Fortinet NSE7_SDW-7.2 Fortinet NSE 7 - SD-WAN 7.2 Exam Practice Test

The traffic always skips the regular policy routes.

You steer traffic based on the detected application.

You do not need to enable SSL inspection.

You do not need to configure firewall policies that accept the SD-WAN traffic.

All traffic from a source IP to a destination IP is sent to the same interface.

All traffic from a source IP is sent to the same interface.

All traffic from a source IP is sent to the most used interface.

All traffic from a source IP to a destination IP is sent to the least used interface.

The original traffic exceeded the maximum packets per second of the outgoing interface, and the packet was dropped.

The reply traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

The original traffic exceeded the maximum bandwidth of the outgoing interface, and the packet was dropped.

The original traffic exceeded the maximum bandwidth configured in the traffic shaper, and the packet was dropped.

FortiGate did not refresh the routing information on the session after the application was detected.

Port1 and port2 do not have a valid route to the destination.

Full SSL inspection is not enabled on the matching firewall policy.

The session 3-tuple did not match any of the existing entries in the ISDB application cache.

Theservice-sla-tie-breaksetting enables you to configure preferred member selection based on the best route to the destination.

You can delete the default zones.

The default zones are virtual-wan-link and SASE.

An SD-WAN member can belong to two or more zones.

Cost

Interface member

Priority

Gateway IP

The type of traffic defined and allowed on firewall policy ID 1 is UDP.

FortiGate has terminated the session after a change on policy ID 1.

Changes have been made on firewall policy ID 1 on FortiGate.

Firewall policy ID 1 has source NAT disabled.

The performance is an average of the metrics measured for Facebook and YouTube traffic passing through the member.

FortiGate is unable to measure jitter and packet loss on Facebook and YouTube traffic.

FortiGate identifies the member as dead when there is no Facebook and YouTube traffic passing through the member.

Non-TCP Facebook and YouTube traffic are not used for performance measurement.

London generates an IKE information message that contains the Toronto public IP address.

Traffic from Toronto to London triggers the dynamic negotiation of a direct site-to-site VPN.

Toronto needs to establish a site-to-site tunnel with Hub 2 to bypass Hub 1.

The first packets from Toronto to London are routed through Hub 1 then to Hub 2.

The total number of daily sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

The packet size exceeded the outgoing interface MTU.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the traffic shaper, and the packet was dropped.

The number of concurrent sessions for 10.1.10.1 exceeded the maximum number of concurrent sessions configured in the firewall policy, and the packet was dropped.

You can manually define the SD-WAN members sequence number.

Interfaces of type virtual wire pair can be used as SD-WAN members.

Interfaces of type VLAN can be used as SD-WAN members.

An SD-WAN member can belong to two or more SD-WAN zones.

When all three members have the same packet loss.

When T_INET_0_0 has 4% packet loss.

When T_INET_0_0 has 12% packet loss.

When T_INET_1_0 has 4% packet loss.

SD-WAN rules use SLA targets to check if the preferred members meet the SLA requirements

Member metrics are measured only if an SLA target is configured

When configuring an SD-WAN rule you can select multiple SLA targets of the same performance SLA

SLA targets are used only by SD-WAN rules that are configured with Lowest Cost (SLA) or Maximize Bandwidth (SLA) as strategy

The number of simultaneous connections among all source IP addresses cannot exceed five connections.

The traffic shaper limits the combined bandwidth of all connections to a maximum of 5 MB/sec.

The number of simultaneous connections allowed for each source IP address cannot exceed five connections.

The traffic shaper limits the bandwidth of each source IP address to a maximum of 625 KB/sec.

It creates redundant tunnels between hub-and-spokes, in case failure takes place on the primary links.

It dynamically assigns cost and weight between the hub and the spokes, based on the physical distance.

It ensures that spoke-to-spoke traffic no longer needs to flow through the tunnels through the hub.

It provides direct connectivity between all sites by creating on-demand tunnels between spokes.

It simplifies the deployment and administration of SD-WAN on managed FortiGate devices.

It improves SD-WAN performance on the managed FortiGate devices.

It sends probe signals as health checks to the beacon servers on behalf of FortiGate.

It acts as a policy compliance entity to review all managed FortiGate devices.

It reduces WAN usage on FortiGate devices by acting as a local FortiGuard server.

It is a hub device. It can send ADVPN shortcut offers.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. The subnet range is 10.10.128.0/23.

It is a spoke device that establishes dynamic IPsec tunnels to the hub. It can send ADVPN shortcut requests.

It is a hub device and will automatically discover the spoke devices that are in the SD-WAN topology.

This is a spoke that has received a query from a remote hub and has forwarded the response to its hub.

Two hubs,10.0.1.101and10.0.2.101, are receiving and forwarding queries between each other.

This is a hub that has received a query from a spoke and has forwarded it to another spoke.

Two spokes,192.2.0.1and10.0.2.101, forward their queries to their hubs.

It instructs the hub to disable the reordering of TCP packets on behalf of the receiver, to improve performance.

It instructs the hub to disable TCP sequence number check, which is required for TCP sessions originated from spokes to fail over back and forth between the hubs.

It instructs the hub to not check the ESP sequence numbers on IPsec traffic, to improve performance.

It instructs the hub to skip content inspection on TCP traffic, to improve performance.

A peer ID is included in the first packet from the initiator, along with suggested security policies.

XAuth is enabled as an additional level of authentication, which requires a username and password.

A total of six packets are exchanged between an initiator and a responder instead of three packets.

The use of Diffie Hellman keys is limited by the responder and needs initiator acceptance.

The objects are saved in the ADOM common object database.

It does not support meta fields.

It uses templates to configure SD-WAN on managed devices.

It supports normalized interfaces for SD-WAN member configuration.

get router info routing-table all

diagnose debug application ike

diagnose vpn tunnel list

get ipsec tunnel list

Type of physical link connection

Internet service database (ISDB) address object

Source and destination IP address

URL categories

Application signatures

diagnose sys sdwan sla-log

diagnose ays sdwan health-check

diagnose sys sdwan intf-sla-log

diagnose sys sdwan log

http

icmp

twamp

dns

Traffic has matched none of the FortiGate policy routes.

Matched traffic failed RPF and was caught by the rule.

The FIB lookup resolved interface was the SD-WAN interface.

An absolute SD-WAN rule was defined and matched traffic.

When FortiGate cannot recognize the application of the flow it steers the traffic destined to server 10.0.0.1 according to service rule 3.

FortiGate steers traffic to HO servers according to service rule 1 and it uses port1 or port2 because both interfaces are selected.

There is no service defined for the Salesforce application, so FortiGate will use the service rule 3 and steer the traffic through interface T_HQ1.

FortiGate steers traffic for business application according to service rule 2 and steers traffic through port2.

Interface-based shaping mode

Reverse-policy shaping mode

Shared-policy shaping mode

Per-IP shaping mode

You can configure full mesh, star, and dial-up VPN topologies.

You must enable VPN zones for SD-WAN deployments.

FortiManager installs VPN settings on both managed and external gateways.

You configure VPN communities to define common IPsec settings shared by all VPN gateways.