from a remote hub.

Question 14

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2. The administrator configured ADVPN on both hub-and-spoke groups.

Which two outcomes are expected if a user in Toronto sends traffic to London? (Choose two.)

Options:

A. London generates an IKE information message that contains the Toronto public IP address.
B. Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.
C. Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.
D. The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

Question 15

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

Options:

A. Enable auxiliary-session under config system settings.
B. Disable tcp-session-without-syn under config system settings.
C. Enable snat-route-change under config system global.
D. Disable allow-subnet-overlap under config system settings.

Question 16

Refer to the exhibit.

Two hub-and-spoke groups are connected through a site-to-site IPsec VPN between Hub 1 and Hub 2.

Which two configuration settings are required for Toronto and London spokes to establish an ADVPN shortcut? (Choose two.)

Options:

A. On the hubs, auto-discovery-sender must be enabled on the IPsec VPNs to spokes.
B. On the spokes, auto-discovery-receiver must be enabled on the IPsec VPN to the hub.
C. auto-discovery-forwarder must be enabled on all IPsec VPNs.
D. On the hubs, net-device must be enabled on all IPsec VPNs.

Question 17

Refer to the exhibit.

The device exchanges routes using IBGP.

Which two statements are correct about the IBGP configuration and routing information on the device? (Choose two.)

Options:

A. Each BGP route is three hops away from the destination.
B. ibgp-multipath is disabled.
C. additional-path is enabled.
D. You can run the get router info routing-table database command to display the additional paths.

Question 18

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

Options:

A. diagnose sys sdwan service
B. diagnose sys sdwan route-tag-list
C. diagnose sys sdwan member
D. diagnose sys sdwan neighbor

Question 19

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

Options:

A. get router info routing-table all
B. diagnose debug application ike
C. diagnose vpn tunnel list
D. get ipsec tunnel list

Question 20

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows the traffic shaping policy and exhibit B shows the firewall policy.

The administrator wants FortiGate to limit the bandwidth used by YouTube. When testing, the administrator determines that FortiGate does not apply traffic shaping on YouTube traffic.

Based on the policies shown in the exhibits, what configuration change must be made so FortiGate performs traffic shaping on YouTube traffic?

Options:

A. Destination internet service must be enabled on the traffic shaping policy.
B. Application control must be enabled on the firewall policy.
C. Web filtering must be enabled on the firewall policy.
D. Individual SD-WAN members must be selected as the outgoing interface on the traffic shaping policy.

Question 21

Refer to the exhibit.

Which configuration change is required if the responder FortiGate uses a dynamic routing protocol to exchange routes over IPsec?

Options:

A. type must be set to static.
B. mode-cfg must be enabled.
C. exchange-interface-ip must be enabled.
D. add-route must be disabled.

Question 22

Refer to the exhibits.

An administrator is testing application steering in SD-WAN. Before generating test traffic, the administrator collected the information shown in exhibit A.

After generating GoToMeeting test traffic, the administrator examined the respective traffic log on FortiAnalyzer, which is shown in exhibit B. The administrator noticed that the traffic matched the implicit SD-WAN rule, but they expected the traffic to match rule ID 1.

Which two reasons explain why the traffic matched the implicit SD-WAN rule? (Choose two.)

Options:

A. FortiGate did not refresh the routing information on the session after the application was detected.
B. Port1 and port2 do not have a valid route to the destination.
C. Full SSL inspection is not enabled on the matching firewall policy.
D. The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Question 23

Refer to the exhibit.

Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)

Options:

A. Set priority 10.
B. Set cost 15.
C. Set load-balance-mode source-ip-ip-based.
D. Set source 100.64.1.1.

Question 24

Refer to the exhibit.

The exhibit shows the output of the command diagnose sys sdwan service collected on a FortiGate device.

The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HO servers 10.0.0.1.

Based on the exhibits, which two statements are correct? (Choose two.)

Options:

A. When FortiGate cannot recognize the application of the flow, it steers the traffic destined to server 10.0.0.1 according to service rule 3.
B. FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.
C. There is no service defined for the Salesforce application, so FortiGate will use service rule 3 and steer the traffic through interface T_HQ1.
D. FortiGate steers traffic for the business application according to service rule 2 and steers traffic through port2.

Question 25

In which SD-WAN template field can you use a metadata variable?

Options:

A. You can use metadata variables only to define interface members and the gateway IP.
B. All SD-WAN template fields support metadata variables.
C. Any field identified with a dollar sign ($) in a magnifying glass.
D. Any field identified with an "M" in a circle.

Question 26

Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)

Options:

A. Type of physical link connection
B. Internet service database (ISDB) address object
C. Source and destination IP address
D. URL categories
E. Application signatures

Question 27

Refer to the exhibit.

The exhibit shows VPN event logs on FortiGate. Based on the output shown in the exhibit, which statement is true?

Options:

A. There are no IPsec tunnel statistics log messages for ADVPN shortcuts.
B. There is one shortcut tunnel built from master tunnel T_MPLS_0.
C. The VPN tunnel T_MPLS_0 is a shortcut tunnel.
D. The master tunnel T_INET_0 cannot accept the ADVPN shortcut.

Question 28

Refer to the exhibits.

Exhibit A shows the SD-WAN rule status and the learned BGP routes with community 65000:10.

Exhibit B shows the SD-WAN rule configuration, the BGP neighbor configuration, and the route map configuration.

The administrator wants to steer corporate traffic using route tags in SD-WAN rule ID 1.

However, the administrator observes that the corporate traffic does not match SD-WAN rule ID 1.

Based on the exhibits, which configuration change is required to fix the issue?

Options:

A. In the dc1-lan-rm route map configuration, set set-route-tag to 10.
B. In SD-WAN rule ID 1, change the destination to use ISDB entries.
C. In the dc1-lan-rm route map configuration, unset match-community.
D. In the BGP neighbor configuration, apply the route map dc1-lan-rm in the outbound direction.

Question 29

Which two conclusions for traffic that matches the traffic shaper are true? (Choose two.)

Options:

A. The traffic shaper drops packets if the bandwidth is less than 2500 KBps.
B. The measured bandwidth is less than 100 KBps.
C. The traffic shaper drops packets if the bandwidth exceeds 6250 KBps.
D. The traffic shaper limits the bandwidth of each source IP to a maximum of 6250 KBps.