New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Examstrust Logo
examstrust mcafee
  1. Home
  2. Fortinet
  3. Fortinet Certification
  4. NSE7_SDW-7.2 - Fortinet NSE 7 - SD-WAN 7.2

Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test

Page: 1 / 10
Total 97 questions
Get NSE7_SDW-7.2 Full Access Download NSE7_SDW-7.2 PDF

Fortinet NSE 7 - SD-WAN 7.2 Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99
Add to Cart

PDF + Testing Engine

  • Product Type: PDF + Testing Engine
$52.5  $174.99
Add to Cart

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Add to Cart
Question 1

Which CLI command do you use to perform real-time troubleshooting for ADVPN negotiation?

Options:

A.

get router info routing-table all

B.

diagnose debug application ike

C.

diagnose vpn tunnel list

D.

get ipsec tunnel list

Question 2

Which two statements about SD-WAN central management are true? (Choose two.)

Options:

A.

The objects are saved in the ADOM common object database.

B.

It does not support meta fields.

C.

It uses templates to configure SD-WAN on managed devices.

D.

It supports normalized interfaces for SD-WAN member configuration.

Question 3

Refer to the exhibits.

Exhibit A shows the packet duplication rule configuration, the SD-WAN zone status output, and the sniffer output on FortiGate acting as the sender. Exhibit B shows the sniffer output on a FortiGate acting as the receiver.

The administrator configured packet duplication on both FortiGate devices. The sniffer output on the sender FortiGate shows that FortiGate forwards an ICMP echo request packet over three overlays, but it only receives one reply packet through T_INET_1_0.

Based on the output shown in the exhibits, which two reasons can cause the observed behavior? (Choose two.)

Options:

A.

On the receiver FortiGate, packet-de-duplication is enabled.

B.

The ICMP echo request packets sent over T_INET_0_0 and T_MPLS_0 were dropped along the way.

C.

The ICMP echo request packets received over T_INET_0_0 and T_MPLS_0 were offloaded to NPU.

D.

On the sender FortiGate, duplication-max-num is set to 3.

Question 4

In the default SD-WAN minimum configuration, which two statements are correct when traffic matches the default implicit SD-WAN rule? (Choose two )

Options:

A.

Traffic has matched none of the FortiGate policy routes.

B.

Matched traffic failed RPF and was caught by the rule.

C.

The FIB lookup resolved interface was the SD-WAN interface.

D.

An absolute SD-WAN rule was defined and matched traffic.

Question 5

Refer to the exhibit.

Which are two expected behaviors of the traffic that matches the traffic shaper? (Choose two.)

Options:

A.

The number of simultaneous connections among all source IP addresses cannot exceed five connections.

B.

The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

C.

The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

D.

The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

Question 6

Refer to the exhibit.

The exhibit shows the SD-WAN rule status and configuration.

Based on the exhibit, which change in the measured latency will make T_MPLS_0 the new preferred member?

Options:

A.

When T_INET_0_0 and T_MPLS_0 have the same latency.

B.

When T_MPLS_0 has a latency of 100 ms.

C.

When T_INET_0_0 has a latency of 250 ms.

D.

When T_N1PLS_0 has a latency of 80 ms.

Question 7

Which diagnostic command can you use to show the SD-WAN rules, interface information, and state?

    diagnose sys sdwan service

    diagnose sys sdwan route-tag-list

    diagnose sys sdwan member

Options:

A.

diagnose sys sdwan neighbor

Question 8

Which three matching traffic criteria are available in SD-WAN rules? (Choose three.)

Options:

A.

Type of physical link connection

B.

Internet service database (ISDB) address object

C.

Source and destination IP address

D.

URL categories

E.

Application signatures

Question 9

Exhibit.

The exhibit shows VPN event logs on FortiGate. In the output shown in the exhibit, which statement is true?

Options:

A.

There are no IPsec tunnel statistics log messages for ADVPN cuts.

B.

There is one shortcut tunnel built from master tunnel T_MPLS_0.

C.

The VPN tunnel T_MPLS_0 is a shortcut tunnel.

D.

The master tunnel T_INET_0 cannot accept the ADVPN shortcut. 

Question 10

Refer to the exhibit.

Which conclusion about the packet debug flow output is correct?

Options:

A.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

B.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

C.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

D.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

Question 11

Refer to the exhibit.

Based on the exhibit, which action does FortiGate take?

Options:

A.

FortiGate bounces port5 after it detects all SD-WAN members as dead.

B.

FortiGate fails over to the secondary device after it detects all SD-WAN members as dead.

C.

FortiGate brings up port5 after it detects all SD-WAN members as alive.

D.

FortiGate brings down port5 after it detects all SD-WAN members as dead.

Question 12

Refer to the exhibit.

Which algorithm does SD-WAN use to distribute traffic that does not match any of the SD-WAN rules?

Options:

A.

All traffic from a source IP to a destination IP is sent to the same interface.

B.

All traffic from a source IP is sent to the same interface.

C.

All traffic from a source IP is sent to the most used interface.

D.

All traffic from a source IP to a destination IP is sent to the least used interface.

Question 13

Refer to the exhibit.

The exhibit shows output of the command diagnose 3vg sdwan service collected on a FortiGate device.

The administrator wants to know through which interface FortiGate will steer the traffic from local users on subnet 10.0.1.0/255.255.255.192 and with a destination of the business application Salesforce located on HO servers 10.0.0.1.

Based on the exhibits, which two statements are correct? (Choose two.)

Options:

A.

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

B.

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

C.

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

D.

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

Question 14

Refer to the exhibit.

Based on the exhibit, which two statements are correct about the health of the selected members? (Choose two.)

Options:

A.

After FortiGate switches to active mode, FortiGate never fails back to passive monitoring.

B.

During passive monitoring, FortiGate can’t detect dead members.

C.

FortiGate can offload the traffic that is subject to passive monitoring to hardware.

D.

FortiGate passively monitors the member if TCP traffic is passing through the member.

Question 15

What three characteristics apply to provisioning templates available on FortiManager? (Choose three.)

Options:

A.

You can apply a system template and a CLI template to the same FortiGate device.

B.

A CLI template can be of type CLI script or Perl script.

C.

A template group can include a system template and an SD-WAN template.

D.

A template group can contain CLI templates of both types.

E.

Templates are applied in order, from top to bottom.

Question 16

Refer to the exhibit.

Based on the output shown in the exhibit, which two criteria on the SD-WAN member configuration can be used to select an outgoing interface in an SD-WAN rule? (Choose two.)

Options:

A.

Set priority 10.

B.

Set cost 15.

C.

Set load-balance-mode source-ip-ip-based.

D.

Set source 100.64.1.1.

Question 17

Which statement about using BGP routes in SD-WAN is true?

Options:

A.

Learned routes can be used as dynamic destinations in SD-WAN rules.

B.

You must use BGP to route traffic for both overlay and underlay links.

C.

You must configure AS path prepending.

D.

You must use external BGP.

Question 18

Refer to the Exhibits:

Exhibit A, which shows the SD-WAN performance SLA and exhibit B shows the health of the participating SD-WAN members.

Based on the exhibits, which statement is correct?

Options:

A.

The dead member interface stays unavailable until an administrator manually brings the interface back.

B.

Port2 needs to wait 500 milliseconds to change the status from alive to dead.

C.

Static routes using port2 are active in the routing table.

D.

FortiGate has not received three consecutive requests from the SLA server configured for port2.

Question 19

Which statement about using BGP for ADVPN is true?

Options:

A.

You must use BGP to route traffic for both overlay and underlay links.

B.

You must configure AS path prepending.

C.

You must configure BGP communities.

D.

IBGP is preferred over EBGP, because IBGP preserves next hop information.

Question 20

Which SD-WAN setting enables FortiGate to delay the recovery of ADVPN shortcuts?

Options:

A.

hold-down-time

B.

link-down-failover

C.

auto-discovery-shortcuts

D.

idle-timeout

Question 21

Refer to the exhibits.

Exhibit A -

Exhibit B -

Exhibit A shows a site-to-site topology between two FortiGate devices: branch1_fgt and dc1_fgt. Exhibit B shows the system global and system settings configuration on dc1_fgt.

When branch1_client establishes a connection to dc1_host, the administrator observes that, on dc1_fgt, the reply traffic is routed over T_INET_0_0, even though T_INET_1_0 is the preferred member in the matching SD-WAN rule.

Based on the information shown in the exhibits, what configuration change must be made on dc1_fgt so dc1_fgt routes the reply traffic over T_INET_1_0?

Options:

A.

Enable auxiliary-session under config system settings.

B.

Disable tсp-session-without-syn under config system settings.

C.

Enable snat-route-change under config system global.

D.

Disable allow-subnet-overlap under config system settings.

Question 22

What are two reasons why FortiGate would be unable to complete the zero-touch provisioning process? (Choose two.)

Options:

A.

The FortiGate cloud key has not been added to the FortiGate cloud portal.

B.

FortiDeploy has connected with FortiGate and provided the initial configuration to contact FortiManager

C.

The zero-touch provisioning process has completed internally, behind FortiGate.

D.

FortiGate has obtained a configuration from the platform template in FortiGate cloud.

E.

A factory reset performed on FortiGate.

Question 23

Refer to the exhibit.

An administrator is troubleshooting SD-WAN on FortiGate. A device behind branch1_fgt generates traffic to the 10.0.0.0/8 network. The administrator expects the traffic to match SD-WAN rule ID 1 and be routed over T_INET_0_0. However, the traffic is routed over T_INET_1_0.

Based on the output shown in the exhibit, which two reasons can cause the observed behavior? (Choose two.)

Options:

A.

The traffic matches a regular policy route configured with T_INET_1_0 as the outgoing device.

B.

T_INET_1_0 has a lower route priority value (higher priority) than T_INET_0_0.

C.

T_INET_0_0 does not have a valid route to the destination.

D.

T_INET_1_0 has a higher member configuration priority than T_INET_0_0.

Question 24

Refer to the exhibit.

Which two SD-WAN template member settings support the use of FortiManager meta fields? (Choose two.)

Options:

A.

Cost

B.

Interface member

C.

Priority

D.

Gateway IP

Question 25

Which two performance SLA protocols enable you to verify that the server response contains a specific value? (Choose two.)

Options:

A.

http

B.

icmp

C.

twamp

D.

dns

Question 26

Refer to the exhibits.

Exhibit A shows two IPsec templates to define Branch_IPsec_1 and Branch_IPsec_2. Each template defines a VPN tunnel.

Exhibit B shows the error message that FortiManager displayed when the administrator tried to assign the second template to the FortiGate device.

Which statement best explain the cause for this issue?

Options:

A.

You can assign only one template with a tunnel of fype static to each FortiGate device

B.

You can define only one IPsec tunnel from branch devices to HUB1.

C.

You can assign only one IPsec template to each FortiGate device.

D.

You should review the branch1_fgt configuration for the already configured tunnel with the name HUB1-VPN2.

Question 27

Which two statements are correct when traffic matches the implicit SD-WAN rule? (Choose two.)

Options:

A.

The sdwan_service_id flag in the session information is 0.

B.

All SD-WAN rules have the default setting enabled.

C.

Traffic does not match any of the entries in the policy route table.

D.

Traffic is load balanced using the algorithm set for the v4-ecmp-mode setting.

Question 28

Which diagnostic command can you use to show the configured SD-WAN zones and their assigned members?

Options:

A.

diagnose sys sdwan zone

B.

diagnose sys sdwan service

C.

diagnose sys sdwan member

D.

diagnose sys sdwan interface

Question 29

Which two statements about SLA targets and SD-WAN rules are true? (Choose two.)

Options:

A.

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements

B.

Member metrics are measured only if an SLA target is configured

C.

When configuring an SD-WAN rule you can select multiple SLA targets of the same performance SLA

D.

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy

Load More NSE7_SDW-7.2 Questions
Page: 1 / 10
Total 97 questions
Get NSE7_SDW-7.2 Full Access Download NSE7_SDW-7.2 PDF